S1207 XLoader
XLoader is an infostealer malware in use since at least 2016. Previously known and sometimes still referred to as Formbook, XLoader is a Malware as a Service (MaaS) known for stealing data from web browsers, email clients and File Transfer Protocol (FTP) applications.[5][3][2][1][4]
| Item | Value |
|---|---|
| ID | S1207 |
| Associated Names | Formbook |
| Type | MALWARE |
| Version | 1.0 |
| Created | 11 March 2025 |
| Last Modified | 11 March 2025 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Formbook | [5][3][2][4] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | XLoader can utilize hardcoded command and control domain configurations created by the XLoader authors. These are designed to mimic domain registrars and hosting service providers such as Hostinger and Namecheap.[2] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | XLoader uses HTTP and HTTPS for command and control communication.[4] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | XLoader establishes persistence by copying its executable into a subdirectory of %APPDATA% or %PROGRAMFILES%, and then modifies Windows Registry Run keys or Policies keys to execute that copy at system start.[5][4] |
| enterprise | T1185 | Browser Session Hijacking | XLoader can conduct form grabbing, steal cookies, and extract data from HTTP sessions.[4] |
| enterprise | T1115 | Clipboard Data | XLoader can collect data stored in the victim's clipboard.[4][6] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.010 | AutoHotKey & AutoIT | XLoader can use an AutoIT script to decrypt a payload file, load it into memory, and then execute it on the victim machine.[4] |
| enterprise | T1555 | Credentials from Password Stores | XLoader can collect credentials stored in email clients.[4][6] |
| enterprise | T1555.003 | Credentials from Web Browsers | XLoader can gather credentials from several web browsers.[5][4][6] |
| enterprise | T1622 | Debugger Evasion | XLoader uses anti-debugging mechanisms such as calling NtQueryInformationProcess with InfoClass=7 (ProcessDebugPort) to determine whether it is being analyzed.[4] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | XLoader uses XOR and RC4 algorithms to decrypt payloads and functions.[5] XLoader can be distributed as a self-extracting RAR archive that launches an AutoIT loader.[4] |
| enterprise | T1203 | Exploitation for Client Execution | XLoader has exploited Office vulnerabilities during local execution, such as CVE-2017-11882 and CVE-2018-0798.[6] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | XLoader loads a fresh copy of NTDLL to evade hooks that security monitoring tools place on that library.[5] XLoader can add the path of its executable to the Microsoft Defender exclusion list.[6] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | XLoader can delete malicious executables from compromised machines.[1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | XLoader can capture keystrokes from the victim machine.[4] |
| enterprise | T1106 | Native API | XLoader uses the native Windows API for functionality, including defense evasion.[5] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | XLoader uses various packers, including CyaX, to obfuscate malicious executables.[6] |
| enterprise | T1027.013 | Encrypted/Encoded File | XLoader features encrypted functions using the RC4 algorithm and bytecode operations.[5][3] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | XLoader has been delivered as a phishing attachment, including PDFs with embedded links, Word and Excel files, and various archive files (ZIP, RAR, ACE, and ISO) containing EXE payloads.[4][1] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.004 | Asynchronous Procedure Call | XLoader injects code via the APC queue using the NtQueueApcThread API.[5] |
| enterprise | T1055.012 | Process Hollowing | XLoader uses process hollowing by injecting itself into the explorer.exe process and other binaries within the Windows SysWOW64 directory.[5][4][3] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | XLoader can create scheduled tasks for persistence.[6] |
| enterprise | T1113 | Screen Capture | XLoader can capture screenshots on compromised hosts.[4][6] |
| enterprise | T1539 | Steal Web Session Cookie | XLoader can capture web session cookies and session information from victim browsers.[4] |
| enterprise | T1082 | System Information Discovery | XLoader can collect system information and supported language information from the victim machine.[1] |
| enterprise | T1033 | System Owner/User Discovery | XLoader can identify the username on a victim machine.[1] |
| enterprise | T1529 | System Shutdown/Reboot | XLoader can initiate a system reboot or shutdown.[4] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | XLoader can utilize decoy command and control domains within the malware configuration to circumvent sandbox analysis.[3][2] |
| enterprise | T1497.001 | System Checks | XLoader performs timing checks using the Read Time-Stamp Counter (RDTSC) instruction on the victim CPU.[4] |
References
- [1] Acronis. (2021, November 26). Trojan-as-a-service: From Formbook to XLoader. Retrieved March 11, 2025.
- [2] Alexey Bukhteyev & Raman Ladutska, Check Point Research. (2022, May 31). XLoader Botnet: Find Me If You Can. Retrieved March 11, 2025.
- [3] ANY.RUN. (2023, February 28). XLoader/FormBook: Encryption Analysis and Malware Decryption. Retrieved March 11, 2025.
- [4] Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025.
- [5] Zscaler ThreatLabz. (2025, January 27). Technical Analysis of Xloader Versions 6 and 7 | Part 1. Retrieved March 11, 2025.
- [6] Gustavo Palazolo, Netskope. (2022, March 11). New Formbook Campaign Delivered Through Phishing Emails. Retrieved March 11, 2025.