IOC

IOC Alert: XWorm Command-and-Control Infrastructure

, and Dark Web Informer

September 3, 2025 . 5:59 PM

1 min read

📖 Overview
A domain-based indicator has been identified linked to XWorm command-and-control infrastructure. The domain is hosted through the Playit.gg platform, often abused by threat actors to proxy malicious traffic. This IOC represents a high-confidence threat tied to ongoing XWorm campaigns.

📌 Key Details

Field	Information
Type	Domain
Indicator	`insurance-statistical.gl.at.ply[.]gg`
Threat Type	Botnet C2
Malware	win.xworm
Confidence	100%
Date	03 Sep 2025 – 12:01:43 UTC
Tags	c2, domain, triage, XWorm
Reporter	DonPasci

🔎 URLScan Result
Page Title: playit.gg
Screenshot: https://urlscan.io/screenshots/01990f76-aed5-76eb-b3ab-2821d15f45db.png
Result: https://urlscan.io/result/01990f76-aed5-76eb-b3ab-2821d15f45db/

📡 Related Intelligence
WHOIS Record: https://who.is/whois/insurance-statistical.gl.at.ply.gg
VirusTotal Report: https://www.virustotal.com/gui/domain/insurance-statistical.gl.at.ply.gg
Reference: https://tria.ge/250903-m1drlsvjz6

🛡️ Defensive Guidance

Block insurance-statistical.gl.at.ply[.]gg at DNS, proxy, and endpoint layers.
Monitor for outbound connections tunneled through Playit.gg services.
Hunt for XWorm persistence artifacts and registry modifications.
Review proxy and firewall logs for suspicious beaconing activity to Playit.gg subdomains.

⚠️ This IOC highlights the abuse of legitimate proxy services (Playit.gg) for C2 hosting, a common tactic to evade detection.