XORIndex Loader

XORIndex Loader is an XOR-encoded loader that collects host data, decodes follow-on scripts and acts as a downloader for the BeaverTail malware. XORIndex Loader was first reported in June 2025. XORIndex Loader has been leveraged by North Korea-affiliated threat actors identified as Contagious Interview. XORIndex Loader has been delivered to victims through code repository sites using typosquatting naming conventions that imitate various npm packages.[1]

ID: S1248
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 22 October 2025
Last Modified: 24 October 2025

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

XORIndex Loader has used HTTPS POST to communicate with C2.[1]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

XORIndex Loader has executed malicious JavaScript code.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

XORIndex Loader can decode its payload prior to execution.[1]

Enterprise T1041 Exfiltration Over C2 Channel

XORIndex Loader has exfiltrated victim data using HTTPS POST requests to its C2 servers.[1]

Enterprise T1105 Ingress Tool Transfer

XORIndex Loader has been used to download malicious payloads, including BeaverTail.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

XORIndex Loader has leveraged legitimate package names to mimic frequently utilized tools to entice victims to download and execute malicious payloads.[1]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

XORIndex Loader has obfuscated strings using ASCII buffers and TextDecoder.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

XORIndex Loader has encoded module names and C2 URLs as hexadecimal strings in attempts to evade analysis.[1]
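The two string-hiding patterns described above (ASCII byte buffers fed to TextDecoder, and module names and C2 URLs stored as hexadecimal string literals) are what an analyst triaging a suspicious npm package looks for first. The static triage helper below is an added example written for this page; it is not code from the cited report, from ATT&CK, or from the malware. The sample source it scans, the module names and the host it decodes are constructed placeholders, not indicators taken from the page. It also shows the main false-positive case: a hex literal that is a hash rather than hidden text, which is rejected because it does not decode to printable ASCII.

```javascript
// Added triage helper (assumption: analyst has the package's JavaScript source
// as a string). Finds two string-hiding patterns and decodes them so hidden
// module names and URLs can be reviewed in clear text:
//   1. hexadecimal string literals such as "6874747073"
//   2. numeric byte arrays such as [104, 116, 116, 112, 115] passed to TextDecoder
// Node.js provides Buffer and TextDecoder as globals; no imports are needed.

const HEX_LITERAL = /["']([0-9a-fA-F]{8,})["']/g;          // 4+ bytes of hex
const BYTE_ARRAY = /\[\s*((?:\d{1,3}\s*,\s*)+\d{1,3})\s*\]/g; // 2+ decimal bytes

function isPrintableAscii(s) {
  return s.length > 0 && /^[\x20-\x7e]+$/.test(s);
}

// Returns the decoded text, or null when the literal is not hidden text
// (odd length, or bytes outside printable ASCII, e.g. a hash value).
function decodeHex(hex) {
  if (hex.length % 2 !== 0) return null;
  const text = Buffer.from(hex, 'hex').toString('latin1');
  return isPrintableAscii(text) ? text : null;
}

// Mirrors what TextDecoder().decode(new Uint8Array([...])) would yield at
// runtime, without executing the suspect script.
function decodeByteArray(list) {
  const nums = list.split(',').map(n => parseInt(n.trim(), 10));
  if (nums.some(n => Number.isNaN(n) || n < 0 || n > 255)) return null;
  const text = new TextDecoder('utf-8', { fatal: false }).decode(new Uint8Array(nums));
  return isPrintableAscii(text) ? text : null;
}

// Scans a source string and returns every literal that decodes to printable
// text, with the raw form kept so the finding can be located in the file.
function findEncodedStrings(source) {
  const hits = [];
  for (const m of source.matchAll(HEX_LITERAL)) {
    const decoded = decodeHex(m[1]);
    if (decoded !== null) hits.push({ kind: 'hex', raw: m[1], decoded });
  }
  for (const m of source.matchAll(BYTE_ARRAY)) {
    const decoded = decodeByteArray(m[1]);
    if (decoded !== null) hits.push({ kind: 'bytes', raw: m[0], decoded });
  }
  return hits;
}

// Constructed sample source (placeholder values, not indicators from the page):
// two hex-encoded module names, one byte-array host name, and one hash-like
// hex literal that must NOT be reported.
const SAMPLE_SOURCE = [
  "const m = require(Buffer.from('6874747073', 'hex').toString());",
  "const p = require(Buffer.from('70617468', 'hex').toString());",
  "const host = new TextDecoder().decode(new Uint8Array([101,120,97,109,112,108,101,46,105,110,118,97,108,105,100]));",
  "const hash = 'deadbeef00ff';",
].join('\n');

for (const hit of findEncodedStrings(SAMPLE_SOURCE)) {
  console.log(`${hit.kind.padEnd(5)} ${hit.raw}  ->  ${hit.decoded}`);
}
```

The printable-ASCII gate is what keeps the scanner usable on real packages: lock-file hashes, UUIDs and colour codes all match the hex pattern but are dropped because they do not decode to text, while module names and URLs pass through. Anything the helper reports still needs to be read in context, since legitimate code occasionally embeds short hex-encoded strings as well.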

Enterprise T1082 System Information Discovery

XORIndex Loader has the ability to collect the hostname, OS username, geolocation, and OS version of an infected host.[1]

Enterprise T1614 System Location Discovery

XORIndex Loader can identify the geographical location of a victim host.[1]

Enterprise T1016 System Network Configuration Discovery

XORIndex Loader has leveraged web services to identify the public IP of the victim host.[1]

Enterprise T1033 System Owner/User Discovery

XORIndex Loader has collected the username from the victim host.[1]

Groups That Use This Software

ID Name References
G1052 Contagious Interview [1]

References