{"id":11769,"date":"2026-04-01T10:06:20","date_gmt":"2026-04-01T10:06:20","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/01\/xloader-malware-upgrades-obfuscation-tactics-and-hides-c2-traffic-behind-decoy-servers\/"},"modified":"2026-04-01T10:06:20","modified_gmt":"2026-04-01T10:06:20","slug":"xloader-malware-upgrades-obfuscation-tactics-and-hides-c2-traffic-behind-decoy-servers","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/01\/xloader-malware-upgrades-obfuscation-tactics-and-hides-c2-traffic-behind-decoy-servers\/","title":{"rendered":"XLoader Malware Upgrades Obfuscation Tactics and Hides C2 Traffic Behind Decoy Servers"},"content":{"rendered":"<div>\n<p>A well-known information-stealing malware called XLoader has received significant upgrades in its latest versions, making it considerably harder to detect and analyze than before.<\/p>\n<p>Originally derived from a malware family known as FormBook, which first surfaced in 2016, XLoader was rebranded and relaunched in early 2020, and since then its developers have consistently pushed new updates to keep the malware active and effective against modern defenses.<\/p>\n<p>XLoader targets web browsers, email clients, and FTP applications to steal passwords, cookies, and other sensitive credentials from infected systems.<\/p>\n<p>Beyond stealing data, it can also execute arbitrary commands and deploy second-stage malware payloads onto compromised machines, giving attackers a wide range of control over any affected host.<\/p>\n<p>The most recently observed version is 8.7, with active development continuing to introduce new capabilities and evasion enhancements with every release.<\/p>\n<p>The malware primarily reaches victims through phishing emails and malicious file attachments \u2014 attack vectors that remain effective because they exploit human behavior rather than relying solely on technical weaknesses.<\/p>\n<p>Once a system is infected, XLoader quietly runs in the background, harvesting credentials from browsers like Google Chrome and email clients like Microsoft Outlook, and then sends that stolen data back to its command-and-control (C2) servers in an encrypted and carefully disguised format.<\/p>\n<p><a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/latest-xloader-obfuscation-methods-and-network-protocol\" id=\"https:\/\/www.zscaler.com\/blogs\/security-research\/latest-xloader-obfuscation-methods-and-network-protocol\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Researchers at Zscaler identified the latest iterations of XLoader<\/a>, noting that starting from version 8.1, the malware\u2019s developers introduced considerably more advanced code obfuscation and network encryption techniques than those seen in earlier versions.<\/p>\n<p>Their analysis revealed that these updates are deliberate and systematic, designed to frustrate both automated analysis tools and manual reverse engineering efforts by security professionals.<\/p>\n<p>The overall impact of these upgrades is far-reaching. XLoader\u2019s combination of data theft, flexible command execution, and deeply layered obfuscation makes it a persistent threat to individuals and organizations of all sizes.<\/p>\n<p>ThreatLabz concluded that XLoader is expected to keep posing a significant risk going forward, especially as its growing stealth capabilities allow it to remain largely undetected by conventional security systems.<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-xloader-hides-its-c2-traffic-behind-decoy-serv\"><strong>How XLoader Hides Its C2 Traffic Behind Decoy Servers<\/strong><\/h2>\n<p>One of the most significant aspects of XLoader\u2019s updated behavior is how it hides its real command-and-control (C2) servers within a large pool of decoy addresses.<\/p>\n<p>The malware embeds a total of 65 C2 <a href=\"https:\/\/cybersecuritynews.com\/911-s5-botnet-dismantled\/\" id=\"66150\" target=\"_blank\" rel=\"noreferrer noopener\">IP addresses<\/a> in its code, but each address is individually encrypted and only decrypted at runtime when it is about to be used, which makes static analysis of the binary extremely difficult for researchers.<\/p>\n<p>When <a href=\"https:\/\/cybersecuritynews.com\/xloader-malware-macos\/\" id=\"38592\" target=\"_blank\" rel=\"noreferrer noopener\">XLoader initiates<\/a> a communication cycle, it randomly selects 16 of those 65 IP addresses and begins sending HTTP requests to each one in sequence.<\/p>\n<p>Both request types \u2014 POST requests carrying stolen credentials and GET requests retrieving commands \u2014 are sent across this entire pool indiscriminately.<\/p>\n<p>This approach makes it nearly impossible for malware sandboxes and automated detection tools to distinguish real C2 servers from decoys without live network verification of each address.<\/p>\n<p>To further protect its traffic, XLoader applies multiple encryption layers using RC4 ciphers and SHA-1 hashing of the C2 URL.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiZocI8o5HJckZz7eBziMpkgI2pHbF8QMDbcSPrUJuXxAjhAlswA-r-fBZCfR3juy860k9gyPGli10mujdKlZbMNjUMgn4m40YATnH0sqJ_Pj_lhGiXcUtA0knx9Ag2i_Jsj8w9FzbL-MKGwSwBJyWqRYqSTpZ-wzblu5cWTUe6EB9RFjOh-yu5akoj4SU\/s16000\/Xloader%25E2%2580%2599s%2520obfuscated%2520custom%2520decryption%2520routine%2520since%2520version%25208.1%2520%28Source%2520-%2520Zscaler%29.webp?ssl=1\" alt=\"Xloader\u2019s obfuscated custom decryption routine since version 8.1 (Source - Zscaler)\"><figcaption class=\"wp-element-caption\">Xloader\u2019s obfuscated custom decryption routine since version 8.1 (Source \u2013 Zscaler)<\/figcaption><\/figure>\n<\/div>\n<p>The encryption keys are derived dynamically from the C2 URL seed and are only revealed at specific stages of execution, making interception alone insufficient to expose the malware\u2019s activities.<\/p>\n<p>Even though the traffic travels over plaintext HTTP, the actual data is layered with enough encryption that decoding it without the proper keys is practically impossible.<\/p>\n<p>Security teams should monitor for unusual HTTP traffic patterns involving repeated requests sent to multiple IP addresses within a short period, particularly when those requests include Base64-encoded parameters with randomly generated names.<\/p>\n<p>Using network emulation tools that can establish actual connections and verify server responses remains the most dependable method to separate real <a href=\"https:\/\/cybersecuritynews.com\/chinese-threat-actors-hosted-18000-active-c2-servers\/\" id=\"139740\" target=\"_blank\" rel=\"noreferrer noopener\">C2 servers<\/a> from decoys.<\/p>\n<p>Organizations should also keep endpoint detection tools updated to catch XLoader activity, which is currently tracked under the detection name\u00a0Win32.PWS.XLoader.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/xloader-malware-upgrades-obfuscation-tactics\/\">XLoader Malware Upgrades Obfuscation Tactics and Hides C2 Traffic Behind Decoy Servers<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>XLoader Malware Upgrades Obfuscation Tactics and Hides C2 Traffic Behind Decoy Servers A well-known information-stealing malware called XLoader has received significant upgrades in its latest versions, making it considerably harder to detect and analyze than before. Originally derived from a malware family known as FormBook, which first surfaced in 2016, XLoader was rebranded and relaunched [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-11769","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11769"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11769"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11769\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11769"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11769"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11769"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}