A separate, unrelated malware family, also called "XLoader", targets Android devices. This mobile malware (also known as Wroba) is typically distributed through SMiShing (SMS phishing) attacks and has recently been observed posing as a security application.
XLoader relies heavily on human error and social engineering to breach defense perimeters. The most common distribution methods include malicious spam (malspam).
The malware's low cost as a MaaS and its effectiveness make it a popular tool in the arsenals of various cybercriminal gangs. It is frequently used as a first-stage payload in larger, more devastating attack chains. By stealing credentials and establishing persistence, XLoader opens the door for:
XLoader evades antivirus software by injecting its code into legitimate running processes and executing in their context. This "process hollowing" technique effectively hides the malware's presence from basic process monitoring.
In 2023, a new macOS variant was discovered masquerading as a signed application. The malicious payload was distributed within a DMG file named OfficeNote.dmg, complete with a valid Apple developer signature. Once executed, the app displayed a fake error message while silently installing a LaunchAgent in the background to maintain persistence.
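The LaunchAgent persistence described above leaves a property list on disk, which is something a defender can audit. The following is an added example (not code from the original article or from any analysis it cites): a small Python heuristic that parses a LaunchAgent plist and flags the combination of an auto-starting agent that executes from a user-writable or unusual path. The trusted-path prefixes, the constructed sample plists and the sample label are assumptions made for the illustration, not indicators taken from the page.

```python
import plistlib
from pathlib import Path

# Assumption: a minimal allowlist of locations where legitimately installed
# binaries usually live. Real deployments would extend or replace this list.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return reasons a LaunchAgent plist looks suspicious (empty if none).

    Heuristic only: an agent is reported when its executable lives outside the
    trusted prefixes or when its label imitates Apple's namespace while running
    a non-system binary. RunAtLoad/KeepAlive are then added as aggravating
    context, since they are what turns a plist into login-time persistence.
    """
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:  # malformed XML or binary plist, or not a plist at all
        return ["unparseable plist"]

    args = plist.get("ProgramArguments") or []
    exe = plist.get("Program") or (args[0] if args else None)
    if exe is None:
        return ["no Program or ProgramArguments key"]

    untrusted_path = not exe.startswith(TRUSTED_PREFIXES)
    label = plist.get("Label", "")
    spoofed_label = label.startswith("com.apple.") and not exe.startswith("/System/")
    if not (untrusted_path or spoofed_label):
        return []

    findings = []
    if untrusted_path:
        findings.append(f"executes from untrusted path: {exe}")
    if spoofed_label:
        findings.append(f"Apple-looking label '{label}' runs non-system binary")
    if plist.get("RunAtLoad"):
        findings.append("RunAtLoad set (starts at every login)")
    if plist.get("KeepAlive"):
        findings.append("KeepAlive set (respawns if killed)")
    return findings


def audit_directory(directory: Path) -> dict[str, list[str]]:
    """Audit every *.plist in a LaunchAgents directory; returns {filename: findings}."""
    results = {}
    for path in sorted(directory.glob("*.plist")):
        findings = audit_launch_agent(path.read_bytes())
        if findings:
            results[path.name] = findings
    return results


# Constructed sample plists for offline testing (not real indicators).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.updatehelper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/demo/Library/Caches/.hidden/helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/Example</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, data in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, audit_launch_agent(data) or "no findings")
    # Live use on the current user's agents (assumption: standard location):
    print(audit_directory(Path.home() / "Library" / "LaunchAgents"))
```

Pointing `audit_directory` at `~/Library/LaunchAgents` and `/Library/LaunchAgents` covers the per-user and system-wide locations. The heuristic is deliberately conservative: a trusted-path agent with RunAtLoad is normal and reports nothing, so review effort goes to the unusual-path cases, which is the pattern the fake-error-message dropper relies on.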
In the security world, XLoader (formerly known as Formbook) is a notorious info-stealer that targets both Windows and macOS to steal credentials and personal data. A deep technical analysis is available on the Any.Run Malware Blog.
The following IoCs can indicate the presence of XLoader on a system:
Refrain from downloading cracked software or unverified applications from third-party websites.
Prevent browsers from automatically opening downloaded files.