The evolving malware landscape has seen significant advancements in obfuscation techniques, with threat actors continuously refining their tools to evade detection. One such example is Xloader, a malware family that originated as a rebranding of Formbook in early 2020. Xloader operates under a Malware-as-a-Service (MaaS) model, providing cybercriminals with access to its command-and-control (C2) infrastructure.
Zscaler ThreatLabz recently released an in-depth two-part analysis of the latest iterations of Xloader, Versions 6 and 7. This analysis sheds light on the sophisticated obfuscation and encryption methods that these versions employ to evade detection and hinder analysis efforts. According to Zscaler, “Xloader’s code includes increasingly complex layers of encryption and obfuscation to complicate analysis.”
Xloader is known for its ability to steal sensitive information from web browsers, email clients, and FTP applications, as well as deploy second-stage payloads on infected systems. Versions 6 and 7 introduce new capabilities that enhance its ability to remain undetected:

- Advanced Encryption Layers: The updated versions utilize multiple encryption layers, particularly focusing on functions identified as NOPUSHEBP. As the Zscaler report highlights, “Xloader Versions 6 and 7 include additional obfuscation and encryption layers meant to protect critical code and information to defeat signature-based detection and complicate reverse engineering efforts”.
- Dynamic Key Construction: Unlike earlier versions, which used static data blocks, Xloader now constructs keys dynamically. This technique significantly complicates static analysis since decryption keys are only generated at runtime, reducing the effectiveness of traditional signature-based detection methods.
- Code Injection and Process Hollowing: A major component of Xloader’s persistence strategy involves injecting code into legitimate system processes. “Xloader first creates a new instance of its own executable through process hollowing,” explains the Zscaler team. “Xloader injects the next stage into the explorer.exe process to establish network communication”. This approach allows Xloader to operate stealthily within the system, avoiding immediate detection by security software.
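The two behaviours the list attributes to Xloader, a process relaunching its own executable before hollowing it, and a thread created in explorer.exe, are both visible in endpoint telemetry. The following detection sketch is an added example, not code from the article or from Zscaler; it runs over constructed events whose field names are modelled on Sysmon ProcessCreate (Event ID 1) and CreateRemoteThread (Event ID 8), and its allowlists are assumptions that would be tuned per environment.

```python
"""
Detection sketch added to this page (not the article's or Zscaler's logic):
flags a process that relaunches its own image and a remote thread created in
explorer.exe, and raises the severity when the same process does both.
Events are constructed (Sysmon-style field names, not real telemetry).
"""

# Processes that legitimately spawn their own image (assumption: tune per environment).
SELF_SPAWN_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Source images tolerated for thread creation in explorer.exe (assumption).
EXPLORER_THREAD_ALLOWLIST = {"csrss.exe", "svchost.exe"}

CONSTRUCTED_EVENTS = [
    # A temp-directory executable launching a copy of itself: hollowing precursor.
    {"EventId": 1, "ProcessId": 4412, "Image": r"C:\Users\u\AppData\Local\Temp\invoice.exe",
     "ParentProcessId": 4380, "ParentImage": r"C:\Users\u\AppData\Local\Temp\invoice.exe"},
    # Browser self-spawn: normal behaviour.
    {"EventId": 1, "ProcessId": 5200, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentProcessId": 5100, "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    # Ordinary launch from the shell: normal behaviour.
    {"EventId": 1, "ProcessId": 6000, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 1234, "ParentImage": r"C:\Windows\explorer.exe"},
    # The self-spawned process creates a thread in explorer.exe.
    {"EventId": 8, "SourceProcessId": 4412, "SourceImage": r"C:\Users\u\AppData\Local\Temp\invoice.exe",
     "TargetProcessId": 1234, "TargetImage": r"C:\Windows\explorer.exe"},
    # A system process doing the same is tolerated by the allowlist.
    {"EventId": 8, "SourceProcessId": 900, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessId": 1234, "TargetImage": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: list) -> list:
    """Return findings in event order; thread events are correlated with earlier self-spawns."""
    findings = []
    self_spawned = set()  # pids that launched a copy of their own image
    for ev in events:
        if ev["EventId"] == 1:
            image = basename(ev["Image"])
            if image == basename(ev["ParentImage"]) and image not in SELF_SPAWN_ALLOWLIST:
                self_spawned.add(ev["ProcessId"])
                findings.append({"rule": "self_spawn", "severity": "medium",
                                 "pid": ev["ProcessId"], "image": ev["Image"]})
        elif ev["EventId"] == 8:
            if (basename(ev["TargetImage"]) == "explorer.exe"
                    and basename(ev["SourceImage"]) not in EXPLORER_THREAD_ALLOWLIST):
                correlated = ev["SourceProcessId"] in self_spawned
                findings.append({"rule": "remote_thread_into_explorer",
                                 "severity": "high" if correlated else "medium",
                                 "pid": ev["SourceProcessId"], "image": ev["SourceImage"],
                                 "correlated_with_self_spawn": correlated})
    return findings


if __name__ == "__main__":
    for finding in detect(CONSTRUCTED_EVENTS):
        print(finding)
```

Either rule on its own produces noise (browsers self-spawn, system processes touch explorer.exe), which is why the sketch keeps a per-process state and only escalates to high severity when the self-spawned process is the one creating the thread.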
The report from Zscaler draws a clear line between the current and previous iterations of Xloader. While Xloader Versions 4 and earlier relied heavily on static encrypted data blocks, Versions 6 and 7 have shifted to a more dynamic approach, removing hardcoded values and employing runtime encryption for critical operations.
The changes are notable in the encryption algorithms used as well. Earlier versions of Xloader made use of simpler custom encryption, but the latest releases have integrated complex RC4 algorithms with additional layers of byte subtraction encryption. This evolution in Xloader’s encryption mechanisms showcases its author’s intent to “stay one step ahead” of security solutions.
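To make the idea of "RC4 with an additional byte-subtraction layer" concrete for an analyst, here is an added example (not code from the article, Zscaler or Xloader) that wraps a fake stage in the two layers and then peels them off again. The key, the subtraction constant, the order of the layers and the sample blob are all constructed for this illustration; none of them is a value recovered from Xloader.

```python
"""
Layer-peeling helper, added as an illustration (not the article's, Zscaler's or
Xloader's code): one RC4 layer wrapped around one byte-subtraction layer.
All parameters below are constructed, not recovered from any sample.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream). Symmetric: one call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def subtract_layer(data: bytes, k: int) -> bytes:
    """Byte-subtraction layer: subtract k from every byte modulo 256."""
    return bytes((b - k) & 0xFF for b in data)


def add_layer(data: bytes, k: int) -> bytes:
    """Inverse of subtract_layer."""
    return bytes((b + k) & 0xFF for b in data)


def wrap(plaintext: bytes, key: bytes, k: int) -> bytes:
    """Constructed layering order: subtraction on the inside, RC4 on the outside."""
    return rc4(key, subtract_layer(plaintext, k))


def unwrap(blob: bytes, key: bytes, k: int) -> bytes:
    """Peel the layers in reverse order: RC4 first, then undo the subtraction."""
    return add_layer(rc4(key, blob), k)


def looks_like_pe(data: bytes) -> bool:
    """Analyst sanity check: a decoded executable stage should start with the MZ header."""
    return data[:2] == b"MZ"


# Constructed sample: a fake stage (MZ header + marker) protected with constructed parameters.
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_K = 0x3A
SAMPLE_STAGE = b"MZ\x90\x00" + b"constructed stage body"
SAMPLE_BLOB = wrap(SAMPLE_STAGE, SAMPLE_KEY, SAMPLE_K)


def peel_and_check(blob: bytes, key: bytes, k: int) -> dict:
    """Report the PE check after each step to show why removing only the RC4 layer is not enough."""
    after_rc4 = rc4(key, blob)
    after_both = add_layer(after_rc4, k)
    return {
        "rc4_only_is_pe": looks_like_pe(after_rc4),
        "both_layers_is_pe": looks_like_pe(after_both),
        "plaintext": after_both,
    }


if __name__ == "__main__":
    print(peel_and_check(SAMPLE_BLOB, SAMPLE_KEY, SAMPLE_K))
```

The point of the intermediate check is practical: after only the RC4 layer the buffer still carries no recognisable header, so an analyst who stops there would conclude the key was wrong, when in fact a second, trivial transformation is still in place. In the real malware the key is also built at runtime rather than stored, so the equivalent of `SAMPLE_KEY` would have to be recovered from a debugger or emulator rather than from the binary's data.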
To further evade detection, Xloader has adopted techniques similar to those seen in other sophisticated malware families such as SmokeLoader. The malware loads its own copy of NTDLL and calls functions from that copy rather than relying on the system library already loaded in the process, which prevents security tools from easily tracing its behavior. The report also notes that “Xloader now encrypts its own code before calling critical APIs, like ZwSetThreadContext,” shielding its operations from analysis platforms that monitor system calls.