A well-known information-stealing malware named XLoader has recently upgraded its obfuscation tactics and methods for hiding command-and-control (C2) traffic behind decoy servers. This advanced evolution makes the malware significantly harder for cybersecurity professionals and automated tools to detect and analyze. Originally a variant of a malware family first identified in 2016, XLoader was rebranded and released in early 2020, with its developers consistently issuing updates to maintain its effectiveness against modern defenses.
XLoader primarily targets web browsers, email clients, and FTP applications, aiming to steal sensitive credentials such as passwords and cookies from infected systems. Beyond data exfiltration, it possesses the capability to execute arbitrary commands and deploy further malware payloads onto compromised machines, granting attackers extensive control over affected hosts. The most recent observed version is 8.7, indicating continuous development with the introduction of new capabilities and evasion enhancements in each release. The malware commonly infiltrates systems via phishing emails and malicious file attachments, attack vectors that remain highly effective due to their exploitation of human behavior.
How XLoader Hides Its C2 Traffic Behind Decoy Servers
A key innovation in XLoader’s latest iterations is its sophisticated method of concealing its true C2 servers within a substantial array of decoy addresses. The malware embeds a total of 65 C2 IP addresses within its code, with each address being individually encrypted and decrypted only at runtime when it is intended for use. This runtime decryption makes static analysis of the malware extremely challenging for security researchers.
During a communication cycle, XLoader randomly selects 16 of these 65 IP addresses and sequentially sends HTTP requests to each. Both POST requests, which carry stolen credentials, and GET requests, used to retrieve commands, are sent indiscriminately across this entire pool of addresses. This indiscriminate approach makes it exceptionally difficult for malware sandboxes and automated detection tools to differentiate between authentic C2 servers and decoys without live network verification of each address.
To further safeguard its network traffic, XLoader employs multiple layers of encryption utilizing RC4 ciphers and applies SHA-1 hashing to the C2 URL. The encryption keys are dynamically generated from the C2 URL seed and are only revealed at specific points during the execution process. This mechanism ensures that merely intercepting the traffic is insufficient to expose the malware’s malicious activities.
Even though the traffic may travel over plaintext HTTP, the actual data transmitted is wrapped in several layers of encryption. Without the correct decryption keys, decoding this data is virtually impossible. Security teams are advised to monitor for unusual HTTP traffic patterns characterized by repeated requests to multiple IP addresses within a compressed timeframe. Particular attention should be paid to requests containing Base64-encoded parameters with randomly generated names.
Utilizing network emulation tools capable of establishing actual connections and verifying server responses remains the most reliable method for distinguishing legitimate C2 servers from decoys. Organizations should also ensure their endpoint detection tools are kept up to date to effectively identify XLoader activity, which is currently tracked under the indicator Win32.PWS.XLoader. The ongoing evolution of XLoader's evasion techniques suggests that continuous vigilance and the adoption of advanced security measures will be crucial in defending against this persistent threat.
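As an added illustration of the monitoring advice above (not code from the article or from any vendor), the following Python script scans a constructed proxy log for the traffic shape described: one source host sending a burst of HTTP requests straight to many distinct IP addresses within a short window, with Base64-looking values under random-looking parameter names. The log format, host names, IP ranges, parameter names, window size and the minimum-IP threshold are all assumptions chosen for the example.

```python
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")   # long, Base64-shaped value
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")        # request sent straight to an IPv4 literal

def looks_base64(value):
    # Heuristic: length, alphabet and padding must all be consistent with Base64.
    if len(value) % 4 or not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (ValueError, binascii.Error):
        return False

def has_b64_param(url):
    return any(looks_base64(v) for _, v in parse_qsl(urlsplit(url).query))

def find_fanout(log_text, window=timedelta(seconds=60), min_ips=8):
    # Flag sources that contact >= min_ips distinct IP-literal servers inside one window.
    per_src = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, _method, url = line.split(maxsplit=3)
        server = urlsplit(url).hostname or ""
        if IP_RE.match(server):
            per_src[src].append((datetime.fromisoformat(ts), server, has_b64_param(url)))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - t0 <= window]
            ips = {e[1] for e in burst}
            if len(ips) >= min_ips:
                alerts[src] = {"distinct_ips": len(ips), "b64_params": sum(e[2] for e in burst)}
                break
    return alerts

# Constructed proxy log ("<ISO time> <src> <method> <url>"): ws-17 sweeps 16 IPs with
# alternating GET (Base64 value under a random-looking name) and POST; ws-02 is benign.
NAMES = ["kq1x", "zr9p", "m3vt", "ha8d"]
SAMPLE_LOG = "\n".join(
    f"2024-05-01T10:00:{i:02d} ws-17 {'GET' if i % 2 else 'POST'} http://203.0.113.{i}/x7k2/"
    + (f"?{NAMES[i % 4]}=aGVsbG8gd29ybGQh" if i % 2 else "")
    for i in range(1, 17)
) + "\n2024-05-01T10:00:20 ws-02 GET http://198.51.100.5/index.html?page=2\n"
```

Tune `window` and `min_ips` to the baseline of your own environment; note that `parse_qsl` turns a literal `+` into a space, so Base64 values containing `+` are only recognised when they arrive percent-encoded.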