XWorm RAT v7.4 Delivered via PyInstaller‑Packed Executables with AMSI Patching Bypasses Windows Defenses
What Happened – Threat actors are embedding the XWorm remote‑access trojan (RAT) version 7.4 inside PyInstaller‑generated executables and patching the Antimalware Scan Interface (AMSI) to evade Windows‑based detection. The payload steals files, harvests credentials, and enables command‑and‑control through malicious advertising redirects.
Why It Matters for TPRM –
- The technique subverts a core Windows defense, raising the likelihood of successful compromise across any third‑party software supply chain that uses PyInstaller.
- Data exfiltration and remote control capabilities increase the risk of downstream breach of your organization’s sensitive assets.
- Vendors that distribute PyInstaller‑based tools may inadvertently become a delivery vector for the RAT.
Who Is Affected – All industries that rely on Windows‑based desktop applications packaged with PyInstaller, especially those that integrate third‑party utilities or internal tooling.
Recommended Actions –
- Inventory all third‑party applications built with PyInstaller and verify they are signed and scanned with AMSI‑aware solutions.
- Deploy endpoint detection and response (EDR) that can monitor AMSI tampering and anomalous process behavior.
- Enforce strict application allow‑lists and conduct regular threat‑emulation testing for PyInstaller‑packed binaries.
Technical Notes – The attack leverages legitimate PyInstaller bundling to hide malicious code, then patches AMSI in memory to suppress script‑based scanning. The RAT communicates over HTTP/HTTPS to ad‑network URLs, exfiltrating documents, browser cookies, and credential dumps. No specific CVE is cited; the evasion technique is a known “AMSI bypass” pattern.
Source: HackRead
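To support the inventory step in the Recommended Actions, a defender can triage Windows binaries for the PyInstaller CArchive trailer and list the bundled entry-point scripts. This is an added Python example, not code from the HackRead report or from PyInstaller itself; it assumes the PyInstaller 2.1+ cookie layout (`!8sIIii64s`) and TOC entry layout (`!iIIIBc`), and the overlay it parses is constructed inline rather than taken from a real sample.

```python
import struct
from typing import Dict, List, Optional

# CArchive trailer ("cookie") layout used by PyInstaller 2.1 and later
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"                    # magic, pkg_len, toc_off, toc_len, pyvers, pylib
COOKIE_LEN = struct.calcsize(COOKIE_FMT)     # 88 bytes
TOC_ENTRY_FMT = "!iIIIBc"                    # entry_len, data_off, clen, ulen, cflag, typecode
TOC_ENTRY_LEN = struct.calcsize(TOC_ENTRY_FMT)

def parse_pyinstaller(data: bytes) -> Optional[Dict]:
    """Return archive metadata if `data` ends in a PyInstaller CArchive, else None."""
    pos = data.rfind(PYINST_MAGIC)            # the cookie is the last thing in the package
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    archive_start = pos + COOKIE_LEN - pkg_len
    if archive_start < 0 or toc_off + toc_len > pkg_len:
        return None                           # truncated or corrupt trailer
    # Newer builds encode 3.11 as 311, older ones encode 3.7 as 37
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    entries: List[Dict] = []
    cur, end = archive_start + toc_off, archive_start + toc_off + toc_len
    while cur + TOC_ENTRY_LEN <= end:
        elen, _, _, ulen, cflag, tcode = struct.unpack_from(TOC_ENTRY_FMT, data, cur)
        if elen < TOC_ENTRY_LEN or cur + elen > end:
            break                             # malformed entry length: stop rather than loop
        name = data[cur + TOC_ENTRY_LEN:cur + elen].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append({"name": name, "type": tcode.decode(), "size": ulen, "compressed": bool(cflag)})
        cur += elen
    return {"python": f"{major}.{minor}", "pylib": pylib.rstrip(b"\x00").decode(), "entries": entries}

def entry_scripts(meta: Dict) -> List[str]:
    """Names of type-'s' entries: the bundled entry-point scripts to review first."""
    return [e["name"] for e in meta["entries"] if e["type"] == "s"]

def build_sample() -> bytes:
    """Constructed stand-in for a onefile EXE overlay (fake header + archive); not a real binary."""
    def toc_entry(name: bytes, off: int, ulen: int, tcode: bytes) -> bytes:
        raw = TOC_ENTRY_LEN + len(name) + 1
        pad = (-raw) % 16                     # PyInstaller pads entries to 16-byte alignment
        return struct.pack(TOC_ENTRY_FMT, raw + pad, off, ulen, ulen, 0, tcode) + name + b"\x00" * (1 + pad)
    payload = b"# constructed script body\n"
    toc = toc_entry(b"updater", 0, len(payload), b"s") + toc_entry(b"PYZ-00.pyz", len(payload), 0, b"z")
    pkg_len = len(payload) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, len(payload), len(toc), 311, b"python311.dll")
    return b"MZ-fake-header" + payload + toc + cookie

if __name__ == "__main__":
    meta = parse_pyinstaller(build_sample())
    print(meta["python"], meta["pylib"], entry_scripts(meta))
```

A positive result only identifies PyInstaller packaging, which is common in legitimate vendor tools; the script names and Python version feed the inventory, and the extracted entries still need scanning with AMSI-aware tooling as recommended above.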