Neptune and the legacy of XWORM

A recent investigation into Neptune RAT unexpectedly uncovered notable overlaps with the notorious remote access trojan, XWORM. Given XWORM’s recent surge in popularity, this discovery prompted a deeper analysis, revealing several intriguing connections between the two malware families. This similarity was also reflected in various OSINT sources, where samples of Neptune RAT triggered detections originally developed for XWORM.

Neptune RAT
Based on research from Cyfirma, we identified several GitHub repositories that helped us partially reconstruct the development history of Neptune RAT. Currently, there are at least two major distinct versions. The older version, which we’ll refer to as V1, has been linked to the campaign under investigation.
Neptune RAT V1
We discovered a GitHub repository that appears to be a fork of the original builder for Neptune RAT. Because the original repository is named MasonGroup/NeptuneRatV1, we’ll designate this version as V1. The repository contains commits exclusively from a user named "Freemasonry," with the initial commit and most activity dating back to early December 2024, before activity abruptly ceased. Additionally, the repository references a Discord server called FreemasonryTM.
Notably, the builder’s user interface differs significantly from the typical UI seen in XWORM’s builder:

Despite the obvious differences in design and appearance, the codebases reveal a striking similarity. Both XWORM and Neptune RAT share a similar approach to initialization: they load all configuration settings at the start of their respective main functions and then launch executor threads to carry out their tasks.

These values are stored in a single class containing static strings. Except for the mutex, all strings are AES-encrypted and Base64-encoded, a common practice among .NET RATs. What’s unusual, however, is that both XWORM and Neptune RAT V1 use the exact same encryption routine: the mutex is hashed using MD5, and the hash is duplicated to form a 32-byte key used for AES encryption running in the insecure ECB mode. Because of this shared method, Neptune RAT V1 configurations were mistakenly conflated with XWORM’s configurations in our tracking systems.
The similarities don’t end there. Both malware families implement persistence using three methods: Task Scheduler, registry entries and the startup folder. The resemblance is especially striking in the first and third approaches:

These similarities extend to their scope as well. Both malware families use identical regular expressions and target the same cryptocurrencies: BTC, ETH and TRC. Notably, although Neptune RAT V1 appears to be a recent variant, it only targets legacy Bitcoin addresses and largely ignores newer standards like Bech32 (BIP-0173, introduced in 2017). The reuse of identical regular expressions and wallet-targeting patterns further reinforces the likelihood that Neptune RAT V1 is derived from XWORM rather than being developed independently.
We also examined other popular RATs such as njRAT and AsyncRAT. Their initialization processes and workflows differ significantly, and their structures and implementations do not share these specific patterns. Based on this, we conclude that the similarities between Neptune RAT V1 and XWORM are unlikely to be coincidental; Neptune RAT V1 is most likely a derivative of XWORM.

Neptune RAT V2
We also identified another repository, forked from MasonGroup/NeptuneRAT and named NeptuneRatV2, which contains a trial version of a new builder that we’ll refer to as V2. Its initial commit dates to February 22, 2025, with GitHub showing ongoing development in the original, now-private repository. While the V2 builder’s UI appears to be a reskinned and more polished version of V1, the underlying code has undergone significant changes, suggesting either a complete rewrite or an extensive refactoring.

Neptune RAT V2 shows a drastic departure from V1. While V1 completed configuration initialization within the main function, V2 follows a completely different code flow. Unlike V1, variable names in V2 are not obfuscated, and the configuration data is stored as plain strings in the Settings class rather than being AES-encrypted. This unencrypted approach is consistent across both trial and production builds.

Conclusion
We identified Neptune RAT configurations within our historical XWORM tracking data, which prompted the hypothesis that these two malware strains might be linked. OSINT investigations uncovered some tentative connections, including forks of the MasonGroup/NeptuneRatV1 repository. Although the original repository is no longer accessible, these forks contained code heavily overlapping with XWORM. Notably, the current Neptune RAT builder references the Freemasonry group, aligning with the Discord server identified in our research.
Reverse engineering Neptune RAT V1 revealed further compelling similarities. While the shared resource structure might be dismissed as a coincidence, given that many .NET RATs use similar frameworks, the resource encryption scheme is essentially identical in both: AES encryption in insecure ECB mode combined with the same key-derivation method using a hard-coded mutex. Their persistence mechanisms are also functionally and structurally alike. Additionally, the clipper functionality employs the same regular expressions and targets the same cryptocurrencies. Although these expressions focus on legacy Bitcoin addresses rather than newer standards like Bech32, this link is somewhat weak given the widespread use of these expressions in malware.
The strong similarities between XWORM and Neptune RAT V1, contrasted with their clear divergence from other open-source RATs, strongly suggest that Neptune RAT V1 is related to XWORM. However, these parallels do not extend to Neptune RAT V2, whose trial version, while functionally similar to V1, appears to be a complete code rewrite.
List of SHA256s
