XLoader Windows and macOS Malware

XLoader: FormBook Successor Turned Cross-Platform Infostealer for Windows and macOS

XLoader is a commercial infostealer and keylogger derived from the FormBook malware family, designed to extract credentials, log keystrokes, take screenshots, and exfiltrate data. First spotted in 2020, it quickly gained traction as a malware-as-a-service (MaaS) tool and later expanded its functionality to target macOS in addition to Windows. Its combination of low cost, wide availability, and active development has made it a popular choice for threat actors seeking quick access to stolen data.

Introduction to XLoader

Originally based on FormBook’s codebase, XLoader rebranded with a more extensive feature set and a web-based control panel, making it easier for less skilled attackers to deploy. It spreads through malicious email attachments, cracked software, and fake installers, often posing as benign applications. Once installed, XLoader operates quietly in the background, siphoning off data and transmitting it to attacker-controlled servers.

---

1. How XLoader Works

Infection Mechanism:
XLoader typically spreads through:

• Phishing emails with malicious Word or Excel documents containing macros
• Fake software installers or keygens from unofficial sites
• Drive-by downloads from compromised websites
• May be bundled with other malware loaders

Payload Execution:
After execution, XLoader:

• Captures keystrokes and clipboard content
• Takes screenshots at regular intervals
• Extracts saved credentials from browsers and mail clients
• Sends collected data to a remote command-and-control (C2) server
• In macOS versions, runs disguised as a legitimate app with system-level access if granted

---

2. History and Notable Campaigns

Origin and Discovery:
XLoader emerged in 2020, marketed as the successor to FormBook, which had been discontinued. In 2021, security researchers discovered a macOS version being sold for as little as $49/month, highlighting its accessibility.

Notable Campaigns:

• Deployed in phishing campaigns targeting corporate and personal email users
• Used in targeted attacks on macOS systems, which are less commonly defended than Windows endpoints
• Regularly updated with new evasion techniques and payload options

---

3. Targets and Impact

Targeted Victims and Sectors:

• Individual users, SMBs, and enterprise employees
• Targets on both Windows and macOS platforms
• Victims worldwide, often selected through broad phishing campaigns

Consequences:

• Credential theft, especially from browsers, email clients, and FTP tools
• Keylogging and surveillance, potentially leading to business espionage
• Exfiltration of files, screenshots, and clipboard data
• Use of stolen data for identity theft, account compromise, or resale

---

4. Technical Details

Payload Capabilities:

• Steals:
  • Passwords from browsers (Chrome, Firefox, Edge)
  • Email and FTP credentials
  • Clipboard contents and keystrokes
• Takes periodic screenshots
• Mac version runs as Java-based application, requiring user to allow execution
• Communicates with C2 via HTTP or encrypted channels

Evasion Techniques:

• Packed and obfuscated to avoid antivirus detection
• May delay execution or detect sandbox environments
• Deletes itself after execution in some builds to hinder forensic analysis
• On macOS, uses Launch Agents and deceptive file names for persistence

---

5. Preventing XLoader Infections

Best Practices:

• Avoid opening attachments from unknown or suspicious emails
• Do not download software from unofficial sources or use cracked programs
• Keep OS and security tools updated — especially macOS which is often neglected
• Disable macros by default in Office apps
• Use password managers instead of browser autofill

Recommended Security Tools:

• Antivirus and EDR solutions with keylogger and info-stealer detection
• Email filtering tools that block macro-laced documents
• DNS filtering to block known C2 domains
• macOS-specific security tools that detect unsigned or obfuscated apps

---

6. Detecting and Removing XLoader

Indicators of Compromise (IoCs):

• Suspicious processes with random or misleading names
• Unknown apps in macOS LaunchAgents or Windows startup entries
• Outbound network traffic to known XLoader C2 domains
• Unexpected behavior like clipboard clearing, lag, or screenshot activity

Removal Steps:

1. Run a full system scan with an updated antivirus or malware removal tool
2. On macOS, inspect and remove unknown LaunchAgents or apps in ~/Library
3. Clear browser-stored passwords and reset credentials
4. Reboot and re-scan to confirm successful removal
5. Consider full OS reinstall on heavily compromised systems

Professional Help:
If system-level compromise occurred or credentials were stolen, consult a forensics or incident response team for remediation and impact assessment.

---

7. Response to a XLoader Infection

Immediate Steps:

• Disconnect from the network
• Change all stored credentials from a clean system
• Remove the malware and related persistence mechanisms
• Notify affected services or business teams if credentials were work-related
• Monitor for signs of account takeover or unauthorized access

---

8. Legal and Ethical Implications

Legal Considerations:
Stolen credentials may lead to data breaches requiring disclosure under data privacy laws like GDPR or CCPA. Victims may be liable for any fraud committed using their stolen credentials.

Ethical Considerations:
XLoader commodifies surveillance and theft, enabling virtually anyone to harvest sensitive data. Its availability and low cost highlight how malware-as-a-service continues to lower the barrier to cybercrime.

---

9. Resources and References

• Check Point: XLoader Botnet: Find Me If You Can
• SentinelOne:
  • Comparison of XLoader and FormBook
  • Detecting XLoader | A macOS ‘Malware-as-a-Service’ Info Stealer and Keylogger
• Zscaler Blog:
  • Technical Analysis of Xloader Versions 6 and 7 | Part 1
  • Technical Analysis of Xloader Versions 6 and 7 | Part 2
• Acronis: Trojan-as-a-service: From Formbook to XLoader
• Cyble: Xloader Returns with New Infection Technique
• MITRE ATT&CK Techniques:
  • T1056.001 (Input Capture: Keylogging)
  • T1555.003 (Credentials from Web Browsers)
  • T1566.001 (Phishing: Spearphishing Attachment)
  • T1113 (Screen Capture)
  • S1207 (Malware: Xloader)

---

10. FAQs about XLoader

Q: What is XLoader malware?
A cross-platform infostealer that evolved from FormBook, designed to steal credentials, capture keystrokes, and exfiltrate data from Windows and macOS systems.

Q: How does it spread?
Primarily through phishing emails and malicious attachments, as well as fake installers.

Q: Is XLoader still active?
Yes — it continues to be sold and updated on underground forums, with Windows and macOS versions in circulation.

Q: Can XLoader be removed?
Yes, but all compromised credentials should be reset immediately after cleaning the system.

---

11. Conclusion

XLoader represents the evolution of consumer-grade info-stealers into cross-platform threats. Its roots in FormBook and its reach across macOS and Windows make it particularly dangerous for users who think their platform is immune. The best protection is prevention: avoid suspicious downloads, use secure authentication, and deploy endpoint protection capable of catching stealthy data theft.

 

 

« Back to the Virus Information Library

« Back to the Security Center