XLoader Malware Upgrades Obfuscation Tactics and Hides C2 Traffic Behind Decoy Servers

In Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.

A well-known information-stealing malware called XLoader has received significant upgrades in its latest versions, making it considerably harder to detect and analyze than before.

Originally derived from a malware family known as FormBook, which first surfaced in 2016, XLoader was rebranded and relaunched in early 2020, and since then, its developers have consistently pushed new updates to keep the malware active and effective against modern defenses.

XLoader targets web browsers, email clients, and FTP applications to steal passwords, cookies, and other sensitive credentials from infected systems.

Beyond stealing data, it can also execute arbitrary commands and deploy second-stage malware payloads onto compromised machines, giving attackers a wide range of control over any affected host.

The most recently observed version is 8.7, with active development continuing to introduce new capabilities and evasion enhancements with every release.

The malware primarily reaches victims through phishing emails and malicious file attachments — attack vectors that remain effective because they exploit human behavior rather than relying solely on technical weaknesses.

Once a system is infected, XLoader quietly runs in the background, harvesting credentials from browsers like Google Chrome and email clients like Microsoft Outlook, and then sends that stolen data back to its command-and-control (C2) servers in an encrypted and carefully disguised format.

Researchers at Zscaler identified the latest iterations of XLoader, noting that starting from version 8.1, the malware’s developers introduced considerably more advanced code obfuscation and network encryption techniques than what was seen in earlier versions.

Their analysis revealed that these updates are deliberate and systematic, designed to frustrate both automated analysis tools and manual reverse engineering efforts by security professionals.

The overall impact of these upgrades is far-reaching. XLoader’s combination of data theft, flexible command execution, and deeply layered obfuscation makes it a persistent threat to individuals and organizations of all sizes.

ThreatLabz concluded that XLoader is expected to keep posing a significant risk going forward, especially as its growing stealth capabilities allow it to remain largely undetected by conventional security systems.

One of the most significant aspects of XLoader’s updated behavior is how it hides its real command-and-control (C2) servers within a large pool of decoy addresses.

The malware embeds a total of 65 C2 IP addresses in its code, but each address is individually encrypted and only decrypted at runtime when it is about to be used, which makes static analysis of the binary extremely difficult for researchers.

When XLoader initiates a communication cycle, it randomly selects 16 of those 65 IP addresses and begins sending HTTP requests to each one in sequence.

Both request types, POST requests carrying stolen credentials and GET requests retrieving commands, are sent across this entire pool indiscriminately.

This approach makes it nearly impossible for malware sandboxes and automated detection tools to distinguish real C2 servers from decoys without live network verification of each address.

To further protect its traffic, XLoader applies multiple encryption layers using RC4 ciphers and SHA-1 hashing of the C2 URL.

Figure: XLoader’s obfuscated custom decryption routine since version 8.1 (Source: Zscaler)

The encryption keys are derived dynamically from the C2 URL seed and are only revealed at specific stages of execution, making interception alone insufficient to expose the malware’s activities.

Even though the traffic travels over plaintext HTTP, the actual data is layered with enough encryption that decoding it without the proper keys is practically impossible.

Security teams should monitor for unusual HTTP traffic patterns involving repeated requests sent to multiple IP addresses within a short period, particularly when those requests include Base64-encoded parameters with randomly generated names.
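The pattern the article describes, a single host fanning out HTTP requests to many distinct addresses in a short window with Base64-looking query values under random-looking parameter names, can be turned into a simple log-based detection. The following is an added example written for this page; it is not Zscaler's or the article's code, and the proxy log format (`timestamp src dst method url`), the sample lines (constructed, documentation and private address ranges only), the thresholds and the parameter-name heuristics are all assumptions to be tuned against your own traffic.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Constructed sample proxy log (assumed format: timestamp src_ip dst_ip method url).
# 10.0.0.5 models the fan-out pattern from the article; 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 203.0.113.10 GET /vb9e/?Zq3Lk=dGVzdC1hYmMtMDAx
2024-05-01T10:00:03Z 10.0.0.5 203.0.113.22 POST /vb9e/?Hs8Pw=c29tZS1kYXRhLTAw
2024-05-01T10:00:05Z 10.0.0.5 198.51.100.7 GET /vb9e/?Kd2Rt=bW9yZS1kYXRhLTAz
2024-05-01T10:00:08Z 10.0.0.5 198.51.100.41 POST /vb9e/?Wn5Yq=ZXZlbi1tb3JlLTA0
2024-05-01T10:00:10Z 10.0.0.5 192.0.2.15 GET /vb9e/?Lp4Zx=bGFzdC1jaHVuay0x
2024-05-01T10:00:12Z 10.0.0.5 192.0.2.88 GET /vb9e/?Qa7Mv=YW5vdGhlci1vbmU=
2024-05-01T10:00:15Z 10.0.0.5 203.0.113.77 POST /vb9e/?Tr6Bn=ZmluYWwtY2h1bms=
2024-05-01T10:00:18Z 10.0.0.5 198.51.100.99 GET /vb9e/?Cx1Fd=eWV0LWFub3RoZXI=
2024-05-01T10:00:02Z 10.0.0.9 203.0.113.50 GET /search?q=weather&page=2
2024-05-01T10:00:30Z 10.0.0.9 203.0.113.51 GET /news?id=12345&utm_source=mail
2024-05-01T10:05:00Z 10.0.0.9 203.0.113.50 GET /search?q=lunch
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+)$")
# Well-known parameter names that should never count as "randomly generated" (assumed allow-list).
COMMON_PARAMS = {"id", "q", "page", "utm_source", "utm_medium", "session", "token", "lang"}


def looks_base64(value: str) -> bool:
    """True when the value decodes cleanly as standard Base64 and is long enough to carry data."""
    if len(value) < 8 or len(value) % 4 != 0:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False


def looks_random_name(name: str) -> bool:
    """Short alphanumeric token that mixes letters with digits or cases and is not a known parameter."""
    if name.lower() in COMMON_PARAMS or not re.fullmatch(r"[A-Za-z0-9]{3,12}", name):
        return False
    has_digit = any(c.isdigit() for c in name)
    mixed_case = name != name.lower() and name != name.upper()
    return has_digit or mixed_case


def is_suspicious_request(url: str) -> bool:
    """A request is suspicious when every query parameter has a random-looking name and a Base64-looking value."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return bool(params) and all(looks_random_name(n) and looks_base64(v) for n, v in params)


def parse_log(log_text: str):
    """Yield (timestamp, src, dst, method, url) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, src, dst, method, url = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, method, url


def detect_c2_fanout(log_text: str, window_seconds: int = 60, min_distinct_ips: int = 6):
    """Alert on a source that sends suspicious requests to many distinct IPs inside one sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, _method, url in parse_log(log_text):
        if is_suspicious_request(url):
            by_src[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, hits in sorted(by_src.items()):
        hits.sort()
        best, left = None, 0
        for right in range(len(hits)):
            while hits[right][0] - hits[left][0] > window:  # slide the window forward
                left += 1
            span = hits[left:right + 1]
            distinct = {dst for _, dst in span}
            if len(distinct) >= min_distinct_ips and (best is None or len(distinct) > best["distinct_ips"]):
                best = {"src": src, "window_start": span[0][0].isoformat(),
                        "distinct_ips": len(distinct), "requests": len(span)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_c2_fanout(SAMPLE_LOG):
        print(alert)
```

Base64 values in query strings are common in legitimate applications, so the IP fan-out count is the part of the rule that carries the signal; the parameter heuristics only narrow the candidate requests. Proxies that record POST bodies separately from the URL will need the body fields fed into the same check, and the window size and distinct-IP threshold should be set from a baseline of your own hosts before the rule is used for alerting.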

Using network emulation tools that can establish actual connections and verify server responses remains the most dependable method to separate real C2 servers from decoys.

Organizations should also keep endpoint detection tools updated to catch XLoader activity, which is currently tracked under the indicator Win32.PWS.XLoader.
