{
	"id": "0d8c19ff-9151-4c3c-8d16-b1087aeeb22d",
	"created_at": "2026-04-06T00:19:59.066344Z",
	"updated_at": "2026-04-10T13:13:05.283337Z",
	"deleted_at": null,
	"sha1_hash": "a1c41481b4da76c5779334577e6661cd17f7c0de",
	"title": "Top prevalent malware with a thousand campaigns migrates to macOS - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 118885,
	"plain_text": "Top prevalent malware with a thousand campaigns migrates to macOS - Check Point Research\r\nBy ramanl\r\nPublished: 2021-07-21 · Archived: 2026-04-05 16:21:43 UTC\r\nBy: Alexey Bukhteyev and Raman Ladutska\r\nFrom a simple keylogger to a top prevalent malware\r\nFormbook is currently one of the most prevalent malware families. It has been active for more than 5 years already. Check Point reported in December 2020 that Formbook affected 4% of organizations worldwide and made it to the top 3 list of the most prevalent malware.\r\nAccording to the AnyRun Malware Trends Tracker, Formbook occupies 4th place in the list of the most prevalent malware families in 2020.\r\nFigure 1 – Formbook is in 4th place among the most prevalent malware families of the past 12 months (June 2020 – June 2021) – AnyRun.\r\nFormbook is an info stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to the orders received from Command-and-Control (C\u0026C) servers. The code is written in C with assembly inserts and contains a number of tricks to make it harder for researchers to analyze it.\r\nAs stated by its author, Formbook was intended to be “a simple keylogger.” However, customers immediately saw its potential as a universal tool for use in broad spam campaigns that target organizations all over the world.\r\nhttps://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/\r\nPage 1 of 16\n\nAs this potential became a reality, the author stopped sales of the product without giving detailed explanations about the motives behind this decision.\r\nA short time later, Formbook was reborn as XLoader, and the malware is now available for sale on the underground forum under a different avatar. XLoader opened up several new opportunities, with the ability to operate on macOS being one of the most exciting. 
XLoader’s story is ongoing, and judging by the popularity of the malware, it shows no signs of ending any time soon.\r\nLet’s take a look at how it all began.\r\nFormbook: unintended popularity\r\nA post offering the earliest version of Formbook (what we could call a beta version) for sale appeared on the underground forum on February 13, 2016.\r\nFigure 2 – ng-Coder offering Formbook malware for sale.\r\nAlthough the first sales thread appeared on February 13, 2016, Formbook samples were seen earlier, as evidenced by AnyRun:\r\nFigure 3 – First Formbook sample was seen on January 1, 2016, according to AnyRun.\r\nFormbook’s seller was hidden behind the “ng-Coder” avatar.\r\nNote: we assume ng-Coder is male, though we have no direct evidence, and will refer to the avatar as “he” throughout this article.\r\nProfile\r\n e-mail: ng2Coder@gmail.com\r\n Skype: Ng.Coder\r\n skills:\r\n * strong c\\c++ knowledge\r\n * strong assembly x86\\x64 knowledge\r\nng-Coder joined the underground hack forum on October 27, 2015. According to his own statement on the forum, he was selling exploits at that time. 
We cannot point to ng-Coder’s exact country of origin, but judging by his phrasing, English is likely not his native language.\r\nA day before creating the sales thread we saw above, ng-Coder requested a review of his product from an experienced member of the community.\r\nFigure 4 – Formbook review requested by ng-Coder.\r\nOn May 9, 2016, three months after publishing the first sales thread, Formbook v.0.3 was offered for sale.\r\nFigure 5 – Formbook v.0.3 icon.\r\nFormbook was advertised as a product supporting multiple features:\r\nFigure 6 – Formbook v.0.3 features.\r\nWhat attracted our attention here is a strange description including the phrase “Balloon Executable” and the acronyms MPIE and MEE. These terms, which do not exist in the cyber community, were used by ng-Coder to describe how Formbook operates, i.e., it uses position-independent code (shellcode) to inject the malware into a legitimate system process and initiate the shellcode execution.\r\nOther features listed include network traffic sniffing, keylogging, clipboard monitoring, and password extraction for almost one hundred applications including browsers, messengers, FTP and email clients.\r\nThe sales pitch was a combined model, in which a customer could choose where to host the panel: on a host provided by the seller (thus using a “Malware-as-a-Service” scheme) or on the customer’s own machine (direct acquisition). If the latter was selected, the author also provided the panel source code along with a pre-built binary.\r\nDifferent types of Formbook subscriptions had different prices:\r\nFigure 7 – The Formbook pricing as offered by ng-Coder.\r\nng-Coder offered a number of different source code protectors to support Formbook. 
For example, Net-Protector is a cross-platform crypting service with a price of $100 for a Windows executable and $200 for a macOS one:\r\nFigure 8 – Net-Protector logo.\r\nng-Coder was so confident in his creation that he offered to re-crypt an executable for free if it was detected by any AV in the first 30 days after the encryption:\r\nIf the crypted PE file gets flagged by AV in less than 30 days after the first crypt, we will recrypt the same crypted SHA1 for free.\r\nOther examples of protectors included shared source code of crypting solutions written in .NET and Delphi.\r\nOn October 6, 2017, Formbook sales abruptly stopped. The reason given was its use in spam campaigns:\r\nFigure 9 – ng-Coder indicates that Formbook sales have ceased.\r\nAs we stated at the beginning of this article, the Formbook author didn’t want his creation to be used in email campaigns and banned all customers who did so.\r\nOn May 27, 2018, ng-Coder made his last public post on the forum, where he provided a technical answer to a question not related to Formbook. No further activity from him has been observed since.\r\nAs we will see, although Formbook sales were stopped, its activity continued. Not only could users who bought the malware to be hosted on their own servers continue to use it, but ng-Coder could make use of Formbook as well.\r\nUsed for the author’s own purposes?\r\nWe found evidence that ng-Coder might have his own plans for his creation. We analyzed the domains linked to the ng-Coder email address “ng2coder@gmail[.com” and discovered that these were used in Formbook configurations for particular campaigns labeled “private”, “list” and “zog”. 
We found 16 unique C\u0026C URLs inside the Formbook malware that pointed to 13 different sub-campaigns.\r\n http[://www.unlimitedgiveaways.net/zog/hx/\r\n http[://www.unlimitedgiveaways.net/zog/hx69/\r\n http[://www.unlimitedgiveaways.net/zog/ab/\r\n http[://www.socialbumps.net/zog/ct2/\r\n\r\n http[://www.alienzouks.com/private/\r\n http[://www.adomax1.com/private/\r\n http[://www.ryandeby.com/private/\r\n http[://www.gfather.net/private/\r\n\r\n http[://www.surfpay.website/list/ch/\r\n http[://www.bingo-clicker.site/list/jo/\r\n http[://www.click-bingo.site/list/le/\r\n http[://www.click-bingo.site/list/kv/\r\n http[://www.click-bingo.site/list/mo/\r\n http[://www.jesse-list.info/list/kw/\r\n http[://www.wowtracking.info/list/hx47/\r\n http[://www.wowtracking.info/list/oz/\r\nAll the listed domains share common features. They were all registered through the GoDaddy registrar:\r\nFigure 10 – GoDaddy registrar appears in domains’ details.\r\nAnd they all shared the same details about the person who registered them:\r\nFigure 11 – Details for registering domains as provided by ng-Coder.\r\nAccording to the LocateFamily site, “Amanda George” was living at the address provided at the time of registering the domains. However, we cannot link this person with the ng-Coder avatar.\r\nThe Formbook activity didn’t just stop there. For example, in May 2020 we discovered a Formbook sample dropped by GuLoader. 
It was submitted to VirusTotal in June 2020:\r\nFigure 12 – A Formbook sample dropped in May 2020 by GuLoader.\r\nThe campaign name in this sample was “private” and the main domain was registered by ng-Coder (ryandeby[.com).\r\nXLoader: the time-proved tricks re-applied in a new environment\r\nOn February 6, 2020, a new era began: the era of the Formbook successor called XLoader. On this day, XLoader was advertised for sale in one of the underground groups.\r\nFigure 13 – XLoader as advertised in the underground group.\r\nFormbook and XLoader share the same code base, and there are other connections between them as well, as we will see later.\r\nFigure 14 – The seller confirms that Formbook’s code has contributed a lot to the development of XLoader.\r\nOn October 20, 2020, XLoader was offered for sale on the same forum that was used for selling Formbook.\r\nFigure 15 – XLoader as advertised on the forum.\r\nNote: XLoader malware for PC and Mac should not be confused with XLoader malware for Android, first discovered in 2019.\r\nOne of the most exciting things about the new malware was its ability to operate on macOS. With approximately 200 million users operating macOS in 2018 (as reported by Apple), this is definitely a promising new market for the malware to enter.\r\nFigure 16 – Mac sales by year, taken from https://www.businessofapps.com/data/apple-statistics/\r\nNote: Apple stopped reporting Mac sales in Q4 2018. All subsequent values are estimates.\r\nThe malware now features a more lucrative economic model for the authors as compared to Formbook. 
Customers may only buy the malware for a limited time and are only able to use a server provided by the seller; no panel source code is sold anymore. Thus, a “Malware-as-a-Service” scheme is used. Centralized C\u0026C infrastructure allows the authors to control how the malware is used by the customers.\r\nFigure 17 – xloader announces the decision to stop selling panels and underlines the importance of controlling the customers’ actions.\r\nThe pricing for different options is listed in the table below:\r\nPackage Price\r\nWindows, executable, 1 month $59\r\nWindows, executable, 3 months $129\r\nmacOS, Mach-O, 1 month $49\r\nmacOS, Mach-O, 3 months $99\r\nXLoader’s seller also released a free Java binder which is intended to create a standalone JAR file uniting Mach-O and exe binaries:\r\nFigure 18 – Interface of the XBinder tool.\r\nA new developer?\r\nDid the new seller also take on duties as the developer and maintainer of this version of the original Formbook malware? We believe this is not the case. A new seller is just a seller, not a developer. There must be someone else behind the curtain to handle the technical part.\r\nFigure 19 – XLoader’s seller states that he is an official seller, not a developer of the malware.\r\nWe already saw that ng-Coder wasn’t completely out of the picture, even though he no longer operated publicly. Could he be the one continuing to develop the new malware? 
Apart from technical similarities, we found evidence of a connection between XLoader’s seller and ng-Coder, namely a message from xloader to ng-Coder saying, “Thank you for the help”:\r\nFigure 20 – xloader saying “thank you” to ng-Coder.\r\nWe cannot say for sure whether the thanks were for a one-time helping hand or for continuous support.\r\nAnother piece of evidence that points at ng-Coder’s continued participation is the statement by XLoader’s seller (posted on December 14, 2020) in which he shared his hope that ng-Coder could create a newer cross-platform crypting service:\r\nFigure 21 – xloader sharing the hope about a new crypting service from ng-Coder.\r\nRecap\r\nWe recap the malware activity timeline and its milestones in the diagram below.\r\nFigure 22 – The activity timeline of both malware versions.\r\nRe-sellers\r\nDuring the lifecycle of the Formbook/XLoader malware, a number of impersonators and re-sellers claimed they were the official contacts.\r\nIt began 5 years ago when ng-Coder raised a warning not to send a payment to him or anyone impersonating him for the exploit, as he stopped selling exploits in 2016. Note that there were impersonators even before Formbook was first available for sale.\r\nIn 2021, the situation hasn’t changed much. 
For example, there is a site freely accessible from the Internet which offers XLoader for sale, but for a higher price than the malware is sold for on the Darknet:\r\nFigure 23 – A site on the Internet offering XLoader for sale.\r\nThe biggest difference is in the 3-month package for macOS, which is $40 higher than the Darknet price.\r\nAnother site offers XLoader for $120:\r\nFigure 24 – Another Internet site offering XLoader for sale.\r\nPrevalence: countries and campaigns\r\nDuring the 6 months between December 1, 2020 and June 1, 2021, we saw Formbook/XLoader requests from as many as 69 countries, which is more than a third of the total 195 countries recognized in the world today.\r\nThe breakdown of victims by country is presented in the diagram below:\r\nFigure 25 – Formbook requests by country between December 1, 2020 and June 1, 2021.\r\nVictims from the United States constitute more than half of the victims worldwide.\r\nAs we stated previously, according to AnyRun, Formbook is in 4th place among the most prevalent malware families of the last year and in 6th place for all time. This fact implies that there should be quite a lot of Formbook\\XLoader campaigns in the wild. 
Indeed, we observed more than 1400 different campaigns of the malware during several years of monitoring its activity.\r\nIn the upcoming articles we share the technical details of the malware’s macOS version, which reveal how XLoader operates under the hood and help us to understand how the Formbook\\XLoader family secured its place in malware top prevalence lists.\r\nWe also describe a distinctive feature of the XLoader malware which helps it to fool sandboxes and researchers and keep its real C\u0026C servers hidden. Out of almost 90,000 domains used in network communication by the malware, only 1,300 are the real C\u0026C servers – which constitutes just 1.5% of the total. The other 88,000 domains belong to legitimate sites; however, the malware sends malicious traffic to them as well. This presents security vendors with the dilemma of how to determine which are the real C\u0026C servers without falsely identifying legitimate sites as malicious.\r\nWe also share our methods to correctly analyze XLoader’s communication with the servers and to identify the real C\u0026C – only one out of all the 64 domains present in any chosen sample.\r\nStay tuned!\r\nCheck Point Protections\r\nCheck Point provides zero-day protection across its network, cloud, users and access security solutions. SandBlast provides the best zero-day protection while reducing security overhead.\r\nSandBlast Network Protections:\r\n Trojan.WIN32.Formbook.A\r\n Trojan.WIN32.Formbook.B\r\n Trojan.WIN32.Formbook.C\r\n Trojan.WIN32.Formbook.D\r\n Trojan.WIN32.Formbook.E\r\n Trojan.WIN32.Formbook.F\r\n Trojan.WIN32.Formbook.G\r\n Trojan.WIN32.Formbook.H\r\n Trojan.WIN32.Formbook.I\r\n Trojan.WIN32.Formbook.J\r\n Trojan.WIN32.Formbook.K\r\n Trojan.WIN32.Formbook.L\r\n Trojan.WIN32.Formbook.M\r\n Trojan.WIN32.Formbook.N\r\n Trojan.WIN32.Formbook.O\r\n 
Trojan.WIN32.Formbook.P\r\n Trojan.WIN32.Formbook.Q\r\n Trojan.WIN32.Formbook.R\r\nThreat Emulation protections:\r\n Infostealer.Win32.Formbook.C\r\n Infostealer.Win32.Formbook.D\r\n Infostealer.Win32.Formbook.E\r\n Infostealer.Win32.Formbook.gl.F\r\n Infostealer.Win32.Formbook.TC\r\n Formbook.TC\r\n Infostealer.Win32.XLoader.TC\r\n XLoader.TC\r\n Trojan.Mac.XLoader.B\r\nSources\r\n1. Check Point Press Release December 2020 // https://www.checkpoint.com/press/2021/december-2020s-most-wanted-malware-emotet-returns-as-top-malware-threat/\r\n2. Malware Trends Tracker // https://any.run/malware-trends/\r\n3. Malware Analysis Spotlight: Formbook (September 2020) // https://www.vmray.com/cyber-security-blog/formbook-september-2020-malware-analysis-spotlight/\r\n4. Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea // https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html\r\n5. Formbook Research Hints Large Data Theft Attack Brewing // https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/\r\n6. Selling FormBook // https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/selling-formbook/\r\n7. Cybercrime, new Formbook malspam campaign against hotels // https://www.difesaesicurezza.com/en/defence-and-security/cybercrime-new-formbook-malspam-campaign-against-hotels/\r\n8. VB 2018: Inside Formbook Infostealer // https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/\r\n9. GuLoader? No, CloudEyE // https://research.checkpoint.com/2020/guloader-cloudeye/\r\n10. 
Yes, Cyber Adversaries are still using Formbook in 2021 // https://yoroi.company/research/yes-cyber-adversaries-are-still-using-formbook-in-2021/\r\nSource: https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/"
	],
	"report_names": [
		"top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos"
	],
	"threat_actors": [],
	"ts_created_at": 1775434799,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a1c41481b4da76c5779334577e6661cd17f7c0de.pdf",
		"text": "https://archive.orkl.eu/a1c41481b4da76c5779334577e6661cd17f7c0de.txt",
		"img": "https://archive.orkl.eu/a1c41481b4da76c5779334577e6661cd17f7c0de.jpg"
	}
}