{
	"id": "2326cc20-6837-423d-b546-fca1a6081f55",
	"created_at": "2026-04-06T00:12:47.363273Z",
	"updated_at": "2026-04-10T03:26:37.641605Z",
	"deleted_at": null,
	"sha1_hash": "efea60fe79b46c44ce8183b9bf26540c4576df5a",
	"title": "Analysis \u0026 Comparison of X-FILES Stealer Evolution | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2165436,
	"plain_text": "Analysis \u0026 Comparison of X-FILES Stealer Evolution | Zscaler\r\nBy Stuti Chaturvedi\r\nPublished: 2022-08-04 · Archived: 2026-04-05 17:11:57 UTC\r\nIntroduction\r\nZscaler’s ThreatLabz threat research team recently spotted a new variant of the emerging X-FILES infostealer with enhanced features for exfiltrating sensitive information. X-FILES is a stealer that aims to steal sensitive information, including logins and financial data.\r\nThis blog walks through the differences between the variants of X-FILES that we have observed so far, including differences in features, attack chains, and command-and-control (C2) patterns. Following our in-depth analysis, we include a tabular feature comparison.\r\nInteresting Facts\r\n1. X-FILES stealer was first observed in March 2021 by 3xp0rt. A second variant was observed in December 2021, again by 3xp0rt.\r\n2. In June 2022, ThreatLabz discovered a revised version of the stealer.\r\n3. We have observed that the malware is mostly coming from phishing domains hosted on Russian IPs. Even the C2 panel (xfilesreborn[.]ru) for the latest variant is hosted on a Russian IP (46[.]8[.]153[.]137).\r\n4. Recently, threat actors have been seen exploiting the Follina vulnerability to deliver X-FILES stealer.\r\n5. Like other infostealers, X-FILES aims to steal and exfiltrate sensitive information such as saved browser credentials, crypto wallets, FTP credentials, and credit card information.\r\n6. All the variants that we have come across are written in the C# programming language, with new features added over time by the threat actors.\r\n7. With the latest variant, the threat actors have switched to hiding interesting strings in base64 format rather than keeping them in plain text. Changes in C2 patterns are also observed.\r\nWebsite Analysis\r\nOur investigation has revealed a number of phishing websites that have been created and used by threat actors to distribute X-FILES stealer, some of which are still active.\r\nIn Scenario 1, the threat actors have distributed malware by pretending to be legitimate VPN software and Nitro Generator software, respectively. The files downloaded from the phishing websites are the X-FILES stealer.\r\nhttps://www.zscaler.com/blogs/security-research/x-files-stealer-evolution-analysis-and-comparison-study\r\nPage 1 of 15\r\nFigure 1: Phishing websites 1 and 2\r\nIn Scenario 2, the main payload was downloaded by another malicious file hosted on a phishing website, a Russian domain associated with multiple malware families. As the domain is currently down, the following screenshot was taken from VirusTotal to show the relationship graph of the malicious domain.\r\nFigure 2: Graphical representation of the malicious domain\r\nAttack Chain\r\nFrom the above scenarios, we have deduced the layout of the attack chain, illustrated in Figure 3.\r\nFigure 3: X-FILES attack chain\r\nTechnical Analysis\r\nIn this section, we lay out the differences and additional features that we have seen among the variants of the stealer, the obfuscation of interesting strings, and the C2 pattern of the latest variant.\r\nNote: For the purpose of studying differences in features, the following MD5s were analyzed:\r\n1. Latest Variant: 123fd0237ca90f8a606009461fe2bb76 (June, 2022)\r\n2. Second Variant: 1ed070e0d33db9f159a576e6430c273c (Dec, 2021)\r\n3. Oldest Variant: 1b85d1786c4dde6ca1ee03a95e19531e (March, 2021)\r\nSystem Information\r\nAlong with the IP, country, region, city, operating system and screen resolution (all of which were collected by previous variants), the latest variant collects additional information about the Windows activation key, graphics cards, memory, processor, and antivirus products installed on the victim’s machine.\r\nFigure 4: Code comparison\r\nThe PC info is collected in the following manner by the latest variant:\r\nFigure 5: System Information collected by the latest variant\r\nWallet Information\r\nAs in the second variant (but not the first), the latest variant collects information about wallets and crypto wallet extensions. What is unique about this variant is that, unlike the second variant, in which the file paths were embedded in the code, the list of targeted files is first downloaded from the C2 panel and only then is the information collected.\r\n#Latest Variant\r\nFigure 6: Paths of wallets and crypto-wallet extensions from the C2 server\r\n#Second Variant\r\nFigure 7: Paths of wallets and crypto-wallet extensions embedded in the code\r\nBrowser Information\r\nLike the earlier variants, the latest variant is capable of stealing saved browser information. The interesting point is that in the latest variant the targeted files are located by crawling the targeted directories. After obtaining the list of matched patterns and file paths, the same list is used for further stealing activities. It is worth noting that the paths are hard-coded in the second and the oldest variant.\r\n# Latest variant\r\nFigure 8: Latest variant code\r\n#Second \u0026 Oldest variant\r\nFigure 9: Older variants code\r\nFTP Information\r\nBoth the latest and the second variant are capable of collecting FTP-related information, which was not present in the oldest version. It is noteworthy that the second variant steals only FileZilla-related information, whereas the latest variant is also capable of stealing WinSCP information, as shown in the snapshot below. Moreover, the latest variant uses XmlReader to read the values, whereas the second variant uses regular expressions to extract the targeted information.\r\n#Filezilla [Latest variant]\r\nFigure 10: Filezilla Information stealing code in latest variant\r\n#WinScp [Latest variant]\r\nFigure 11: WinScp Information stealing code in latest variant\r\n# Second variant\r\nFigure 12: Filezilla Information stealing code in older variant\r\nStrings Before and After Decryption\r\nTo hide its strings from static analysis, the latest variant now uses base64-encoded strings (refer to the snapshot below), whereas in earlier versions the strings were in plain text.\r\nFigure 13: Base64 encoded and decoded strings.\r\nC2 Communications\r\nAfter performing its stealing activities, the malware exfiltrates the data in JSON format to its embedded C2 server.\r\nNote: Attackers nowadays prefer JSON as a data exchange mechanism because it can be used with any programming language and is easy to handle. Also, as it is a lightweight and structured notation, the data is relatively easy to serialize and deserialize.\r\nFigure 14: JSON data exfiltration - latest variant\r\nThe description of the C2 pattern of the latest variant is as follows:\r\nParameter | Description\r\ncookies_x | Number of cookies collected\r\ncountry_x | Country code\r\ncredit_x | Number of credit card records retrieved\r\nice_o_lator_hash | MD5 hash value of the zip file\r\nip_x | IP information\r\npasswords_x | Number of passwords retrieved\r\npostal_x | Postal code\r\ntag_x | Attacker’s hardcoded predefined value\r\nuser_id | Attacker’s hardcoded predefined value\r\nwallets_x | Names of wallets for which information is collected\r\nx_type | Type of coverage, i.e. full or partial\r\nzipx | Base64-encoded ZIP file consisting of the files created by the stealer\r\nIn the second variant, a POST request is also made with similar parameters, but not in JSON format.\r\nFigure 15: Data exfiltration - second variant\r\nIn the oldest variant, the C2 pattern was simple and in readable format, as shown below:\r\nFigure 16: Data exfiltration - earliest variant\r\nFeatures Comparison\r\nTarget Information | Latest Variant [June, 2022] | Second Variant [Dec, 2021] | Oldest Variant [March, 2021]\r\nSystem Information | Yes* | Yes | Yes\r\nBrowser Information | Yes* | Yes* | Yes\r\nWallets Information | Yes | Yes | No\r\nTelegram Information | Yes | Yes | No\r\nFTP Information | Yes* | Yes | No\r\nFiles Collection | Yes | Yes | Yes\r\nSteam Information | Yes | Yes | No\r\nDiscord Tokens | Yes | Yes | No\r\nScreenShot | Yes | Yes | Yes\r\nNote: \"*\" implies additional features have been added\r\nConclusion\r\nIt seems that the threat actors behind the X-FILES stealer campaign are continuously making changes or enhancements to the code and delivery mechanisms in order to steal a wider variety of sensitive user and system information. In the future, we anticipate additional variants that continue this trend. Zscaler’s ThreatLabz team is continuously monitoring the campaign and will publish any new findings.\r\nMITRE ATT\u0026CK AND TTP Mapping\r\nID | Technique\r\nT1189 | Drive-by Compromise\r\nT1140 | Deobfuscate/Decode Files or Information\r\nT1082 | System Information Discovery\r\nT1083 | File and Directory Discovery\r\nT1005 | Data from Local System\r\nT1047 | Windows Management Instrumentation\r\nT1003 | OS Credential Dumping\r\nT1018 | Remote System Discovery\r\nT1552.002 | Credentials in Registry\r\nT1518.001 | Security Software Discovery\r\nZscaler Sandbox Coverage:\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects payloads with the following threat name:\r\nWin32.PWS.X-Files\r\n***Appendix 1 - C2 Panel\r\n***Appendix 2 - IOCs\r\n[+] Network indicators\r\nohvwowohv[.]ru\r\nXfilesreborn[.]ru\r\ninsidervpn[.]com\r\nimportadoracandy[.]com\r\nxsph[.]ru\r\n[+] MD5s\r\n123fd0237ca90f8a606009461fe2bb76\r\n1ed070e0d33db9f159a576e6430c273c\r\n1b85d1786c4dde6ca1ee03a95e19531e\r\n53ea3df8e2e5749eccd4334b8666da4d\r\n908665f3d7fd15ac69eb2ac320a5338a\r\n707e79d19e602986960fc3717c89d5c4\r\n[+] Filenames\r\nclient.exe\r\nReadLineS0SAT.exe\r\nSvc_host.exe\r\nConsoleA.exe\r\nSource: https://www.zscaler.com/blogs/security-research/x-files-stealer-evolution-analysis-and-comparison-study",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/x-files-stealer-evolution-analysis-and-comparison-study"
	],
	"report_names": [
		"x-files-stealer-evolution-analysis-and-comparison-study"
	],
	"threat_actors": [
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434367,
	"ts_updated_at": 1775791597,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efea60fe79b46c44ce8183b9bf26540c4576df5a.pdf",
		"text": "https://archive.orkl.eu/efea60fe79b46c44ce8183b9bf26540c4576df5a.txt",
		"img": "https://archive.orkl.eu/efea60fe79b46c44ce8183b9bf26540c4576df5a.jpg"
	}
}