Dark Web Informer - Cyber Threat Intelligence

IOC Alert: XWorm Command-and-Control Infrastructure

📖 Overview
A domain indicator linked to XWorm command-and-control (C2) infrastructure has been identified. The domain is hosted through the Playit.gg platform, which threat actors often abuse to proxy malicious traffic. This IOC represents a high-confidence threat tied to ongoing XWorm campaigns.


📌 Key Details

Type: Domain
Indicator: insurance-statistical.gl.at.ply[.]gg
Threat Type: Botnet C2
Malware: win.xworm
Confidence: 100%
Date: 03 Sep 2025 – 12:01:43 UTC
Tags: c2, domain, triage, XWorm
Reporter: DonPasci

🔎 URLScan Result
Page Title: playit.gg
Screenshot: https://urlscan.io/screenshots/01990f76-aed5-76eb-b3ab-2821d15f45db.png
Result: https://urlscan.io/result/01990f76-aed5-76eb-b3ab-2821d15f45db/


📡 Related Intelligence
WHOIS Record: https://who.is/whois/insurance-statistical.gl.at.ply.gg
VirusTotal Report: https://www.virustotal.com/gui/domain/insurance-statistical.gl.at.ply.gg
Reference: https://tria.ge/250903-m1drlsvjz6


🛡️ Defensive Guidance

  • Block insurance-statistical.gl.at.ply[.]gg at DNS, proxy, and endpoint layers.
  • Monitor for outbound connections tunneled through Playit.gg services.
  • Hunt for XWorm persistence artifacts and registry modifications.
  • Review proxy and firewall logs for suspicious beaconing activity to Playit.gg subdomains.

⚠️ This IOC highlights the abuse of legitimate proxy services (Playit.gg) for C2 hosting, a common tactic to evade detection.
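
One way to run the log review described in the guidance above, as an added example that is not part of the original alert: it refangs the indicator, flags DNS queries for it or for any other name under the indicator's parent domain ply.gg, and marks client/name pairs whose query intervals are regular enough to look like beaconing. The log format, the sample lines, the function names and the jitter threshold are assumptions made for illustration.

```python
from datetime import datetime
from statistics import mean, pstdev

IOC = "insurance-statistical.gl.at.ply[.]gg"  # indicator from this alert, defanged
TUNNEL_SUFFIX = ".ply.gg"                     # parent domain of the indicator

# Constructed sample DNS log, assumed format: "<ISO time> <client IP> <query name>"
SAMPLE_LOG = """\
2025-09-03T12:00:00 10.0.0.5 insurance-statistical.gl.at.ply.gg
2025-09-03T12:01:00 10.0.0.5 INSURANCE-STATISTICAL.GL.AT.PLY.GG.
2025-09-03T12:02:01 10.0.0.5 insurance-statistical.gl.at.ply.gg
2025-09-03T12:03:00 10.0.0.5 insurance-statistical.gl.at.ply.gg
2025-09-03T12:04:00 10.0.0.5 insurance-statistical.gl.at.ply.gg
2025-09-03T12:00:10 10.0.0.9 example-game.gl.at.ply.gg
2025-09-03T12:07:45 10.0.0.9 example-game.gl.at.ply.gg
2025-09-03T12:09:02 10.0.0.9 example-game.gl.at.ply.gg
2025-09-03T12:40:30 10.0.0.9 example-game.gl.at.ply.gg
2025-09-03T12:05:00 10.0.0.7 supply.gg
"""

def refang(indicator):
    """Turn a defanged indicator into a normalized hostname for matching."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

def hunt(log_text, ioc=IOC, max_jitter=0.1, min_events=4):
    """Return one finding per (client, name) that queried the IOC or a ply.gg name."""
    ioc_name = refang(ioc)
    hits = {}  # (client, name) -> list of query timestamps
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not fit the assumed format
        ts, client, name = parts
        name = name.lower().rstrip(".")
        # Suffix match on a label boundary, so "supply.gg" is not a hit
        if name == ioc_name or name.endswith(TUNNEL_SUFFIX):
            hits.setdefault((client, name), []).append(datetime.fromisoformat(ts))
    findings = []
    for (client, name), times in sorted(hits.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Beaconing heuristic: enough events and a low coefficient of variation
        beacon = (len(times) >= min_events and mean(gaps) > 0
                  and pstdev(gaps) / mean(gaps) <= max_jitter)
        findings.append({"client": client, "name": name, "count": len(times),
                         "ioc_match": name == ioc_name, "beaconing": beacon})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Not every ply.gg lookup is malicious, since Playit.gg is a legitimate service; the exact IOC match and the regular-interval flag are what separate the first client from the second in the sample.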
