{
	"id": "64c01ba3-55fe-4a75-965e-c85326b91651",
	"created_at": "2026-04-06T01:32:20.64972Z",
	"updated_at": "2026-04-10T03:36:47.646091Z",
	"deleted_at": null,
	"sha1_hash": "5ab5e432d8d3cf1304a6c5bd8dcdc5dbad6261b5",
	"title": "IXWare - Kids will be skids",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1263594,
	"plain_text": "IXWare - Kids will be skids\r\nArchived: 2026-04-06 01:25:06 UTC\r\nIXWare is what happens when inexperienced malware developers create malware as a service. We'll be analysing\r\nIXWare and how it's used to attack players of the online video game Roblox.\r\nForeword\r\nAfter releasing my last blog post covering DiamondFox I have been very busy behind the scenes working on my\r\nthreat tracker (threatshare.io) and my personal site (fr3d.hk). A huge thank you as always to Steved3 for reviewing\r\nand editing this post. The threat landscape has mostly stayed the same and not many things have caught my eye\r\nuntil this piece of malware.\r\nOverview\r\nIXWare is a MaaS (Malware as a service) that offers the ability to steal Windows users' passwords. It became\r\nwidespread after they moved to a central website handling all of their users' needs. The malware seems to be\r\nappealing to actors attacking the video game Roblox as it offers many techniques to recover infected victims'\r\naccounts.\r\nIXWare is sold on a Roblox hacking forum that caters to reselling of stolen accounts. The malware sells for 10\r\neuros a month and 25 euros for 3 months. On purchase, you're given access to the webpanel. 
In the screenshot below you will see the pricing and features of the malware.\r\nhttps://fr3d.hk/blog/ixware-kids-will-be-skids\r\nPage 1 of 9\r\nPurchase Page \u0026 Features\r\nBelow is a list of the advertised features (some do not exist or do not work):\r\nCore Features\r\nWebpanel Builder\r\nWebpanel Delivery\r\nStable \u0026 Reliable\r\nClean Log Interface\r\nMutex (Single Instance Application)\r\nUAC Bypass (Windows 7, 8.1 \u0026 10)\r\nCritical System-Process (BSoD when killed)\r\nMelt File\r\nAnti Debug/Anti VM/Sandbox\r\nProcess Blocker\r\nWebsite Blocker\r\nScreenshot Logger\r\nProtected Stub\r\nAdvanced Keylogger\r\nClipboard Logging\r\nWindow Logging\r\nBrowser Password Recoveries\r\nHere's a video of the creator demoing another feature, a JavaScript cookie logger for the Roblox game.\r\nThe creators of the malware also provide reviews for their product on TrustPilot. Along with the reviews they also offer a TOS that they believe will protect them from law enforcement, stating that the malware is only to be used on a computer you own, etc. This TOS will not do anything for them, as the main creator, icorex or ghostelutsch, is based in Germany.\r\nIXWare is written in C# and depends on the .NET 4.0 framework. It is easy to find samples in the wild that aren't obfuscated.\r\nAnti-VM\r\nMalware will employ different tactics to avoid being run in virtual machines (VMs), usually to evade analysis. IXWare begins by listing the running services and checking their names for those belonging to known VM products.\r\nAnti-VM - Services\r\nIf anti-VM is enabled within the malware config, we'll see a new task being created named CheckVM. This task calls another function named DetectVM. DetectVM uses the classic anti-VM method of creating a management object (a WMI query) and comparing the system details it returns against values that identify a hypervisor. 
The checks themselves are listed in the screenshot below.\r\nAnti-VM - Checks\r\nIf any of these checks succeeds, the malware exits.\r\nUAC Bypass\r\nIf the malware has not exited because of the anti-VM checks, it checks whether it is running as an elevated process by calling IsElevated. If the process is not elevated, the malware attempts a few different UAC bypasses, selected by Windows version:\r\nWindows 7 (CompMgmtLauncher)\r\nWindows Vista (CompMgmtLauncher)\r\nWindows 8 (CompMgmtLauncher)\r\nWindows 10 (fodhelper)\r\nThe bypass methods are all very similar: both CompMgmtLauncher.exe and fodhelper.exe are auto-elevating Microsoft binaries, and the bypasses plant a command under a per-user registry key that the elevated binary consults when it launches. A simple Google search will give you more than enough information on how these bypasses work.\r\nStartup \u0026 Melt\r\nTo maintain persistence the malware ensures that it is run at startup and, if melting is enabled, hides itself on first run. If the melt option is enabled in the config, the malware copies itself to the temp path under a random file name and sets the hidden attribute on the copy. Once this has been completed the malware sets up its persistence.\r\nStartup\r\nWe see the malware setting a registry value under SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run pointing to the location of the malware. If melting is enabled in its configuration, it additionally spawns schtasks with the following arguments:\r\n/create /tn \"svchost\" /sc ONLOGON /tr filename /rl HIGHEST /f\r\nThis task re-launches the malware at every logon with the highest available run level. The task name \"svchost\" is chosen to blend in with the legitimate service host process, which makes a scheduled task of that name a useful hunting signal.\r\nPersistence\r\nIXWare also defends itself by making its process critical, so that terminating it blue screens the computer. This is done by first checking whether persistence is enabled within the malware config and then calling the criticalProcess function. criticalProcess uses NtSetInformationProcess to mark the malware process as critical. 
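A hunt for the startup artifacts described above, added here as an example and not code from the original post or from IXWare itself: it parses the schtasks command line and the Run key writes out of a handful of constructed telemetry records and flags the combination of a task named after a system process, ONLOGON with /rl HIGHEST, and a target binary living in a temp directory. The record layout, the name SAMPLE_EVENTS and every path in it are assumptions for the example; real telemetry carries backslash paths, which normalise() folds onto the same form before matching.\r\n

```python
import shlex

# Constructed telemetry modelled on process-creation and registry-set events
# (Sysmon event IDs 1 and 13, or any EDR equivalent). The dict layout is an
# assumption for this example. Paths are written with forward slashes so the
# block carries no backslash escapes; normalise() maps real backslash paths
# onto the same form before matching.
SAMPLE_EVENTS = [
    {'type': 'registry_set',
     'key': 'HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run',
     'value': 'C:/Users/alice/AppData/Local/Temp/kzq8w1n4.exe'},
    {'type': 'process_create',
     'image': 'C:/Windows/System32/schtasks.exe',
     'cmdline': 'schtasks /create /tn \"svchost\" /sc ONLOGON '
                '/tr C:/Users/alice/AppData/Local/Temp/kzq8w1n4.exe /rl HIGHEST /f'},
    {'type': 'process_create',
     'image': 'C:/Windows/System32/schtasks.exe',
     'cmdline': 'schtasks /create /tn \"Vendor Update Task\" /sc DAILY '
                '/tr \"C:/Program Files/Vendor/update.exe\"'},
    {'type': 'registry_set',
     'key': 'HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run',
     'value': 'C:/Program Files/Vendor/agent.exe'},
]

# Directories a persistence target should not live in, and task names that
# mimic core Windows processes (both lists are assumptions for the example).
TEMP_MARKERS = ('/appdata/local/temp/', '/windows/temp/')
SYSTEM_NAMES = {'svchost', 'csrss', 'lsass', 'winlogon', 'explorer'}


def normalise(path):
    '''Lower-case a path and turn backslashes (chr(92)) into forward slashes.'''
    return path.replace(chr(92), '/').lower()


def parse_schtasks(cmdline):
    '''Return the switches of a schtasks /create command as a dict keyed by
    switch (e.g. '/tn'); bare flags such as /f map to True. Returns None for
    anything that is not a /create invocation.'''
    try:
        tokens = shlex.split(cmdline, posix=False)   # keep quoted values whole
    except ValueError:
        return None
    if '/create' not in [t.lower() for t in tokens]:
        return None
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith('/'):
            i += 1                                   # the schtasks image itself
            continue
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith('/')
        opts[tok.lower()] = tokens[i + 1].strip('\"') if has_value else True
        i += 2 if has_value else 1
    return opts


def hunt(events):
    '''Return (rule, detail) findings matching the Run-key and scheduled-task
    persistence pattern described in the post.'''
    findings = []
    for ev in events:
        if ev['type'] == 'registry_set' and normalise(ev['key']).endswith('/currentversion/run'):
            if any(m in normalise(ev['value']) for m in TEMP_MARKERS):
                findings.append(('run_key_points_to_temp', ev['value']))
        elif ev['type'] == 'process_create' and normalise(ev['image']).endswith('/schtasks.exe'):
            opts = parse_schtasks(ev['cmdline'])
            if not opts:
                continue
            name = str(opts.get('/tn', '')).lower()
            target = normalise(str(opts.get('/tr', '')))
            reasons = []
            if name in SYSTEM_NAMES:
                reasons.append('task named after a system process')
            if str(opts.get('/sc', '')).upper() == 'ONLOGON' and str(opts.get('/rl', '')).upper() == 'HIGHEST':
                reasons.append('runs at logon with the highest run level')
            if any(m in target for m in TEMP_MARKERS):
                reasons.append('target binary lives in a temp directory')
            if reasons:
                findings.append(('suspicious_schtasks_create', name + ': ' + '; '.join(reasons)))
    return findings


if __name__ == '__main__':
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(rule, '->', detail)
```

Run against the constructed records, hunt() reports the Temp-resident Run value and the \"svchost\" task (all three reasons) and stays silent on the two benign entries; each reason on its own is noisy, so the value is in scoring the combination.\r\n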
criticalProcess\r\nNtSetInformationProcess is called with a handle to the current process, the ProcessInformationClass parameter set to 29 (BreakOnTermination) and a ULONG named num; when num is 1 the process becomes critical. A handler for the SessionEnd event makes the same call with num set to 0, so that the process is no longer critical at logoff or shutdown and the shutdown itself does not trigger a bug check. Setting BreakOnTermination requires SeDebugPrivilege, so this only works once the malware is elevated; an analyst can clear the flag with the same call (or with a tool such as Process Hacker) before killing the process.\r\nDisable Windows Defender\r\nTo avoid detection by the built-in anti-virus, IXWare attempts to disable it. The function that handles this first checks whether the current user is an administrator on the system and returns if not. If the user is an admin, the malware begins by editing several registry keys to disable Windows Defender.\r\nDisable Windows Defender\r\nAfter these registry values have been set the malware calls a function named CheckDefender. This function uses PowerShell to query the current Windows Defender preferences, then walks each preference and overwrites it with a value that disables whatever functionality is still enabled. The code for this is long so I have pasted it here.\r\nFurther Disabling\r\nAfter this function returns the malware finishes off by updating many other registry keys so that Windows Defender stays disabled.\r\nMore disabling\r\nOnce these registry values have been updated the malware continues with its functionality. On current Windows 10 builds Tamper Protection blocks these registry and preference changes, so this routine mainly succeeds on older or unmanaged systems.\r\nRecoveries\r\nThe main functionality of the malware is to steal browser and application passwords. IXWare concentrates on Chromium-based browsers, as they are easy to steal from, and also supports theft from Discord. The stealing functionality is quite lacking even though it is one of the main features of the malware. 
To steal from Chromium browsers the malware begins by enumerating all supported browsers.\r\nChromium Browsers\r\nGoing through each supported browser, the malware attempts to get any accounts stored in the browser profile. Chromium browsers keep saved logins in an SQLite database (Login Data); the password column is encrypted with AES (AES-256-GCM since Chromium 80) under a per-profile key that is stored, wrapped with DPAPI and base64-encoded, in the profile's Local State file. We can see IXWare retrieving this key with a regex rather than a JSON parser.\r\nGetting Key\r\nOnce it has the key it uses CryptoAPI (CryptUnprotectData) to unwrap it so that it can decrypt the login credentials. The malware then enumerates the logins table and, for each row, collects the URL, username and decrypted password. These are written to a text file with a random-string filename in the temp path. The malware also lets the operator steal Discord accounts by grabbing the Discord token files from the app data path.\r\nCookie Stealer\r\nTo steal cookies for the game Roblox the malware employs a very simple tactic. It enumerates the running processes, looks for one named \"RobloxPlayerBeta\", reads the command line used to start it and extracts the auth token from those arguments.\r\nGet Roblox Cookie\r\nAfter the auth token has been taken from the running process, the malware sends it to the C2, which turns it into a usable session cookie. Once the C2 has replied with the cookie, the malware writes it to a file with a random name in the temp path.\r\nC2 Communications\r\nBecause the malware is a MaaS and all customers use the same webpanel, the communications of different samples are very similar. The C2 communication consists of one POST request to the C2 gate. 
Specifics of the infected system are sent in the request headers.\r\nC2 Headers\r\nThe exchange begins with the malware requesting another file on the C2 named UT.php, which returns a Unix timestamp. The timestamp is concatenated with the number \"877692\" and the resulting string is SHA-256 hashed and then encrypted. Each header value is encrypted with the function encrypt, which uses AES in CBC mode with the first 32 bytes of a constant key. Because that key is a constant in the stub, anyone holding a sample can decrypt the headers of any other build that embeds the same constant, and the pair of requests (UT.php followed by a multipart POST to upload.php) is an easy network signature. Once done, the malware reads the password logs and puts them, along with the headers, into a multipart form that is sent to the upload.php file on the C2.\r\nEpilogue\r\nThis malware is what happens when code is copied and pasted with no innovation. Most of what I have described in this post can probably be found on GitHub, and simple YARA rules will be able to pick up this malware easily. I have also chosen not to describe the flaws in this malware as it is still actively in development. I hope this post will be of use and, as always, thank you for reading!\r\nSource: https://fr3d.hk/blog/ixware-kids-will-be-skids",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://fr3d.hk/blog/ixware-kids-will-be-skids"
	],
	"report_names": [
		"ixware-kids-will-be-skids"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439140,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ab5e432d8d3cf1304a6c5bd8dcdc5dbad6261b5.pdf",
		"text": "https://archive.orkl.eu/5ab5e432d8d3cf1304a6c5bd8dcdc5dbad6261b5.txt",
		"img": "https://archive.orkl.eu/5ab5e432d8d3cf1304a6c5bd8dcdc5dbad6261b5.jpg"
	}
}