Lizzie Clark

October 8th – This Week’s Top Cybersecurity and Dark Web Stories

This week’s top cybersecurity and dark web news stories cover the resurfacing of the XWorm malware, the extortion emails received by Oracle E-Business Suite customers, and the cyberattack affecting Renault UK.

XWorm Malware Resurfaces with Ransomware Module

New versions of the XWorm malware are being actively distributed through phishing campaigns, following the abandonment of the project by its original developer, XCoder, last year.

The latest variants are circulating widely among cybercriminals and include plugin support that enables a broad range of malicious activity. Operators can load modules to steal browser and application data, remotely control infected hosts, and encrypt or decrypt files.

XWorm is a remote access trojan first observed in 2022. It gained a reputation as a highly effective piece of malware because of its modular architecture and extensive capabilities: it can collect sensitive data (such as credentials, crypto wallets, and financial information), log keystrokes, steal clipboard contents, launch DDoS attacks, and load additional malware.

After XCoder deleted their Telegram accounts, multiple actors began distributing cracked versions of XWorm. One campaign even used a trojanized copy of the malware as bait to compromise less experienced cybercriminals, resulting in 18,459 infections across Russia, the US, India, Ukraine, and Turkey.

The new version was advertised on a hacker forum by an account using the username XCoderTools, which offered access for a $500 lifetime subscription.

Although it is unclear whether this is the original developer, the user claimed that the new XWorm variant fixed an RCE vulnerability present in earlier builds and included multiple other updates.

XWorm now has more than 35 plugins that extend its capabilities from stealing sensitive information to ransomware.

Oracle Customers Receiving Extortion Emails

Attackers claiming to be associated with the Cl0p ransomware group have launched a widespread extortion campaign targeting Oracle E-Business Suite customers, according to multiple cybersecurity researchers.

Victims have received emails sent from hundreds of compromised third-party accounts, alleging that attackers stole their data from Oracle’s systems.

Cl0p has not published any data or claims on its leak site, and the emails themselves do not state a ransom amount; instead, they pressure victims to open negotiations.

“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 critical patch update,” Rob Duhart, chief security officer at Oracle Security, said in a blog post.

Oracle has not said which vulnerabilities are under active exploitation, nor has it confirmed whether customer data was stolen. The July update included 309 patches, nine of which addressed defects in Oracle E-Business Suite. E-Business Suite customers who have not yet applied the July 2025 critical patch update should treat it as urgent, given that the attackers appear to be exploiting flaws it already fixes.

Cl0p is a prolific ransomware operation, known for exploiting file-transfer software vulnerabilities to conduct large-scale data theft and extortion. Its 2023 MOVEit campaign compromised over 2,300 organizations, making it the largest cyberattack of that year. You can learn more about Cl0p in our H1 2025 ransomware report.

Renault UK Hit by Cyberattack

Renault UK has confirmed that some customer data has been compromised following a cyberattack on one of its third-party data processing providers.

The French carmaker said no financial information, passwords, or bank details were accessed, but warned customers to remain vigilant after other personal data was stolen.

The exposed data includes names, addresses, dates of birth, gender, phone numbers, vehicle identification numbers, and vehicle registration details. Renault has not disclosed the number of customers affected, citing “ongoing security reasons,” but emphasized that its own systems were not breached.

A Renault spokesperson said the incident was isolated to the third-party provider and had been contained. “The third-party provider has confirmed this is an isolated incident which has been contained, and we are working with it to ensure that all appropriate actions are being taken. We have notified all relevant authorities.

“We are in the process of contacting all affected customers, advising them of the cyber-attack and reminding them to be cautious of any unsolicited requests for personal information,” they added.

Renault UK is contacting affected customers and advising them to watch out for phishing or other unsolicited communications that reference the stolen details. The impacted group may extend beyond vehicle owners to competition entrants and individuals who shared data with Renault without making a purchase.

The Renault incident comes amid a wave of cyberattacks on major manufacturers. In late August, Jaguar Land Rover suffered a cyberattack that forced it to halt production and secure a £1.5 billion government-underwritten loan.

IF YOU’D LIKE THE LATEST DARK WEB NEWS AND INSIGHTS DELIVERED INTO YOUR INBOX EVERY THURSDAY AT 10AM, SIGN UP TO THE EMAIL VERSION OF BEACON.