[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f1gBQueAJ6Y7N16Q-Z-DU8Bwe_R5b85kL7ZEEwwdivFM":3},{"article":4,"iocs":46},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":28,"category":29,"article_tags":33},"fcd89353-23f6-4186-bd23-5c6773b4e6be","Hackers Use PyInstaller and AMSI Patching to Deliver XWorm RAT v7.4","hackers-use-pyinstaller-and-amsi-patching-to-deliver-xworm-rat-v7-4-7b3e57","Hackers are hiding XWorm malware in PyInstaller files to bypass Windows security, steal data and remotely control devices through ads.","Security researchers at Point Wild discovered a new campaign distributing XWorm RAT v7.4 malware packaged in PyInstaller files to bypass Windows Defender. The attack uses AMSI Memory Patching to disable AmsiScanBuffer, Base64\u002FSHA-512 encryption, and fake obfuscation routines to evade detection. Once activated, the malware connects to C2 infrastructure to steal credentials, spy via webcam, launch DDoS attacks, and achieve full remote control.","Hackers deploy XWorm RAT v7.4 via PyInstaller with AMSI patching to bypass Windows security.","Hackers Use PyInstaller and AMSI Patching to Deliver XWorm RAT v7.4 Hackers are hiding XWorm malware in PyInstaller files to bypass Windows security, steal data and remotely control devices through ads. By Deeba Ahmed, May 15, 2026. 2 minute read. Cybersecurity researchers at Point Wild recently found a new way that cyberattackers are gaining unauthorised access to computers. The investigation, led by experts Kedar Shashikant Pandit, Prathamesh Shingare, and Amol Swami from the Lat61 Threat Intelligence Team, reveals that a common tool used by legitimate developers is being twisted by hackers to hide a nasty malware called XWorm. 
Attack Details The attack starts with a trick email or a fake software update, involving a harmless-looking file. This file is bundled with malicious code using PyInstaller, which is a tool to help programmers turn their scripts into an easy-to-run app. However, in this attack, it is converted into a delivery method for the threat. When the victim opens the file, it runs a compiled script: BA4Q6ACPMNrd980FwZn9iEbEqkjvRmw7FhW.pyc that works in the background without showing any windows. Point Wild’s investigation further revealed that the hackers even added a routine called _IAT_PHANTOM_FIX that researchers believe is just ‘fake’ code used to generate useless data to waste time, making it much harder for security experts to figure out what is actually happening. Evading Security Researchers noted in the blog post, shared exclusively with Hackread.com, that this malware is smart enough to hide from Windows security using AMSI Memory Patching that changes the computer’s memory and disables the AmsiScanBuffer, the safety guard Windows uses to scan for threats. Breaking this guard allows XWorm to unpack its main payload safely. The payload is hidden inside the file in a scrambled format (through Base64 and SHA-512 encryption). Right after fooling the safety processes, it unscrambles itself and hides in a folder called %LOCALAPPDATA%. It also names the final file Win.Kernel_Svc_AJ8iOw.exe to make it look like a regular Windows system service and marks itself as a hidden system file so it stays invisible to the user. Remote control and data theft Once active, the malware (version XWorm V7.4) establishes a connection to the hackers’ remote computer using an AES secret key. It communicates with an IP address at 68.219.64.89 on port 4444 to establish this connection, which then allows the hackers to perform a range of actions, including stealing passwords, scanning through files, and turning on the webcam to spy on the user. 
They can also launch DDoS attacks to flood websites with traffic or drop a file called afacan313131.exe to gain full remote control of the device. Attack Flow (Source: Point Wild) The team at Point Wild explained that threat actors are getting better at blending in with normal computer tasks to stay hidden for a long time. Dr. Zulfikar Ramzan, Chief Technology & AI Officer at Point Wild, and Head of the Lat61 Threat Intelligence Team, notes in a comment shared with us that: “Threat actors are taking familiar malware families, like XWorm, and giving them modern packaging, inclusive of obfuscation, anti-analysis routines, AMSI bypasses, and encrypted command and control. This campaign reminds us that even known RATs become difficult to detect when the infection chain is engineered for stealth.” 
","https:\u002F\u002Fhackread.com\u002Fhackers-pyinstaller-amsi-patching-xworm-rat-v7-4\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fhackers-pyinstaller-amsi-patching-xworm-rat-v7-4.jpg","2026-05-15T16:42:58+00:00","2026-05-15T18:00:20.040172+00:00",8,[18,21,24,26],{"name":19,"type":20},"Point Wild","vendor",{"name":22,"type":23},"PyInstaller","technology",{"name":25,"type":23},"AMSI",{"name":27,"type":20},"Microsoft","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":28,"icon":30,"name":31,"slug":32},null,"Malware","malware",[34,39,41],{"category":35},{"id":36,"icon":30,"name":37,"slug":38},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":40},{"id":28,"icon":30,"name":31,"slug":32},{"category":42},{"id":43,"icon":30,"name":44,"slug":45},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[47,51,54],{"type":48,"value":49,"context":50},"ip","68.219.64.89","XWorm RAT C2 server communication on port 4444",{"type":32,"value":52,"context":53},"XWorm RAT v7.4","Remote access trojan with AMSI bypass, credential theft, webcam spying, DDoS capabilities",{"type":32,"value":55,"context":56},"afacan313131.exe","Secondary payload dropped by XWorm for full remote control"]