XLoader
Associated Software Descriptions

Name | Description
---|---
Formbook | (Citation: Zscaler XLoader 2025)(Citation: ANY.RUN XLoader 2023)(Citation: CheckPoint XLoader 2022)(Citation: Google XLoader 2017)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1583.001 | Acquire Infrastructure: Domains | XLoader can utilize hardcoded command and control domain configurations created by the XLoader authors. These are designed to mimic domain registrars and hosting service providers such as Hostinger and Namecheap.(Citation: CheckPoint XLoader 2022)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | XLoader uses HTTP and HTTPS for command and control communication.(Citation: Google XLoader 2017)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | XLoader establishes persistence by copying its executable into a subdirectory of `%APPDATA%` or `%PROGRAMFILES%`, and then modifies Windows Registry Run keys or Policies keys to execute the executable on system start.(Citation: Zscaler XLoader 2025)(Citation: Google XLoader 2017)
Enterprise | T1059.010 | Command and Scripting Interpreter: AutoHotKey & AutoIT | XLoader can use an AutoIT script to decrypt a payload file, load it into victim memory, then execute it on the victim machine.(Citation: Google XLoader 2017)
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | XLoader can gather credentials from several web browsers.(Citation: Zscaler XLoader 2025)(Citation: Google XLoader 2017)(Citation: Netskope XLoader 2022)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | XLoader loads a fresh copy of NTDLL to evade hooks placed on this library by security monitoring tools.(Citation: Zscaler XLoader 2025) XLoader can add the path of its executable to the Microsoft Defender exclusion list.(Citation: Netskope XLoader 2022)
Enterprise | T1070.004 | Indicator Removal: File Deletion | XLoader can delete malicious executables from compromised machines.(Citation: Acronis XLoader 2021)
Enterprise | T1056.001 | Input Capture: Keylogging | XLoader can capture keystrokes from the victim machine.(Citation: Google XLoader 2017)
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | XLoader uses various packers, including CyaX, to obfuscate malicious executables.(Citation: Netskope XLoader 2022)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | XLoader features encrypted functions using the RC4 algorithm and bytecode operations.(Citation: Zscaler XLoader 2025)(Citation: ANY.RUN XLoader 2023)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | XLoader has been delivered as a phishing attachment, including PDFs with embedded links, Word and Excel files, and various archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads.(Citation: Google XLoader 2017)(Citation: Acronis XLoader 2021)
Enterprise | T1055.004 | Process Injection: Asynchronous Procedure Call | XLoader injects code into the APC queue using the `NtQueueApcThread` API.(Citation: Zscaler XLoader 2025)
Enterprise | T1055.012 | Process Injection: Process Hollowing | XLoader uses process hollowing by injecting itself into the `explorer.exe` process and other files within the Windows `SysWOW64` directory.(Citation: Zscaler XLoader 2025)(Citation: Google XLoader 2017)(Citation: ANY.RUN XLoader 2023)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | XLoader can create scheduled tasks for persistence.(Citation: Netskope XLoader 2022)
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | XLoader performs timing checks using the Read Time-Stamp Counter (RDTSC) instruction on the victim CPU.(Citation: Google XLoader 2017)
References
- Acronis. (2021, November 26). Trojan-as-a-service: From Formbook to XLoader. Retrieved March 11, 2025.
- Alexey Bukhteyev & Raman Ladutska, Check Point Research. (2022, May 31). XLoader Botnet: Find Me If You Can. Retrieved March 11, 2025.
- ANY.RUN. (2023, February 28). XLoader/FormBook: Encryption Analysis and Malware Decryption. Retrieved March 11, 2025.
- Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025.
- Zscaler Threatlabz. (2025, January 27). Technical Analysis of Xloader Versions 6 and 7 | Part 1. Retrieved March 11, 2025.
- Gustavo Palazolo, Netskope. (2022, March 11). New Formbook Campaign Delivered Through Phishing Emails. Retrieved March 11, 2025.