Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент XLoader
Сертификаты СЗИ
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
XLoader
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

XLoader

XLoader is an infostealer malware in use since at least 2016. Previously known and sometimes still referred to as Formbook, XLoader is a Malware as a Service (MaaS) known for stealing data from web browsers, email clients and File Transfer Protocol (FTP) applications.(Citation: Zscaler XLoader 2025)(Citation: ANY.RUN XLoader 2023)(Citation: CheckPoint XLoader 2022)(Citation: Acronis XLoader 2021)(Citation: Google XLoader 2017)
ID: S1207
Associated Software: Formbook
Type: MALWARE
Platforms: Windows
Created: 11 Mar 2025
Last Modified: 11 Mar 2025

Associated Software Descriptions
Name Description
Formbook (Citation: Zscaler XLoader 2025)(Citation: ANY.RUN XLoader 2023)(Citation: CheckPoint XLoader 2022)(Citation: Google XLoader 2017)

Techniques Used
Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

XLoader can utilize hardcoded command and control domain configurations created by the XLoader authors. These are designed to mimic domain registrars and hosting service providers such as Hostinger and Namecheap.(Citation: CheckPoint XLoader 2022)
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

XLoader uses HTTP and HTTPS for command and control communication.(Citation: Google XLoader 2017)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

XLoader establishes persistence by copying its executable in a subdirectory of `%APPDATA%` or `%PROGRAMFILES%`, and then modifies Windows Registry Run keys or policies keys to execute the executable on system start.(Citation: Zscaler XLoader 2025)(Citation: Google XLoader 2017)
Enterprise T1059 .010 Command and Scripting Interpreter: AutoHotKey & AutoIT

XLoader can use an AutoIT script to decrypt a payload file, load it into victim memory, then execute it on the victim machine.(Citation: Google XLoader 2017)
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

XLoader can gather credentials from several web browsers.(Citation: Zscaler XLoader 2025)(Citation: Google XLoader 2017)(Citation: Netskope XLoader 2022)
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

XLoader loads a copy of NTDLL to evade hooks from security monitoring tools on this library.(Citation: Zscaler XLoader 2025) XLoader can add the path of its executable to the Microsoft Defender exclusion list.(Citation: Netskope XLoader 2022)
Enterprise T1070 .004 Indicator Removal: File Deletion

XLoader can delete malicious executables from compromised machines.(Citation: Acronis XLoader 2021)
Enterprise T1056 .001 Input Capture: Keylogging

XLoader can capture keystrokes from the victim machine.(Citation: Google XLoader 2017)
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

XLoader uses various packers, including CyaX, to obfuscate malicious executables.(Citation: Netskope XLoader 2022)
.013 Obfuscated Files or Information: Encrypted/Encoded File

XLoader features encrypted functions using the RC4 algorithm and bytecode operations.(Citation: Zscaler XLoader 2025)(Citation: ANY.RUN XLoader 2023)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

XLoader has been delivered as a phishing attachment, including PDFs with embedded links, Word and Excel files, and various archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads.(Citation: Google XLoader 2017)(Citation: Acronis XLoader 2021)
Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

XLoader injects code into the APC queue using `NtQueueApcThread` API.(Citation: Zscaler XLoader 2025)
.012 Process Injection: Process Hollowing

XLoader uses process hollowing by injecting itself into the `explorer.exe` process and other files ithin the Windows `SysWOW64` directory.(Citation: Zscaler XLoader 2025)(Citation: Google XLoader 2017)(Citation: ANY.RUN XLoader 2023)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

XLoader can create scheduled tasks for persistence.(Citation: Netskope XLoader 2022)
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

XLoader performs timing checks using the Read-Time Stamp Counter (RDTSC) instruction on the victim CPU.(Citation: Google XLoader 2017)

References

  1. Acronis. (2021, November 26). Trojan-as-a-service: From Formbook to XLoader. Retrieved March 11, 2025.
  2. Alexey Bukhteyev & Raman Ladutska, Check Point Research. (2022, May 31). XLoader Botnet: Find Me If You Can. Retrieved March 11, 2025.
  3. ANY.RUN. (2023, February 28). XLoader/FormBook: Encryption Analysis and Malware Decryption . Retrieved March 11, 2025.
  4. Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025.
  5. Zscaler Threatlabz. (2025, January 27). Technical Analysis of Xloader Versions 6 and 7 | Part 1. Retrieved March 11, 2025.
  6. Gustavo Palazolo, Netskope. (2022, March 11). New Formbook Campaign Delivered Through Phishing Emails. Retrieved March 11, 2025.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.