{
	"id": "b06da76f-ce15-4e69-814b-734f69cf06b0",
	"created_at": "2026-04-06T01:31:12.295523Z",
	"updated_at": "2026-04-10T03:22:49.99398Z",
	"deleted_at": null,
	"sha1_hash": "67eb9189ece4b10cdd26ab6f0c8e7a4d988f5409",
	"title": "Trojan-as-a-service: From Formbook to XLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72731,
	"plain_text": "Trojan-as-a-service: From Formbook to XLoader\r\nArchived: 2026-04-06 00:53:19 UTC\r\nSummary\r\nName: XLoader\r\nFirst discovered in October 2020\r\nWorks as malware-as-a-service\r\nDistributed using spam emails as an email attachment and through vulnerable servers\r\nTargets Windows and macOS machines\r\nPayload can record keystrokes, take screenshots and obtain info\r\nstored on the clipboard. It also steals usernames and passwords from browsers, messengers and email\r\nclients.\r\nWritten in C and Assembler\r\n32-bit samples, zipped in various file types\r\nIntroduction\r\nDiscovered in 2016, Formbook appeared on underground forums, advertised as an infostealer for Windows. In\r\nOctober 2020, Formbook was renamed XLoader; according to its developers, it has the same features but has been improved\r\nover the previous version. Written in C and Assembler, the malware can steal users’ information from various\r\nbrowsers, email clients and messengers. The developers offer malware-as-a-service for $59 per month for the\r\nWindows version and $49 for the macOS version.\r\nOn October 23, 2020, Formbook malware was rebranded and is now called XLoader, while possessing the same\r\npayload as before. On July 21, 2021, the community was informed about the new macOS version.\r\nTechnical details\r\nDelivery\r\nAs mentioned before, the backdoor is spread with spam emails as an email attachment. It can be single or multiple\r\nfiles camouflaged as archive files (.iso, .rar), pictures, or text files.\r\nEXE disguised as ISO\r\nAbove you can see the .iso — an optical disc image file that can be opened with any archiver. 
Although the file\r\nicon picture looks like a standard Microsoft Excel file (.xlsx), this file is a 32-bit executable without any digital\r\nsignatures (SHA256:8D20C36D499A614206967F9FFE68885A78AA2E7C718512A31B185BBAA529A4F6).\r\nThe file manifest contains a supported OS ID, which tells that the program is compatible with Windows 7 and\r\nWindows Vista.\r\nhttps://www.acronis.com/en-us/cyber-protection-center/posts/trojan-as-a-service-from-formbook-to-xloader/\r\nPage 1 of 6\n\nThe executable file is an installer, created with the Nullsoft Scriptable Installation System (NSIS). During\r\nexecution, the installer obtains access to the %Temp% folder, where it creates its own folder and drops a DLL there.\r\nIt will use this file for further operations. This whole process is invisible to the victim.\r\nDuring execution, the trojan will write some information to one of the dropped files, whose content is encoded in\r\nUTF-16 LE format. Also, XLoader adds a reference to itself to the Windows registry at\r\nHKLM\\System\\CurrentControlSet\\bam\\State\\UserSettings to enable autostart.\r\nThe full process tree captured with the procdot utility:\r\nEXE disguised as RAR archive\r\nXLoader can also be delivered as a RAR archive, which contains only one file — a 32-bit executable\r\n(SHA256:3E23BF4937349C5F5CF233E30658562FCA94D58790EBBE693E176FB595FB0B34). Looking at the\r\nPE manifest, the supported OSs are Windows 7 and Windows Vista.\r\nAs with the previous file, this one is also an installer, created with NSIS. But in this case, it creates two folders,\r\ndropping two DLLs and two files without any extensions. 
During execution, the malware will also write\r\ninformation in these two files in an ANSI format.\r\nThe full process tree, captured with the procdot utility:\r\nFile name | SHA256 | Description\r\nxvrlmglvtnb.dll | EFE3E128AE092CA256430703134726A18A1E033D17743699FAFDA97116B3AA0F | Trojan-Injector\r\nrove.exe | 3E23BF4937349C5F5CF233E30658562FCA94D58790EBBE693E176FB595FB0B34 | Trojan-Dropper\r\nxijmiin | 63B9DEFD2CC26656AEA4E223ED58280A411DD8FB56AF9F2810ABC27AB0897C43 | data\r\nSystem.dll | DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F | Memory management DLL\r\njml6b7kq4g0oolfd | 2AA973EADA8988FAAEF087616AB1F56697E1453190CBBF3F4A1338D92B6F30A0 | data\r\nDecoy XLSX file that executes VBS\r\nXLoader can also be delivered in a spear-phishing email as an .xlsx file, which is a spreadsheet created in\r\nMicrosoft Excel. The file is password-protected and contains a decoy picture with information stating that “the\r\ndocument is protected” and forces the user to “Enable Editing” to execute a Visual Basic script.\r\nMS Excel starts the Microsoft equation editor (EQNEDT32.exe) as a COM object and uses it to execute\r\n‘C:\\Users\\Public\\vbc.exe’, exploiting the CVE-2017-11882 vulnerability. 
On behalf of the EQNEDT32.exe\r\nprocess, the trojan will establish a connection to the server and retrieve the file (cc200.exe) from the following\r\ndestination:\r\nhxxp://vibexonly.ddns[.]net/taiwan/cc200.exe\r\nSHA256: 146f5b2544e98818cbe9813068d6f08037df0e29a3b83d4d2fce3e1bfc444f2a\r\nOriginal file name: VectorToListAdapter.exe\r\nPayload\r\nOnce executed, the downloaded version of XLoader (cc200.exe) performs the following operations:\r\nChecks supported languages\r\nReads the computer and user names\r\nChecks for the presence of debuggers and sandboxes\r\nObtains system information\r\nDecrypts malicious DLL files from resources and uses them\r\nInjects a PE file into foreign processes\r\nCollects information for stealing\r\nConnects to the C\u0026C server through explorer.exe\r\nThe downloaded file is a 32-bit executable written in Visual Basic. It contains multiple resources, and also a file\r\ndescription which includes a false company name (Parklane Hosiery), file version and the original file name\r\nVectorToListAdapter.exe.\r\nHosiery.ExtendedLinguisticServices contains methods for determining user language and uses InteropTools for\r\nviewing and editing the device registry, certificates, application and device info.\r\nThe WebServices class, located in Hosiery.My.MyProject(), has functions for establishing connections to the\r\ninternet and uses a SOAP HTTP protocol for exchanging messages. The malware uses the system process explorer.exe\r\nto connect to the C\u0026C servers.\r\nDuring execution, XLoader decrypts three more libraries from the image resource, using steganography\r\ntechniques.\r\nOne of the libraries contains a Fedree() method with a function to decrypt the resource inside. Once the resource\r\nis loaded, it passes through the XOR_DEC function with a key. 
After the resource is decrypted, the Unscramble()\r\nfunction uses it to form the final payload.\r\nAfter the decryption routine has finished, the result is passed to the StartInject() function, which proceeds with\r\nthe injection process.\r\nC\u0026C communication\r\nInstead of connecting to C\u0026C servers by itself, XLoader uses one of the system processes, for example\r\nexplorer.exe. XLoader then uses the process injection technique (MITRE ATT\u0026CK ID: T1055.012 - Process Injection:\r\nProcess Hollowing). To do that, it starts the process in suspended mode using CreateProcess(), unmaps the\r\nprocess image with NtUnmapViewOfSection() from ntdll.dll, writes malicious code into the process using\r\nWriteProcessMemory() and resumes the process. After XLoader successfully injects into the process, it deletes its\r\noriginal executable file (rove.exe). The infected process starts execution of malicious code, which includes:\r\nChoosing one of the domains from the list\r\nGenerating fake and real C\u0026C domains\r\nProviding a connection to the server\r\nExchanging messages\r\nObfuscation\r\nXLoader uses WinAPI call obfuscation. Instead of function names, their hash values are used, which makes the\r\nmalicious code more difficult to analyze and detect.\r\nDLL files, which are decrypted during execution from the downloaded .NET file, have heavily obfuscated function\r\nnames and variable values.\r\nNetwork activity\r\nAs mentioned before, XLoader connects to the C\u0026C servers through the altered explorer.exe process. The injected\r\nmalicious code randomly chooses 16 of the 64 domains to search for servers and connects to them. 
During the analysis,\r\nXLoader (cc200.exe) tried to establish a connection to several C\u0026C servers.\r\nDetected by Acronis\r\nXLoader components are successfully detected by Acronis Cyber Protect.\r\nConclusion\r\nXLoader is a botnet that evolved from the Formbook infostealer and promotes malware-as-a-service for Windows\r\nand macOS. This malware spreads via email attachments and its files can have normal-looking extensions with\r\nmalicious code, which will be automatically executed when the victim opens the file. Some files are created with\r\nthe NSIS system and are installers that can drop more files.\r\nAlthough all files have functions to create windows, they do not appear on the user's screen and all processes are\r\ninvisible. Malicious code also has obfuscated WinAPI functions, which makes it harder to analyze. 
The malware\r\ndoesn’t have hardcoded IPs for command-and-control servers and provides a connection to the servers via other\r\nsystem processes.\r\nIoCs\r\nFiles\r\nFile name | SHA256\r\nBERN210819.iso | 1ea2c02f87744c96ef37390bbc851ddffde8cf691356a07810e590056acf7556\r\nBERN210819.exe | 8D20C36D499A614206967F9FFE68885A78AA2E7C718512A31B185BBAA529A4F6\r\nsbsuivaaf4 | 40183F1A4E282A6BC4239EE44DA42D0BB36B882C10B2C10085BA27294D1D0C02\r\nxvrlmglvtnb.dll | EFE3E128AE092CA256430703134726A18A1E033D17743699FAFDA97116B3AA0F\r\nNew P.O From customer.rar | 75b93f2e697b637978a15ebaa52fb3f2f325764b2dfef2f254bfba4caa2064b1\r\nrove.exe | 3E23BF4937349C5F5CF233E30658562FCA94D58790EBBE693E176FB595FB0B34\r\nxijmiin | 63B9DEFD2CC26656AEA4E223ED58280A411DD8FB56AF9F2810ABC27AB0897C43\r\nSystem.dll | DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F\r\njml6b7kq4g0oolfd | 2AA973EADA8988FAAEF087616AB1F56697E1453190CBBF3F4A1338D92B6F30A0\r\nCONTRACT.xlsx | 33ab3e8b6b9e120f172452af47ef4478cac25fac68982451ea0d5a773bae5488\r\ncc200.exe | 146F5B2544E98818CBE9813068D6F08037DF0E29A3B83D4D2FCE3E1BFC444F2A\r\nSource: https://www.acronis.com/en-us/cyber-protection-center/posts/trojan-as-a-service-from-formbook-to-xloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.acronis.com/en-us/cyber-protection-center/posts/trojan-as-a-service-from-formbook-to-xloader/"
	],
	"report_names": [
		"trojan-as-a-service-from-formbook-to-xloader"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439072,
	"ts_updated_at": 1775791369,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67eb9189ece4b10cdd26ab6f0c8e7a4d988f5409.pdf",
		"text": "https://archive.orkl.eu/67eb9189ece4b10cdd26ab6f0c8e7a4d988f5409.txt",
		"img": "https://archive.orkl.eu/67eb9189ece4b10cdd26ab6f0c8e7a4d988f5409.jpg"
	}
}