{
	"id": "405109b7-3275-403a-8bb8-9e5fab4d2d8e",
	"created_at": "2026-04-06T00:13:44.220487Z",
	"updated_at": "2026-04-10T13:12:26.503082Z",
	"deleted_at": null,
	"sha1_hash": "38f123ce45aed2df17e6637bf60419d4144966ef",
	"title": "Cyble - Xloader Returns with New Infection Technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1772000,
	"plain_text": "Cyble - Xloader Returns with New Infection Technique\r\nBy cybleinc\r\nPublished: 2022-07-01 · Archived: 2026-04-05 23:06:09 UTC\r\nCyble analyzes Xloader, a sophisticated malware variant that uses multiple stages for its payload delivery.\r\nMultistage Delivery of Malware Using Steganography\r\nDuring our routine threat-hunting exercise, Cyble Research Labs came across a Twitter post wherein a researcher\r\nmentioned an interesting infection chain of Xloader malware.\r\nThe malware uses multiple file types such as PDF, XLSX, and RTF for its initial infection and execution. It is also\r\ndesigned to drop three modules in memory and execute the final payload using the Process-Hollowing technique.\r\nAdditionally, the malware uses steganography to hide its malicious content in a bitmap file.\r\nThe below figure shows the infection chain of Xloader malware.\r\nhttps://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/\r\nPage 1 of 13\n\nFigure 1 – Xloader Infection Chain\r\nXloader is a rebranded version of the Formbook stealer. It is designed as a malicious tool to steal credentials from\r\ndifferent web browsers, collect screenshots, monitor and log keystrokes from the victim’s machine, and send them\r\nto the Command and Control (C\u0026C) server. Typically, Xloader spreads via spam emails that trick victims into\r\ndownloading a malicious attachment file, such as MS Office documents, PDF documents, etc.\r\nThis blog showcases the deep-dive analysis of the malware infection, starting with a spam email containing a PDF\r\nattachment to deliver the final payload of Xloader malware. The PDF attachment is shown below.\r\nFigure 2 – PDF Attachment from Spam Email\r\nWhen the PDF file is opened, it drops the embedded XLSX file named “has been verified. However PDF, JPG, Docx,\r\n.xlsx” into the “Temp” location. 
It then uses multiple extensions of different file formats to trick the user. The\r\nbelow figure shows the embedded file details of the PDF document.\r\nFigure 3 – Embedded file in PDF Document\r\nUpon execution of the XLSX file, it downloads the RTF document file from the URL –\r\nhxxps[:]//htmlpreview[.]github[.]io@oshi[.]at/Nmtw.\r\nWhen the RTF document is opened, MS Word’s equation editor (EQNEDT32.exe) will automatically launch and\r\ndownload a .NET malware file from the URL – hxxp[:]//192.227.173[.]33/71/vbc[.]exe.\r\nThe below figure shows the opened RTF document.\r\nFigure 4 – RTF Document\r\nThe .NET executable file named “vbc.exe” is downloaded from the RTF document via the equation editor\r\nvulnerability (CVE-2017-11882) and is an obfuscated binary file. The below figure shows the obfuscated and de-obfuscated file details such as methods and functions.\r\nFigure 5 – Obfuscated and De-obfuscated details of the “vbc.exe” file\r\nTechnical analysis:\r\nWe have taken the sample hash (SHA256),\r\nd0c85ba5e6d88e1e0b5f068f125829b4e224b90be2488f2c21317447dc51fb9e for our analysis. 
It is a 32-bit .NET\r\nexecutable file named “vbc.exe”.\r\nUpon execution of the vbc.exe file, the method Convert.FromBase64String() in the Main() function decodes the\r\nbase64 string content and returns a new PE file, as shown below.\r\nFigure 6 – Base64 String Conversion\r\nAfter decoding the base64 content, vbc.exe loads the converted PE module named “Bunifu.UI.dll” into memory\r\nby dynamically invoking a function with string arguments such as “Invoke” and\r\n“Bunifu_TextBox.” The below figure shows the concatenated strings used in the malware file.\r\nFigure 7 – String Concatenation\r\nThe module “Bunifu.UI.dll” is also an obfuscated .NET file. The below figure shows the de-obfuscated content of\r\nthe new assembly file, which runs the Bunifu_TextBox() function. This function retrieves the embedded bitmap image\r\n“QQvruB” present in the resource (“Hospital_Document_Tracker_System.Resources.resources”) of the parent\r\nmalware vbc.exe file. 
It then calls the Sleep function to delay the execution before accessing the resource for the\r\nbitmap image.\r\nFigure 8 – De-obfuscated Content of New Module “Bunifu.UI.dll”\r\nThe malware uses the steganography technique to hide malicious content in the compressed bitmap image\r\nembedded in the resource of the parent malware file vbc.exe, shown below.\r\nFigure 9 – Compressed Bitmap Embedded in Main File Resource\r\nThe successful decompression of the bitmap image retrieves another .NET file in memory, as shown in Figure 10.\r\nThe “Bunifu.UI.dll” module loads the new binary using the Assembly.Load method by passing the decompressed\r\nbitmap content as an argument.\r\nFigure 10 – Decompressed Bitmap Content of New Module from Resource\r\nThe main purpose of “Bunifu.UI.dll” is to decompress the bitmap image from a resource using the “GZipStream”\r\nclass, as shown in the figure below.\r\nFigure 11 – Decompression Function\r\nThe new file decompressed from the resource is another obfuscated .NET binary titled “MajorRevision.exe.” The\r\nfigure below shows the newly loaded module in memory with the module name in Chinese script.\r\nFigure 12 – Loaded New Module “MajorRevision.exe”\r\nThe below figure shows the de-obfuscated “MajorRevision.exe” assembly file.\r\nFigure 13 – De-obfuscated MajorRevision.exe File\r\nUpon execution of the “MajorRevision.exe” module, it first creates a mutex named “fBEQVtAy” to ensure that\r\nonly one instance of the malware runs on the victim’s system. 
The malware exits if the mutex is already present.\r\nFigure 14 – Mutex Creation\r\nNext, it converts the larger array of bytes present in the module into HEX values, as shown in Figure 15. It\r\ncontains multiple Anti-Analysis and Anti-Detection checks to prevent the execution of the malware in a controlled\r\nenvironment.\r\nFigure 15 – Anti-analysis Strings in Memory of MajorRevision.exe\r\nAfter that, it retrieves the final payload in memory by converting another larger array of bytes which is also\r\npresent in the “MajorRevision.exe.” Finally, it injects the payload by creating a new process with the parent file\r\nname (“vbc.exe”) using the process hollowing technique shown below.\r\nFigure 16 – Process Hollowing technique\r\nThe below figure shows the file information of the final malware payload, “Xloader.” Based on our static analysis,\r\nwe concluded that the malware payload is a 32-bit, MASM compiled binary with only the “.text” section.\r\nFigure 17 – Final Payload Details\r\nXloader malware uses the magic bytes “XLNG,” shown in the figure below.\r\nFigure 18 – XLNG Magic Bytes of Xloader\r\nUpon successful execution, Xloader drops an executable file in the following location and injects it into\r\nexplorer.exe.\r\n“C:\\Program Files (x86)\\L9rql\\winmrhl7bm.exe”\r\nTo establish persistence, the malware creates the below registry key for autorun, so that the dropped malware\r\nfile executes every time the user logs in to the system.\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\J8TPYFN8OVE = “C:\\\\Program Files (x86)\\\\L9rql\\\\winmrhl7bm.exe”\r\nFinally, after a successful connection to the Threat Actor’s C\u0026C server, Xloader can be instructed to download and\r\nlaunch additional payloads, terminate 
and uninstall the malware, etc.\r\nAdditionally, Xloader steals user credentials or cookies from browsers, logs keystrokes, steals clipboard content,\r\ntakes screenshots, and sends them to the TA’s C\u0026C server.\r\nConclusion\r\nInformation stealers are evolving as increasingly sophisticated threats in the cybercrime ecosystem. They can\r\ncause severe damage to individuals and organizations in the case of privacy violations, confidential information\r\nleakage, etc.\r\nExploiting the human element is often easier for Threat Actors compared to exploiting complex vulnerabilities.\r\nThroughout our analysis, we have observed that Xloader looks like a prominent malware variant that is constantly\r\nupdated by improving its code, which adds new features, more obfuscation, the use of anti-analysis techniques, etc.\r\nCyble Research Labs will closely monitor Xloader malware and other information stealers and analyze them to\r\nunderstand their TTPs better and update our readers accordingly.\r\nOur Recommendations\r\nAvoid downloading pirated software from unverified sites.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nKeep updating your passwords after certain intervals.\r\nUse a reputed anti-virus and internet security software package on your connected devices, including PC,\r\nlaptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez.\r\nMonitor the beacon on the network level to block data exfiltration by malware or TAs.\r\nEnable Data Loss Prevention (DLP) Solutions on employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1566 | Phishing\r\nExecution | T1204 | User Execution\r\nExecution | T1203 | Exploitation for Client Execution\r\nPersistence | T1547 | Registry Run Keys / Startup Folder\r\nDefence Evasion | T1497 | Virtualization/Sandbox Evasion\r\nCredential Access | T1552 | Credentials In Files\r\nLateral Movement | T1021 | Remote Services\r\nCNC | T1071 | Application Layer Protocol\r\nIndicators of Compromise (IOCs)\r\nDescription | MD5 | SHA1 | SHA256\r\nSpam email | afa05a84f53f793fdad59d8af603b497 | bdbc99cb9698f3754dea53bb192e650b2f0c203c | 9d3c9168bc5d52c0372f31565bf2ec690a39cfd52bc76d0ef01083e419da805b\r\nPDF | 96d95ee6d0c9da16d245579ad1ff2e9f | f852ac58b11e6b314271e2afdd33da84fc3cb8d8 | 6d45a03b32c4a9bab48c75bec8443b5af40ae43e055db77796a6328cb6e87ffe\r\nXLSX | 2fc6db5b63ba91752b946d76b803a4a9 | 45982471aca75de846442d16c84c5b61caa6c045 | 30d5632ef75e81aa6a48eae64f2155acc39e64f6367a5c6152e8ec74b44ac6de\r\nRTF | e5cde34f443cab2ebecf850518d0aeeb | 375ecc13e71755cc4ab260f518207892e87c55e3 | d106de4854f334b826f7ed6e97b02eff34e8ab8ea956d461d67c4225792185a1\r\nObfuscated .NET exe (Main file) | 1f65d7826fbcc2d6c50f6c493c901588 | 4290f6b300595e807e8cacd5ff172b0a0f37c845 | d0c85ba5e6d88e1e0b5f068f125829b4e224b90be2488f2c21317447dc51fb9e\r\nDe-obfuscated .NET exe (Main file) | a0dc449956fd7eefaeb204d66b668330 | 76b958e128a7f2dd052634d5e7dfbf2f67f20ae9 | 50204673d080635b23b8f219a70e276acd3dd3779543fbd4b82a217c06dc14fb\r\nObfuscated .NET exe (Stage 1) | 39f524c1ab0eb76dfd79b2852e5e8c39 | 428018e1701006744e34480b0029982a76d8a57d | 79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696\r\nDe-obfuscated .NET exe (Stage 1) | bc31d889dd60360d38796521b452d775 | 7e52c29418bd13c749da76506251ad3ad291d06c | 32abba85bb16f812822c789882e37cd37c62e15ea0aceade45eaad1d93ff012a\r\nObfuscated .NET exe (Stage 2) | 73aac8ac5dc4ded42398f9fe2a191c19 | 4f3ed7fa592f4ae4c4462928543dcbd4997f2549 | 6672b26a03db7ec5d61e90ce7827c422cb6a8a942cc1c77f92f97e263a35d8e5\r\nDe-obfuscated .NET exe (Stage 2) | 0227a4419e2948a886a2e324180f23e6 | 43c1ee78411b939e19688ff9ea9ebc433d9051a1 | c7b2597253067c1169aeef5e04948575bf7df65e1787098cc9afc2e10685acdf\r\nFinal payload (MASM exe) | 7d4539bd445cf9821fd2e05dc0b1107e | 964e56a5e1f32101f04fa3fc62ec17c66b3c174e | 3b65b859612be75eb528caf7b0cc66bc049fdfb062b6b6aa29ea9c356114a4fe\r\nIndicator | Type | Description\r\nhxxps[:]//htmlpreview[.]github[.]io@oshi[.]at/Nmtw | URL | Download RTF file from C\u0026C\r\nhxxp[:]//192[.]227[.]173[.]33/71/vbc[.]exe | URL | Download EXE file from C\u0026C\r\nSource: https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/"
	],
	"report_names": [
		"xloader-returns-with-new-infection-technique"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434424,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38f123ce45aed2df17e6637bf60419d4144966ef.pdf",
		"text": "https://archive.orkl.eu/38f123ce45aed2df17e6637bf60419d4144966ef.txt",
		"img": "https://archive.orkl.eu/38f123ce45aed2df17e6637bf60419d4144966ef.jpg"
	}
}