
Streamers in the Crosshairs: How XWorm Malware Targets Online Content Creators
Content creators and streamers have carved out a unique niche, entertaining and educating millions of viewers. However, as their popularity rises, so does the attention they attract from cybercriminals. A new and unsettling trend is emerging: streamers are becoming prime targets for sophisticated malware attacks, particularly the XWorm malware. In our latest research, we expose how XWorm is targeting online content creators and exposing their personal data and accounts, and what steps can be taken to avoid this evolving threat.
XWorm Malware
XWorm is a Remote Access Trojan (RAT) that offers cybercriminals a wide array of tools to infiltrate and manipulate victims’ systems. First appearing in 2022, XWorm has quickly evolved into a significant threat due to its modular nature and availability as a malware-as-a-service (MaaS). This accessibility lowers the barrier to entry for aspiring hackers, enabling even those with limited technical skills to launch sophisticated attacks.
XWorm is designed to be highly configurable, allowing attackers to customize its payloads to suit their malicious goals. Whether it’s stealing sensitive data, launching Distributed Denial of Service (DDoS) attacks, or deploying ransomware, XWorm is a versatile tool in the cybercriminal arsenal. Recent research by Veriti reveals that online streamers are increasingly finding themselves in the crosshairs of these attacks.
The New Prime Targets
So why are streamers, in particular, becoming prime targets for XWorm? The answer lies in the high-value nature of their digital assets. Streamers often operate across multiple platforms, including Twitch, YouTube, Discord, and various social media channels. They store valuable data such as account credentials, cryptocurrency wallets, and sensitive personal information. This makes them an attractive target for cybercriminals looking to hijack accounts, steal funds, or even extort money.
Moreover, streamers typically maintain large followings, making their accounts lucrative for attackers who can monetize hacked accounts by promoting scams or selling access to these accounts on the dark web. Our research indicates that XWorm infections are particularly prevalent in Russia, with numerous stolen credentials and personal data from streamers being posted online.

Inside the XWorm Infection
XWorm is typically delivered through multi-stage attacks. A common method involves phishing emails containing malicious attachments. Once the unsuspecting victim opens the attachment, it triggers a sequence of downloads that culminate in the installation of XWorm. From there, the malware establishes a connection with its command-and-control (C2) server and begins siphoning off data.
One of the most concerning aspects of XWorm is its ability to gather a wide range of information from infected systems. This includes:
- Account Credentials: XWorm can hijack accounts for popular platforms like Discord, Telegram, and even MetaMask. Streamers who rely on these accounts to manage their communities or finances are particularly vulnerable.
- User Activity Monitoring: The malware can track keystrokes, capture webcam footage, listen through the microphone, and log network activity. This enables attackers to monitor and potentially blackmail victims based on their private activities.
- Clipboard Hijacking: XWorm can intercept clipboard data, replacing cryptocurrency wallet addresses with those controlled by the attacker. For streamers who may receive donations in crypto, this poses a significant risk.
- File System Control: XWorm can access the infected system’s file structure, allowing attackers to download or upload files, steal content, or even deploy additional malware.
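A defensive check for the clipboard-swap behaviour in the list above, added here as an example and not taken from the original post or from Veriti's research: it compares the full wallet address that was copied with the one that arrived, and checks it against a pinned set of the streamer's own addresses. The function names, address patterns and sample values are constructed for illustration, and the patterns test shape only, not checksums.

```python
import re

# Address shapes this check recognises (assumed patterns, shape only).
FORMATS = {
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "btc-base58": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc-bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
}

# Constructed sample values, not real wallets.
MINE = "0x" + "ab12" + "c" * 32 + "9f3e"   # the streamer's pinned address
FAKE = "0x" + "ab12" + "d" * 32 + "9f3e"   # same first/last characters
OTHER = "0x" + "7" * 40                    # unrelated address

def classify(text):
    """Return the format name if text is exactly one wallet address, else None."""
    text = text.strip()
    for name, pattern in FORMATS.items():
        if pattern.fullmatch(text):
            return name
    return None

def check_paste(copied, pasted, pinned, edge=4):
    """Compare what was copied with what arrived; pinned is the known-good set."""
    kind = classify(pasted)
    if kind is None:
        return "not-an-address"
    a, b = copied.strip(), pasted.strip()
    if kind == "eth":  # hex addresses compare case-insensitively
        a, b = a.lower(), b.lower()
        pinned = {p.lower() for p in pinned}
    if a == b and b in pinned:
        return "ok"
    if a == b:
        return "unpinned"  # unchanged in transit, but not one of ours
    if classify(copied) == kind:
        # Same format, different value: the substitution pattern.
        look = a[:edge] == b[:edge] and a[-edge:] == b[-edge:]
        return "swapped-lookalike" if look else "swapped"
    return "changed"
```

The "swapped-lookalike" result is the case a glance at the first and last few characters would miss, which is why the comparison is done on the whole string.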
In our investigation, we discovered extensive lists of hundreds of stolen credentials belonging to streamers with the payload being uploaded via VirusTotal, along with screenshots and videos that showcase the extent of the compromise. These data dumps provide a glimpse into how XWorm is systematically targeting content creators, exploiting their high-value digital assets.

Why Streamers Are Vulnerable
Beyond the technical aspects of XWorm, it’s important to understand the human behaviors that make streamers vulnerable. The fast-paced, always-on nature of content creation means streamers are often multitasking and managing numerous platforms at once. This can lead to lapses in judgment, such as clicking on suspicious links or neglecting security updates.
Moreover, the pressure to constantly engage with their audience can make streamers less cautious about potential threats. Attackers exploit this by crafting phishing emails that appear to be fan messages, sponsorship offers, or urgent requests from streaming platforms. Once the malware gains access, the impact can be devastating, leading to account takeovers, financial loss, and damage to reputation.
How to Stay Protected
As the saying goes, an ounce of prevention is worth a pound of cure. Streamers and content creators need to take proactive steps to secure their digital assets and mitigate the risks posed by XWorm and similar threats. Here are some best practices:
- Strengthen Account Security: Implement multi-factor authentication (MFA) on all streaming and social media accounts. This adds an extra layer of protection by requiring a second form of verification beyond just a password.
- Be Wary of Phishing Attempts: Streamers should be cautious when interacting with unknown senders. Even if a message appears to come from a legitimate source, double-check the sender’s email address, and avoid clicking on links or downloading attachments unless absolutely certain.
- Regularly Update Software: Ensure that all devices, including streaming software and plugins, are up to date with the latest security patches. XWorm and similar malware often exploit known vulnerabilities that can be patched with timely updates.
- Monitor Account Activity: Keep an eye on login activity and any changes to account settings. If any suspicious activity is detected, take immediate action by changing passwords and enabling security features.
What This Means for the Streaming Industry
The rise of targeted attacks against streamers underscores a broader trend in cybercrime: the focus on individuals who hold high-value digital assets. As content creators continue to grow in influence and revenue, they will increasingly find themselves in the crosshairs of sophisticated threat actors. The streaming industry must take this threat seriously and implement stronger security measures across the board.
For platforms like Twitch and YouTube, this means investing in better detection and response mechanisms to safeguard their user base. For streamers, it means staying informed, remaining vigilant, and prioritizing security alongside content creation.
While XWorm might be the latest malware making headlines, it won’t be the last. Streamers need to recognize that their digital fame comes with a price: the need for heightened cybersecurity awareness.
*** This is a Security Bloggers Network syndicated blog from VERITI authored by Veriti Research. Read the original post at: https://veriti.ai/blog/streamers-in-the-crosshairs-how-xworm-malware-targets-online-content-creators/