Cybercriminals Use Fake Invoices to Deploy XWorm and Steal Login Credentials

Cybercriminals are deploying sophisticated phishing campaigns that weaponize seemingly legitimate invoice emails to distribute Backdoor.XWorm is a dangerous remote-access trojan (RAT) capable of stealing sensitive credentials, recording keystrokes, and installing ransomware.

Security researchers have uncovered an active malware distribution operation using Visual Basic Script attachments disguised as routine business correspondence, representing a dangerous evolution of social engineering tactics that exploit workplace trust.

The attack begins with a professional-looking email that mimics standard business communication.

Recipients receive messages with subject lines referencing invoice processing and payment confirmations, complete with polite language requesting verification.

The email typically reads: “Please find attached the list of invoices we have processed and payment has been made… Kindly review and confirm that these have been received on your end.”

However, several red flags immediately expose the fraudulent nature of these communications. The greeting contains no personalization just a generic “Hi” with no ...