{
	"id": "07644971-2be7-4800-a2c0-80b7220391f3",
	"created_at": "2026-04-06T00:19:34.67901Z",
	"updated_at": "2026-04-10T03:21:44.861383Z",
	"deleted_at": null,
	"sha1_hash": "7c2a2c8cb9d48f29aeb0a27a40228f5b80ada390",
	"title": "Detecting XLoader | A macOS ‘Malware-as-a-Service’ Info Stealer and Keylogger",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5381475,
	"plain_text": "Detecting XLoader | A macOS ‘Malware-as-a-Service’ Info Stealer and Keylogger\r\nBy Phil Stokes\r\nPublished: 2021-07-26 · Archived: 2026-04-05 21:15:58 UTC\r\nThreat actors have come to recognize the reality that today’s organizations operate fleets of devices encompassing all the major OS vendors – Apple, Microsoft, Google and many flavors of Linux – and are adapting accordingly. Threats that can be compiled on one platform but produce executables targeting many are a productivity boon to criminals, who now operate in an increasingly competitive environment trying to sell their wares.\r\nThe latest such threat to come to attention is XLoader, a Malware-as-a-Service info stealer and keylogger that researchers say was developed out of the ashes of FormBook. Unlike its Windows-only predecessor, XLoader targets both Windows and macOS. In this post, we take an initial look at the macOS version of XLoader, describe its behavior and show how XLoader can be detected on Apple’s Mac platform.\r\nXLoader for Mac – Java Runtime For the Steal\r\nThe macOS sample we analyzed comes as both a standalone binary and as a compiled .jar file. The .jar file appears to be distributed as an attachment in a phishing lure, such as in this document Statement SKBMT 09818.jar.\r\nhttps://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/\r\nPage 1 of 10\r\nXLoader is likely distributed by mail spam\r\nSuch files require the Java Runtime Environment, and for that reason the malicious .jar file will not execute on a macOS install out of the box, since Apple stopped shipping JRE with Macs over a decade ago.\r\nNonetheless, Java is still a common requirement in enterprise environments and is still in use for some banking applications. As a result, many organizations will have users that either do or must install the Oracle version of Java to meet these needs. 
As a 3rd party plugin, the Oracle JRE is installed at /Library/Internet Plug-Ins/JavaAppletPlugin.plugin. When the malware is executed as a .jar file, the execution chain begins with the OS-provided JavaLauncher at /System/Library/CoreServices/JavaLauncher.app.\r\nXLoader’s execution chain begins with the JavaLauncher\r\nThe JavaLauncher is also populated in the Accessibility pane in System Preferences’ Privacy tab and a dialog is popped requesting the user to grant access for automation. As we shall see below, this is likely leveraged as part of the info stealer’s functionality.\r\nThe JavaLauncher requests access to control other applications\r\nThe com.oracle.JavaInstaller will also populate the ‘Full Disk Access’ table in the same tab. This remains unchecked by default and, at least on our test, no dialog was presented to the user to request permissions.\r\nXLoader Behavior on macOS\r\nOn execution the malware drops a 32×32 pixel Windows image file in the user’s home directory called NVFFY.ico.\r\nA Windows icon file is dropped in the user’s home folder\r\nThe user’s default image viewer – typically the built-in Preview.app – will be launched to display this image. At this point, one could imagine that even the most unsuspecting user opening the ‘Statement SKBMT’ file is going to think that something is amiss.\r\nThe .ico file as presented to the victim\r\nIt’s unclear what the malware authors were thinking here: perhaps the sample is an early development or a test sample. 
Alternatively, this may be a reflection of the hazards of cross-platform malware, where the author’s assumptions on the Windows platform were not fully tested on a macOS device.\r\nIn any case, no interaction is required from the user and the malware continues to drop and execute the rest of its components. This involves dropping and executing a Mach-O file in the user’s Home folder. This file, kIbwf02l, writes a hidden application bundle, also located in the victim’s Home folder, and containing a copy of itself. It then writes and loads a user LaunchAgent with a program argument pointing to the copy in the hidden app bundle. From then on, the kIbwf02l file appears to be redundant but is not cleaned up by the malware.\r\nExample of an XLoader LaunchAgent\r\nThe label for the LaunchAgent and the names of the hidden app and executable are all randomized and vary from execution to execution. The binary is passed the argument start as a launch parameter.\r\nThe hidden application is itself a barebones bundle containing only the Info.plist and the Mach-O executable.\r\nXLoader’s hidden application bundle\r\nA copy of the same executable, sans bundle and with the filename kIbwf02l, is also dropped in the User’s home directory.\r\nAnalysis of the XLoader Mach-O\r\nThe compiled Mach-O executable pointed to by the persistence agent is heavily stripped and obfuscated. As the image below indicates, static analysis using tools like strings will show little, and dynamic analysis is complicated by a number of anti-debugging features.\r\nLeft: the hidden app’s Info.plist. Right: strings and symbols in the executables\r\nFor the purposes of quick triage, we extracted the stack strings from the Mach-O using otool to get an initial idea of the info stealer’s functionality. 
With further processing either manually or with radare2, we can match these strings to particular functions.\r\nStack strings found in XLoader’s macOS version\r\nThe strings here show that XLoader attempts to steal credentials from Chrome and Firefox browsers. We also see an indication that the malware calls the NSWorkspace API to identify the front window via the Accessibility API AXTitleFocusedWindow and leverages NSPasteboard, likely to copy information from the window of the user’s currently active process. Calling Accessibility APIs requires user consent as this functionality is controlled by TCC. As noted above, the JavaLauncher has such permissions.\r\nOther researchers have suggested that XLoader’s internet traffic is laden with decoys to disguise the actual C2 used to transmit data. As we did not observe any credential-stealing traffic in our test, we cannot confirm that suspicion, but XLoader’s internet traffic is certainly ‘noisy’. We observed the malware reaching out to a variety of known phishing and malware sites.\r\nSome of the IP addresses contacted by the XLoader malware\r\nOne of a number of malicious domains XLoader contacts (VirusTotal)\r\nDetecting XLoader Infostealer on macOS\r\nAt the end of this post we provide a number of macOS-specific Indicators of Compromise to help organizations and users in general identify an XLoader infection. SentinelOne customers are protected against this malware automatically, regardless of whether it is executed via the Java Runtime Environment or by the standalone XLoader Mach-O.\r\nIn our test, we set the agent to ‘Detect-only’ policy in order to observe the malware’s behaviour. 
Customers are advised to always use the ‘Protect’ policy, which prevents execution of malware entirely.\r\nIn ‘Detect-only’ mode, the target’s Mac device will immediately alert the user via Notifications:\r\nSecurity teams and IT administrators, meanwhile, would see something similar to the following in the Management console.\r\nAfter remediation, the UI (version 21.7EA) on the device indicates that the threat has been successfully killed and quarantined.\r\nConclusion\r\nXLoader is an interesting and somewhat unusual example in the macOS malware world. Its dependency on Java and its functionality suggest it is primarily targeting organizations where the threat actors expect Java applications to be in use. Among other things, that includes certain online banking applications, and the attractiveness from a criminal’s perspective of a keylogger and info stealer in that environment can certainly be understood. It is also worth noting that the malware’s minimum system requirement is 10.6 Snow Leopard (over 10 years old), so the authors are certainly casting their net wide. On the other hand, the implementation on macOS is clumsy at best and is likely to raise suspicions. 
No doubt the malware authors will be looking to improve on this in future iterations.\r\nIndicators of Compromise\r\nSHA1 Hashes\r\nXLoader Mach-O Executable: kIbwf02l\r\n7edead477048b47d2ac3abdc4baef12579c3c348\r\nSuspected Phishing lure attachment: Statement SKBMT 09818.jar\r\nb8c0167341d3639eb1ed2636a56c272dc66546fa\r\nExample Persistence LaunchAgent: com.j85H64iPLnW.rXxHYP\r\ncb3e7ac4e2e83335421f8bbc0cf953cb820e2e27\r\nContacted IPs\r\nInteresting Strings\r\n.appMacOSContentsInfo.plist\r\n.exe.dll\r\n/logins.json\r\n10.:1.1OS X XLNG:\r\n200 OK\r\n80987dat=\u0026=\u0026un=\u0026br=\u0026os=1\r\nDB1ChromeURL:\r\nguidURL: Firefox\r\nNSStringstringWithCString:encoding:\r\nopen\r\npasstokenemailloginsigninaccountHost: \u0026GETPUTPOSTOPTIONSGET\r\nr%s \u003c\u003c\u003c 2\u003e/dev/null\r\nRecovery\r\nrm -rf\r\nrm unzip nss3.zip -d\r\nsaltysalt\r\nUTF8StringNSPasteboardstringForType:generalPasteboardpublic.utf8-plain-text\r\nUTF8StringNSWorkspacesharedWorkspaceprocessIdentifierfrontmostApplicationAXTitleAXFocusedWindow\r\nSource: https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/"
	],
	"report_names": [
		"detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger"
	],
	"threat_actors": [],
	"ts_created_at": 1775434774,
	"ts_updated_at": 1775791304,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c2a2c8cb9d48f29aeb0a27a40228f5b80ada390.pdf",
		"text": "https://archive.orkl.eu/7c2a2c8cb9d48f29aeb0a27a40228f5b80ada390.txt",
		"img": "https://archive.orkl.eu/7c2a2c8cb9d48f29aeb0a27a40228f5b80ada390.jpg"
	}
}