APT / THREAT GROUP
Xwo
2 aliases
Last seen: Mar 17, 2026
Intelligence Profile
In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.
Threat Analysis
Xwo is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations; its primary motivation and activity patterns are unknown.
Intelligence Reports Mentioning Xwo
Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT
The Hacker News · Mar 6, 2026
Want More XWorm?, (Wed, Mar 4th)
SANS ISC · Mar 4, 2026
Quick Facts
Type: APT / Threat Group
Aliases: 2
Also Known As
Xwo, win.xwo
External Intelligence
Malpedia: win.xwo
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.