Next-Gen Threat: Xillen Stealer v4 Targets 100+ Browsers/70+ Wallets with Polymorphic Evasion and DevOps Theft

Darktrace analysts are sounding the alarm over a rapidly evolving cross-platform information-stealing malware family known as Xillen Stealer, whose newly released v4 and v5 versions significantly expand targeting capabilities, introduce advanced evasion mechanisms, and adopt multiple modern C2 and exfiltration techniques.

Xillen Stealer is marketed openly on Telegram, with licenses offered through a professional dashboard for buyers. The criminal panel operators browse logs, infected hosts, and subscription tiers.

Darktrace notes that Xillen v4/v5 steals from an unusually broad ecosystem:

• 100+ browsers (Chrome, Chromium, Brave, Ghost, Floorp, Waterfox, Tor, Arc, Sidekick, Pale Moon, K-Meleon, etc.)
• 70+ cryptocurrency wallets, including Ledger, MetaMask, Exodus, AtomicDEX, Rabby, Phantom, Trezor, Wasabi, and MyEtherWallet
• Password managers, including LastPass, BitWarden, Dashlane, KeePass, NordPass
• Developer environments (VS Code, JetBrains, Sublime, Eclipse)
• Cloud credentials for AWS, GCP, Azure, DigitalOcean, Heroku
• Containers & DevOps systems: Docker, Kubernetes configs/secrets
• SSO tokens (Azure AD, Kerberos, Google Cloud)
• TOTP 2FA tokens
• VPN configurations (WireGuard, NordVPN, ExpressVPN, Cisco AnyConnect, Pulse Secure)

As Darktrace summarizes, “The main functionality of Xillen Stealer is to steal cryptocurrency, credentials, system information, and account information from a range of stores.”

One of the most attention-grabbing updates is the so-called AI Target Detection module. Darktrace writes, “While the class is named ‘AITargetDetection’… there is no actual implementation of machine learning. Instead, the system relies entirely on rule-based pattern matching.”

Nevertheless, the intent is clear. The rules prioritize:

• High-value countries (US, UK, Germany, Japan)
• Crypto-friendly jurisdictions
• Wealth-related keywords like CEO, trader, investor, VIP

Darktrace warns that “Even though AI is not actually implemented… it shows how malware developers could use AI in future malicious campaigns.”

Modern security products increasingly rely on AI/ML, so Xillen Stealer introduces a module specifically to fool them.

According to the report, “‘AIEvasionEngine’ is designed to help malware evade AI-based or behavior-based detection systems… mimicking legitimate user behavior, injecting statistical noise, randomizing timing, and camouflaging resource usage.”

The source code shows the entropy-variance code that simulates random workloads.

Techniques include:

• Fake mouse movements and browsing
• Random file & network activity
• Irregular sleep patterns
• CPU/RAM usage shaped to look like Notepad or Chrome
• API & memory access obfuscation

Xillen Stealer v4/v5 packages a Rust-based polymorphic engine. “The ‘PolymorphicEngine’… recognized instruction patterns with randomized alternatives, then applies control flow obfuscation and inserts non-functional code to increase variability. Additional features include string encryption via XOR and a stub-based packer.”

This makes each build unique, complicating static signatures and antivirus detection.

The malware includes a function that extracts Kubernetes cluster secrets. Darktrace explains: “The ‘DevToolsCollector’ is designed to collect sensitive data related to a wide range of developer tools and environments… IDE configs, cloud credentials, Docker/Kubernetes configs, Git credentials, database connections, API keys, FTP configs.”

This positions Xillen Stealer as a threat not just to personal users, but also:

• DevOps
• SRE teams
• Software companies
• Cloud administrators

Xillen implements multiple steganographic methods:

• LSB image encoding
• NTFS Alternate Data Streams
• Registry-based hiding
• Slack space
• Image + archive polyglots
• EXIF metadata embedding
• Whitespace encoding

Darktrace notes,  “The ‘SteganographyModule’ hides the stolen data by embedding it within images or unallocated disk space to stage it for exfiltration.”

Darktrace highlights the CloudProxy module: “The CloudProxy class is designed for exfiltrating data by routing it through cloud service domains… allowing the traffic to blend in.”

The malware attaches timestamps and SHA-256 signatures, then POSTs data through cloud-themed URLs—intended to be replaced by attacker cloud accounts.

Xillen’s C2 system is highly resilient. Darktrace explains, “The ‘P2PEngine’ provides multiple methods of C2, including embedding instructions within blockchain transactions… exfiltrating data via Tor and I2P… and storing payloads on IPFS. It also supports domain generation algorithms to create dynamic .onion addresses.”

Xillen Stealer appears to be developed by a self-described 15-year-old ‘pentest specialist.’ The group distributing it, ‘Xillen Killers’, claims to have 3,000 members.”

The same group claims involvement in:

• Analyzing Project DDoSia
• Compromising doxbin.net
• Finding vulnerabilities on Russian and Ukrainian websites

With extensive credential theft, steganography, polymorphism, DevOps targeting, and blockchain-backed C2, Xillen Stealer v4/v5 represents one of the most ambitious and wide-scope information-stealing platforms seen in 2025.

Related Posts:

• Darktrace Exposes “Fake Startup” Malware Campaign: Lures Crypto Users with AI/Web3 Apps to Steal Wallets
• DragonForce Ransomware Strikes Manufacturing Sector with Brute-Force, Exfiltrating Data Over SSH to Russian Host
• Venom Spider Evolves: Arctic Wolf Exposes More_eggs Campaign Targeting HR
• SocGholish Reloaded: Darktrace Uncovers Ransomware-Primed Loader Campaign