Overview of the XLoader-to-Phantom Stealer delivery chain | Image: Manoj Kshirsagar
ThreatLabz has released a deep-dive analysis into the latest iterations of Xloader, a notorious information-stealing malware that continues to haunt web browsers, email clients, and FTP applications.
First introduced in 2016 as Formbook, the malware underwent a major rebranding to Xloader in early 2020. Since then, its author has been on a relentless quest to stay ahead of security researchers, with the most recent observed version, 8.7, showcasing a high degree of technical maturity.
The most significant changes began with version 8.1, where the developer introduced advanced code obfuscation designed to defeat automated sandbox analysis and frustrate manual reverse engineering. These enhancements make it increasingly difficult for defenders to understand the malware's internals without significant effort.

As the ThreatLabz researchers explain:
“The author of Xloader continues to update the codebase… applying several changes to the code obfuscation to make automation and analysis more difficult”.
While Xloader is primarily known for harvesting credentials, it is far from a one-trick pony. The malware supports a robust set of network commands that allow an attacker to use an infected host as a staging ground for even more destructive payloads.
The command-and-control (C2) infrastructure can instruct Xloader to:
- Execute Arbitrary Files: This includes PowerShell scripts, Windows executables (EXE), and DLL files.
- System Control: Remote operators can reboot or shut down the compromised host at will.
- Self-Destruction: If an attacker fears detection, they can issue a command for Xloader to “remove itself from the compromised host”.
To ensure its survival, Xloader protects its communication lines with multiple layers of encryption. Perhaps most clever is its use of decoys: fake C2 addresses that mask the actual malicious server, leading researchers down a rabbit hole of dead ends while the real data exfiltration happens in the shadows.
Even once researchers have worked out the communication protocol, hurdles remain. Xloader encrypts its network packets with RC4, and in some code paths it skips validation checks so that a session is kept alive even over an unreliable connection.
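As an added example (not code from the ThreatLabz report and not Xloader's own protocol), the following Python sketch shows the kind of tooling an analyst builds once RC4 is identified as the packet cipher: a plain RC4 implementation plus a trial decryption that picks, from a set of candidate keys, the one that yields a plausible beacon. The beacon field layout (`id=<hex>&v=<ver>&h=<host>`), the candidate keys and the captured packet are all constructed for this example; Xloader's real framing and key material are not reproduced here.

```python
"""Added example: RC4 keystream generation and trial decryption of a
captured C2 packet. Illustrative code written for this article, not
Xloader's own protocol; the packet bytes, keys and beacon layout below
are constructed."""

from typing import Iterable, Iterator, Optional


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield the RC4 keystream for `key`: key-scheduling (KSA) then PRGA."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a symmetric XOR stream cipher: one function encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def looks_like_beacon(plaintext: bytes) -> bool:
    """Plausibility check used during key trial.
    Assumed beacon layout for this example: 'id=<hex>&v=<ver>&h=<host>',
    i.e. an ASCII prefix and printable bytes throughout."""
    return plaintext.startswith(b"id=") and all(32 <= c < 127 for c in plaintext)


def trial_decrypt(packet: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate key whose decryption passes the
    plausibility check, or None if no candidate fits."""
    for key in candidates:
        if looks_like_beacon(rc4_crypt(key, packet)):
            return key
    return None


# Constructed sample: a beacon encrypted under one of several candidate keys.
# In practice the packet comes from a pcap and the candidates from strings
# or constants recovered while reversing the sample.
REAL_KEY = b"k3y-recovered-from-sample"
DECOY_KEYS = [b"decoy-one", b"decoy-two"]
BEACON = b"id=4f3a9c&v=8.7&h=WORKSTATION-01"
CAPTURED_PACKET = rc4_crypt(REAL_KEY, BEACON)


def recover_beacon() -> bytes:
    """Trial-decrypt the captured packet against every candidate key."""
    key = trial_decrypt(CAPTURED_PACKET, DECOY_KEYS + [REAL_KEY])
    if key is None:
        raise RuntimeError("no candidate key produced a plausible beacon")
    return rc4_crypt(key, CAPTURED_PACKET)


if __name__ == "__main__":
    print(recover_beacon().decode())
```

Because RC4 is a bare stream cipher with no built-in integrity check, the plausibility test on the decrypted bytes is the only sanity check the decryptor itself can offer; any tamper detection or session validation has to come from the protocol layered on top of it, which is why the checks the malware chooses to skip matter as much as the cipher it chooses to use.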
The evolution from Formbook to Xloader 8.7 serves as a stark reminder of the “cat-and-mouse” game between cybercriminals and security professionals. With its ability to steal browser cookies, invoke credential-stealing modules, and download further malware, Xloader remains one of the most versatile threats in the wild today.
ThreatLabz concludes that understanding these latest obfuscation methods and network protocols is critical for modern defense. Security teams are encouraged to review the malware’s internals deeply to build more resilient detection patterns against this ever-changing adversary.