XLoader

XLoader is an infostealer malware in use since at least 2016. Previously known and sometimes still referred to as Formbook, XLoader is a Malware as a Service (MaaS) known for stealing data from web browsers, email clients and File Transfer Protocol (FTP) applications.[1][2][3][4][5]

ID: S1207
Associated Software: Formbook
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 11 March 2025
Last Modified: 11 March 2025

Associated Software Descriptions

Name Description
Formbook [1][2][3][5]

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

XLoader can utilize hardcoded command and control domain configurations created by the XLoader authors. These are designed to mimic domain registrars and hosting service providers such as Hostinger and Namecheap.[3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

XLoader uses HTTP and HTTPS for command and control communication.[5]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

XLoader establishes persistence by copying its executable into a subdirectory of %APPDATA% or %PROGRAMFILES%, and then modifying Windows Registry Run keys or policy keys so that the copy executes at system start.[1][5]

Enterprise T1185 Browser Session Hijacking

XLoader can conduct form grabbing, steal cookies, and extract data from HTTP sessions.[5]

Enterprise T1115 Clipboard Data

XLoader can collect data stored in the victim's clipboard.[5][6]

Enterprise T1059 .010 Command and Scripting Interpreter: AutoHotKey & AutoIT

XLoader can use an AutoIT script to decrypt a payload file, load it into memory on the victim machine, and then execute it.[5]

Enterprise T1555 Credentials from Password Stores

XLoader can collect credentials stored in email clients.[5][6]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

XLoader can gather credentials from several web browsers.[1][5][6]

Enterprise T1622 Debugger Evasion

XLoader uses anti-debugging mechanisms such as calling NtQueryInformationProcess with InfoClass=7 (ProcessDebugPort) to determine whether it is being analyzed.[5]

Enterprise T1140 Deobfuscate/Decode Files or Information

XLoader uses XOR and RC4 algorithms to decrypt payloads and functions.[1] XLoader can be distributed as a self-extracting RAR archive that launches an AutoIT loader.[5]

Enterprise T1203 Exploitation for Client Execution

XLoader has exploited Microsoft Office vulnerabilities such as CVE-2017-11882 and CVE-2018-0798 for local execution.[6]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

XLoader loads a fresh copy of NTDLL to evade hooks that security monitoring tools place in that library.[1] XLoader can add the path of its executable to the Microsoft Defender exclusion list.[6]

Enterprise T1070 .004 Indicator Removal: File Deletion

XLoader can delete malicious executables from compromised machines.[4]

Enterprise T1056 .001 Input Capture: Keylogging

XLoader can capture keystrokes from the victim machine.[5]

Enterprise T1106 Native API

XLoader uses the native Windows API for functionality, including defense evasion.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

XLoader uses various packers, including CyaX, to obfuscate malicious executables.[6]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

XLoader features encrypted functions using the RC4 algorithm and bytecode operations.[1][2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

XLoader has been delivered as a phishing attachment, including PDFs with embedded links, Word and Excel files, and various archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads.[5][4]

Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

XLoader injects code via the APC queue using the NtQueueApcThread API.[1]

Enterprise T1055 .012 Process Injection: Process Hollowing

XLoader uses process hollowing by injecting itself into the explorer.exe process and other executables within the Windows SysWOW64 directory.[1][5][2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

XLoader can create scheduled tasks for persistence.[6]

Enterprise T1113 Screen Capture

XLoader can capture screenshots on compromised hosts.[5][6]

Enterprise T1539 Steal Web Session Cookie

XLoader can capture web session cookies and session information from victim browsers.[5]

Enterprise T1082 System Information Discovery

XLoader can collect system information and supported language information from the victim machine.[4]

Enterprise T1033 System Owner/User Discovery

XLoader can identify the username from a victim machine.[4]

Enterprise T1529 System Shutdown/Reboot

XLoader can initiate a system reboot or shutdown.[5]

Enterprise T1497 Virtualization/Sandbox Evasion

XLoader can utilize decoy command and control domains within the malware configuration to circumvent sandbox analysis.[2][3]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

XLoader performs timing checks using the Read Time-Stamp Counter (RDTSC) instruction on the victim CPU.[5]

References