{
	"id": "057b9e8b-da6a-4ea3-8234-4b1d081ddeb8",
	"created_at": "2026-04-06T00:16:25.273824Z",
	"updated_at": "2026-04-10T13:11:34.615025Z",
	"deleted_at": null,
	"sha1_hash": "a530a303daca74f608ec3f4cb10287daa223fc55",
	"title": "Malware Analysis Spotlight: XLoader’ Cross-platform Support Utilizing XBinder",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 908230,
	"plain_text": "Malware Analysis Spotlight: XLoader’ Cross-platform Support\r\nUtilizing XBinder\r\nBy VMRay Labs\r\nPublished: 2022-01-06 · Archived: 2026-04-05 21:31:40 UTC\r\nXLoader’ Cross-platform Support Utilizing XBinder\r\nFrom the VMRay Labs Team\r\nIntroduction\r\nLately, a rebranded version of the stealer FormBook named XLoader has emerged. In contrast to FormBook,\r\nwhich targets Windows only, XLoader supports macOS as well. During our research, we observed Office\r\ndocuments, which exploit vulnerabilities in MS Office products, and malicious loaders like Smoke Loader or\r\nGuLoader distributing FormBook and XLoader Windows samples.\r\nIn addition to XLoader, the developers published another tool called XBinder written in Java. It combines samples\r\nthat target different operating systems into one single file. Given the executable file format differs between\r\nWindows and macOS, it is most likely the purpose of this tool to ease the platform-independent distribution of\r\nsamples.\r\nIn this Spotlight, we take a closer look at XBinder and XLoader’s behavior. We adopt the perspective of an\r\nattacker and use XBinder to combine two public XLoader samples into one single sample that we are going to\r\nanalyze further.\r\nView the VMRay Analyzer Report for XLoader macOS and XLoader Windows\r\nDistribution with XBinder\r\nAs mentioned before, XBinder is written in Java and combines two samples into one a Java Archive sample.\r\nTherefore, the generated sample is executable on both operating systems as long as the Java Runtime Environment\r\n(JRE) is installed. In case the JRE is missing, the Java Archive can’t be executed. Besides the samples for the\r\noperating systems Windows and macOS, XBinder requests a display file that it shows to the victim at execution\r\n(Figure 1). Attackers can use this display file to remain inconspicuous by, for example, executing benign software\r\nor showing an error message. 
For this Spotlight, we have chosen a simple text file as the display file.\r\nhttps://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-xbinder-xloader/\r\nPage 1 of 6\n\nBy submitting the generated sample to the VMRay Platform and selecting a macOS and a Windows Virtual\r\nMachine, we can observe its behavior and the behavior of both XLoader payloads (see XLoader macOS and\r\nXLoader Windows). We can see that in both analyses, the sample tries to evade a debugger, achieves persistence,\r\nand accesses system data (Figure 2).\r\nFigure 3 shows the process graphs generated by the VMRay Platform for Windows (top) and macOS (bottom) of\r\nthe generated sample. In both analyses, the sample executes the payload and shows the display file using\r\nTextEdit or Notepad.\r\nThe payloads are dropped in the user’s home directory (%USERPROFILE% or $HOME). These dropped files\r\nare the respective XLoader payloads selected above.\r\nFigure 4 shows the main function of the decompiled sample file and its content. Both payloads and the display\r\nfile are encrypted with AES (Advanced Encryption Standard) and stored as three separate resources. Upon\r\nexecution, the sample determines the current operating system, decrypts the display file and the respective payload,\r\nand performs the previously seen behavior.\r\nSo far, we have seen that three different (executable) file types are involved in the analyses. Because XLoader is\r\ncompiled natively, a given payload can only be executed on either Windows or macOS, but not on both. 
To achieve cross-platform support at the sample level, actors can use XBinder and benefit from Java’s cross-platform support.\r\nComparison of XLoader Payloads\r\nUp until now, we have seen how the generated example executes the payloads and how XBinder adds cross-platform support on the sample level. Next, let’s take a look at the behavior of both payloads.\r\nAt first glance, the behavior of the Windows payload is similar to FormBook’s. For example, both abuse the\r\nexplorer process to spawn a new process of a legitimate Windows binary. Next, they inject into this created\r\nprocess, which has explorer as its parent and therefore looks like it was initially started by the user. FormBook and\r\nXLoader Windows steal credentials from browsers including Mozilla Firefox, Opera, and Chrome, and target FTP\r\napplications. In addition, we observe similar anti-analysis behavior, for example debugger detection\r\nand hiding the process.\r\nOn the other hand, the XLoader macOS payload avoids being debugged by calling ptrace with\r\nPT_DENY_ATTACH and seems to target browsers only. Another difference is that XLoader macOS starts a copy\r\nof itself directly without injecting into system-related processes (Figure 3, bottom).\r\nBoth payloads try to persist on the running system, either via a registry key (Windows) or by creating\r\na launch agent (macOS).\r\nAt the binary level, we see that XLoader Windows resolves API functions at runtime, which is\r\nsimilar to FormBook. Another commonality is the usage of so-called encbufs. These encbufs are part of the code\r\nsection and at first sight look like ordinary functions because they have a typical function prologue. However, they\r\nare used to store encrypted data. 
Both of these techniques complicate manual analysis without a sandbox.\r\nMoving on to the network communication, both XLoader and FormBook use a specific byte pattern, also\r\nknown as magic bytes, in their C2 communication, which is built on top of HTTP. These bytes are part of the messages\r\ntransmitted during the communication. While FormBook uses “FBNG”, XLoader uses the magic bytes “XLNG”.\r\nIn addition to the network connection to their C2 servers, both connect to multiple benign URLs at runtime, which\r\ninclude the mission-id of the respective sample. We refer to them in the following as decoy URLs. Figure 6 shows\r\nthe HTTP requests sent to one of the decoy URLs the sample connects to. As highlighted in the figure, the request includes\r\nthe mission-id (“xzes”) despite going to a decoy, while the real C2 elsist[.]online is unreachable. This makes it\r\nchallenging to tell the real C2 server apart from the decoy URLs based on network connection attempts, because the\r\nattempts look alike.\r\nThis behavior makes it hard to separate the real C2 URL from the decoy URLs and complicates the automatic\r\nextraction of IOCs in general.\r\nIn such a case, the VMRay platform’s artifact scoring feature helps analysts distinguish IOCs from mere artifacts. It\r\ncan mark the real C2 URL as an IOC while the decoy URLs remain artifacts. Therefore, the platform can extract\r\nthe real network IOCs more reliably.\r\nConclusion\r\nIn this Spotlight, we discussed XLoader with a focus on its distribution with XBinder. The generated sample\r\ninvolves three different file types. Performing a dynamic analysis of the sample using a sandbox requires that the\r\nsandbox support these file types and the respective operating systems.\r\nFurthermore, FormBook and XLoader use decoy domains to obscure the real C2 connection. 
Through the\r\nVMRay platform’s custom IOC generation, the network IOC extraction of the real C2 URL becomes more reliable.\r\nIOCs\r\nC2 URL – www[.]elsist[.]online/xzes\r\nC2 URL – www[.]iregentos[.]info/09rb\r\nSHA-256 XLoader macOS – 97d6b194da410db82d9974aec984cff8ac0a6ad59ec72b79d4b2a4672b5aa8aa\r\nSHA-256 XLoader Windows – 4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096\r\nSHA-256 XBinder Builder – 693d6f0ac1e3f5e3e5b68c45d2a77bcc9d8976f7b091d5bfa1e719ad8b97fd25\r\nSource: https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-xbinder-xloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-xbinder-xloader/"
	],
	"report_names": [
		"malware-analysis-spotlight-xbinder-xloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434585,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a530a303daca74f608ec3f4cb10287daa223fc55.pdf",
		"text": "https://archive.orkl.eu/a530a303daca74f608ec3f4cb10287daa223fc55.txt",
		"img": "https://archive.orkl.eu/a530a303daca74f608ec3f4cb10287daa223fc55.jpg"
	}
}