{
	"id": "cd9ec595-abf0-4854-931a-300cbe8789a4",
	"created_at": "2026-04-06T00:09:56.757573Z",
	"updated_at": "2026-04-10T03:21:04.865583Z",
	"deleted_at": null,
	"sha1_hash": "64779644fa4002b17e9c3f38eeeee5b7abfe9333",
	"title": "XLoader Botnet: Find Me If You Can - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 699804,
	"plain_text": "XLoader Botnet: Find Me If You Can - Check Point Research\r\nBy alexeybu\r\nPublished: 2022-05-31 · Archived: 2026-04-02 12:08:19 UTC\r\nResearch by: Alexey Bukhteyev \u0026 Raman Ladutska\r\nIntroduction\r\nIn July 2021, CPR released a series of three publications covering different aspects of how the Formbook and\r\nXLoader malware families function. We described how XLoader emerged in the Darknet community to fill the\r\nempty niche after Formbook sales were abruptly stopped by its author. We did a deep technical analysis followed by\r\na description of XLoader for macOS along with common points and differences in how both malware families\r\nconceal the heart of the whole operation, the Command-and-Control (C\u0026C) infrastructure. However, the world does\r\nnot stand still, and this applies to the malware cyber-world as well.\r\nA couple of months after our publications were released, we spotted a new XLoader version in-the-wild which was\r\nan upgrade of all the ones we described previously.  The enhanced version features significant modifications in key\r\nparts of the malware logic to truly deserve the differentiation if compared with XLoader’s previous implementation.\r\nIn this article, we describe the changes malware authors applied to XLoader to obscure the C\u0026C infrastructure –\r\nmore than anything we saw before. Now it is significantly harder to separate the wheat from the chaff and discover\r\nthe real C\u0026C servers among thousands of legitimate domains used by Xloader as a smokescreen. We explain how we\r\ngot to the essence and identified the real C\u0026C nodes in the evolving botnet.\r\nDeep technical dive\r\nThe Formbook malware has not been updated for quite a long time. The latest version of this stealer is 4.1, and we\r\nalready observed samples of this version in far 2020. 
This gives us reason to believe that Formbook has been\r\ndiscontinued.\r\nAt the same time, XLoader, Formbook’s successor which we described last year, has already received 2 updates\r\nsince our publication. In this article, we describe the most important changes that we found in XLoader version 2.5.\r\nCamouflaging real C\u0026C servers – methods used in 2021\r\nAll XLoader samples have 64 domains and one URI in their configurations. The XLoader configuration has the same\r\nstructure as the Formbook configuration. In earlier versions, Formbook used the URI stored separately in the\r\nconfiguration to access its C\u0026C server. The 64 domains from the malware configuration are actually decoys,\r\nintended to distract researchers’ attention.\r\nIn Formbook version 4.1, the malware developers added another level of stealth which also migrated to early\r\nversions of XLoader (up to 2.5). A domain name for the real C\u0026C server was hidden among the 64 decoys, while the\r\nURI that was always thought to be an address of the C\u0026C server became another decoy and could point to a\r\nlegitimate website. The malware versions mentioned above randomly choose 16 decoy domains, two of which are\r\nreplaced with the fake C\u0026C server address and a real C\u0026C server address. The real C\u0026C server is accessed after a\r\nlong delay.\r\nFigure 1 – Creating a list of domains for C\u0026C communication in XLoader 2.3 and Formbook 4.1.\r\nThis already looks complicated. However, the newer version introduced an even more sophisticated algorithm.\r\nNew version – a new level of protection\r\nThe first samples of the new version of XLoader appeared in-the-wild in August 2021, a month after our publication\r\n“Revealing the XLoader’s C\u0026C infrastructure”. 
At first glance, we didn’t see any difference because the configuration\r\nstructure remained exactly the same.\r\nHowever, when emulating samples in a sandbox, we noticed a change. With a long emulation time, the sample\r\naccessed more than 16 domains, unlike earlier versions. This behavior forced us to put aside automated analysis tools\r\nand arm ourselves with a disassembler. We soon discovered the part of the code responsible for the detected anomaly.\r\nAs in the previous versions, XLoader first creates a list of 16 domains that are randomly selected from the 64\r\ndomains stored in the configuration. After each attempt to access the selected 16 domains, the following code is\r\nexecuted:\r\nFigure 2 – XLoader 2.5 overwrites the first 8 domains before each communication cycle.\r\nThe purpose of this piece of code is to partially overwrite the list of accessed domains with new random values.\r\nTherefore, if XLoader runs long enough, it will access new randomly selected domains. Note that\r\nonly the first 8 values are overwritten, and the remaining 8 remain the same as those that\r\nwere selected immediately after launch.\r\nIn addition, as we initially thought, XLoader saves the index of its C\u0026C server and does not allow it to be overwritten:\r\nFigure 3 – XLoader doesn’t overwrite the C\u0026C domain index.\r\nHowever, while checking hosts that were supposed to be XLoader C\u0026C servers, it turned out that many of them did\r\nnot respond or else appeared to be legitimate, such as this one:\r\nFigure 4 – Fake C\u0026C domain points to a likely legitimate site.\r\nAlso, most of them appear only once in various configurations, making them the underdogs in our preliminary bet\r\nfor the real C\u0026C candidates. 
From our previous research, we remembered that the number of real C\u0026C servers was\r\nrelatively small (we found fewer than 100 C\u0026C servers among 90,000 domains used by the malware), and they were\r\nreused in many of the campaigns of different XLoader customers.\r\nIn this case, we also found many domains that appear multiple times in samples that belong to different campaigns.\r\nHowever, these domains belong to the list of decoys and do not stand out at first glance. Let’s look at the websites\r\npointed to by some of these domains. The root page looks like a parked domain page of famous domain registrars\r\nand hosting service providers (usually Hostinger and Namecheap):\r\nFigure 5 – Real C\u0026C servers disguised as Hostinger and Namecheap parked domain pages.\r\nHowever, if we check the source code of the page and compare it with the original page generated by the service\r\nprovider, we see many differences:\r\nFigure 6 – Differences between the fake (on the left side) and the real (on the right side) Namecheap parked domain page.\r\nIn the fake Hostinger page, we also see some visual differences:\r\nFigure 7 – Visual differences between the fake (on the left side) and the real (on the right side) Hostinger parked domain\r\npage.\r\nWe then collected IP addresses of all presumably malicious hosts and root pages from the corresponding websites. It\r\nturned out that all the domains point to a few IP address ranges, all of which belong to Namecheap. 
Some domains\r\npoint to the same IP addresses.\r\nDomain | IP | Root Page MD5 hash | Description\r\nbubu3cin.com | 162.0.214.189 | ce866938b246a89fd98fc6a6f666d21c | Fake Hostinger\r\nhighpacts.com | 162.0.216.5 | ce866938b246a89fd98fc6a6f666d21c | Fake Hostinger\r\nhype-clicks.com | 162.0.223.146 | f891f22cd94c80844fcfe6fddb4b7912 | Fake Namecheap\r\nmoukse.com | 162.0.223.146 | f891f22cd94c80844fcfe6fddb4b7912 | Fake Namecheap\r\nbesasin09.com | 162.0.223.94 | 8d85df16ced80502c796649e4c806d31 | Future home of…\r\nbrasbux.com | 162.0.223.94 | 8d85df16ced80502c796649e4c806d31 | Future home of…\r\nfinsits.com | 162.0.225.82 | ce866938b246a89fd98fc6a6f666d21c | Fake Hostinger\r\narabatas.com | 162.0.225.82 | ce866938b246a89fd98fc6a6f666d21c | Fake Hostinger\r\nocvcoins.com | 162.0.238.238 | ce866938b246a89fd98fc6a6f666d21c | Fake Hostinger\r\ngingure.com | 162.0.238.238 | ce866938b246a89fd98fc6a6f666d21c | Fake Hostinger\r\ncoalmanses.com | 162.213.253.206 | ce866938b246a89fd98fc6a6f666d21c | Fake Hostinger\r\nfendoremi.com | 162.213.253.206 | ce866938b246a89fd98fc6a6f666d21c | Fake Hostinger\r\nnoun-bug.com | 199.188.206.146 | f891f22cd94c80844fcfe6fddb4b7912 | Fake Namecheap\r\ncobere9.com | 199.188.206.146 | f891f22cd94c80844fcfe6fddb4b7912 | Fake Namecheap\r\n…\r\nTable 1 – XLoader domains and IP addresses to which they point.\r\nAll the websites display pages that appear to be “under construction”, primarily the fake Namecheap or Hostinger\r\nparked domain page, even though all the IP addresses belong to Namecheap.\r\nIt looks like we found the C\u0026C servers, but is it possible to distinguish them in the list of 64 decoy domains in the\r\nmalware configuration?\r\nLet’s now look at the function that fills the initial list of 16 domains in XLoader 2.5 and compare it with the function\r\nfrom XLoader 2.3:\r\nFigure 8 – XLoader 2.5 replaces three domains in the created 
list with 2 decoys and the real C\u0026C server domain.\r\nAs we can see, XLoader 2.5 introduced additional code that replaces one more domain in the list with a fixed\r\nvalue. Interestingly, this value doesn’t appear anywhere else in the code and is not saved; its position in the list of 16\r\ndomains is chosen randomly.\r\nAs the first 8 domains are overwritten with new values after the first hit, there is a 50% chance that this domain will\r\nbe overwritten. However, we think that this is the domain which points to the real C\u0026C server.\r\nThe domain selection scheme is as follows:\r\nFigure 9 – Creating a list of domains for C\u0026C communication in XLoader 2.5.\r\nIf the real C\u0026C domain appears in the second part of the list, it is accessed in every cycle, that is, once in approximately 80-90\r\nseconds. If it appears in the first part of the list, it will be overwritten by another random domain name.\r\nHowever, there is still a probability that this domain will appear in the list again. This is possible because the 8\r\ndomains that overwrite the first part of the list are chosen randomly, and the real C\u0026C domain might be one of them.\r\nIn this case, the probability that a real C\u0026C server will be accessed in the next cycle is 7/64 or 1/8 depending on the\r\nposition of the “fake c2 (2)” domain (see Figure 9 above).\r\nThe malware authors once again proved their high technical skills and out-of-the-box approach. By implementing the\r\nLaw of Large Numbers in the malware, they achieved two goals: not only did they disguise the real C\u0026C servers in\r\ncommon sandbox emulations (which are usually short), but they also kept up the effectiveness of the malware.\r\nIn the table below we provide the probabilities of the real C\u0026C server not being accessed again within a given time-frame. 
We take into consideration the lowest possible probability for the server to appear in any given cycle, which is\r\n7/64, as well as the longest possible pause between two cycles, which is 90 seconds.\r\nTime passed | Probability of the real C\u0026C server not being accessed | Notes\r\n9 minutes | 50% | Like a coin toss\r\n15 minutes | 31% | Less than 1 in 3\r\n18 minutes | 25% | 1 in 4\r\n30 minutes | 10% | 1 in 10\r\n1 hour | 1% | 1 in 100\r\n2 hours | 0.09% | Less than 1 in 10,000\r\n2.5 hours | 0.0009% | Less than 1 in 1,000,000\r\nWe see from the table that out of one million launches, in only one case might the malware fail to access the real C\u0026C\r\nserver within a period of 2.5 hours. In reality, the probability of such an event is even lower, as the cycle period can\r\nvary between 80 and 90 seconds, and the probability of the real C\u0026C server showing up in a cycle may be higher,\r\nnamely 1/8.\r\nEven 9 minutes are enough to fool the emulators and prevent the detection of the real C\u0026C server, based on the\r\ndelays between accesses to the domains. At the same time, the regular knockback period maintained by the malware\r\nwith the help of probability theory allows it to keep victims as botnet parts without sacrificing the functionality.\r\nXLoader 2.6\r\nOn May 5, 2022, we spotted a new version of XLoader malware in-the-wild. The main update in XLoader v2.6\r\nconcerns the network communication. 
The random index of the real C\u0026C server is now saved in the malware state\r\nstructure:\r\nFigure 10 – XLoader 2.6 generates and stores the index of a real C\u0026C server.\r\nDuring each communication cycle, when the malware overwrites the first 8 entries in the list of accessed domains, it\r\nkeeps the values for the real and the fake C\u0026C domains:\r\nFigure 11 – XLoader 2.6 doesn’t overwrite the fake and the C\u0026C domain indices.\r\nTherefore, the real C\u0026C server is now accessed in every communication cycle, or once in approximately 80-90\r\nseconds.\r\nHowever, this logic is activated only when the malware runs on an x64 system. When it runs on an x86 system, the\r\nvariable real_c2_index stores the same value as fake_c2_index. This results in the real C\u0026C server\r\nbeing accessed with the same probability as any of the 63 decoys while running on an x86 system. This looks like an\r\nevasion technique, as currently a lot of sandboxes still use x86 virtual machines.\r\nConclusion\r\nTo stay in business, malware actors have to stay at the forefront of progress and invent new tricks to prolong the\r\nlives of their creations as long as possible. In the case of XLoader malware, we see a vivid example of such a\r\nprocess.\r\nIn July 2021, we described the method of uncovering real C\u0026C servers among the thousands of legitimate servers\r\nabused by XLoader v.2.3. The upgraded XLoader v.2.5 introduced significant changes in this algorithm using the\r\npower of the Law of Large Numbers from probability theory. These modifications achieve two goals at once: each\r\nnode in the botnet maintains a steady knockback rate while fooling automated scripts and preventing the discovery of\r\nthe real C\u0026C servers. 
The latter indeed became more difficult, but not impossible.\r\nIn this article we described all the steps you need to take, and all the details you need to pay attention to in order to\r\nidentify the real C\u0026C domain among the 65 encountered in every XLoader sample. We analyzed more than 100,000\r\ndomains to discover a tiny percentage of actual C\u0026C servers in the multitude of abused domains – only 120 of the\r\nreal servers, which is about 0.12% of the total number.\r\nWe continue to stay vigilant for any upcoming changes that might be implemented by future versions, not only in\r\nXLoader but in other malware families as well.\r\nCheck Point Protections\r\nCheck Point Provides Zero-Day Protection across Its Network, Cloud, Users and Access Security Solutions. Whether\r\nyou’re in the cloud, the data center, or both, Check Point’s Network Security solutions simplify your security without\r\nimpacting network performance, provide a unified approach for streamlined operations, and enable you to scale for\r\ncontinued business growth. Quantum provides the best zero-day protection while reducing security overhead. 
\r\nSandBlast Network Protections:\r\nTrojan.WIN32.Formbook.A\r\nTrojan.WIN32.Formbook.B\r\nTrojan.WIN32.Formbook.C\r\nTrojan.WIN32.Formbook.D\r\nTrojan.WIN32.Formbook.E\r\nTrojan.WIN32.Formbook.F\r\nTrojan.WIN32.Formbook.G\r\nTrojan.WIN32.Formbook.H\r\nTrojan.WIN32.Formbook.I\r\nTrojan.WIN32.Formbook.J\r\nTrojan.WIN32.Formbook.K\r\nTrojan.WIN32.Formbook.L\r\nTrojan.WIN32.Formbook.M\r\nTrojan.WIN32.Formbook.N\r\nTrojan.WIN32.Formbook.O\r\nTrojan.WIN32.Formbook.P\r\nTrojan.WIN32.Formbook.Q\r\nTrojan.WIN32.Formbook.R\r\nThreat Emulation protections:\r\nInfostealer.Win32.Formbook.C\r\nInfostealer.Win32.Formbook.D\r\nInfostealer.Win32.Formbook.E\r\nInfostealer.Win32.Formbook.gl.F\r\nInfostealer.Win32.Formbook.TC\r\nFormbook.TC\r\nInfostealer.Win32.XLoader.TC\r\nXLoader.TC\r\nTrojan.Mac.XLoader.B\r\nAppendix: Indicators of Compromise\r\nXLoader samples\r\nXLoader C\u0026C servers\r\nSource: https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/"
	],
	"report_names": [
		"xloader-botnet-find-me-if-you-can"
	],
	"threat_actors": [],
	"ts_created_at": 1775434196,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64779644fa4002b17e9c3f38eeeee5b7abfe9333.pdf",
		"text": "https://archive.orkl.eu/64779644fa4002b17e9c3f38eeeee5b7abfe9333.txt",
		"img": "https://archive.orkl.eu/64779644fa4002b17e9c3f38eeeee5b7abfe9333.jpg"
	}
}