Skip to content
.ca
sign in
4 minhigh

Latest Xloader Obfuscation Code & C2 Protocol | ThreatLabz

Xloader is a highly obfuscated information stealer that evolved from Formbook. Recent versions (8.1+) introduce complex anti-analysis techniques, including out-of-order stack string construction and multi-layered RC4 encryption for its C2 communications, which utilize decoy servers to hide malicious traffic.

Conf:highAnalyzed:2026-03-31reports

Authors: THREATLABZ

ActorsXloaderFormbook
XloaderInfostealerObfuscationC2 ProtocolFormbook

Source:Zscaler ThreatLabz

Key Takeaways

  • Xloader (formerly Formbook) is an active infostealer, with version 8.7 being the latest observed.
  • Version 8.1 introduced advanced code obfuscation, including out-of-order stack parameter construction for function decryption, breaking traditional pattern matching.
  • Network communication utilizes multiple RC4 encryption layers, custom Base64 encoding, and 65 hardcoded C2 IP addresses (using decoys to mask the real C2).
  • Xloader actively checks for inline hooks on the gethostbyname API to evade analysis.
  • The malware supports various C2 commands, including downloading and executing second-stage payloads (EXE, DLL, PowerShell) and self-deletion.

Affected Systems

  • Windows
  • Web browsers
  • Email clients
  • FTP applications

Attack Chain

Xloader infects a Windows host and dynamically decrypts its functions using obfuscated stack parameters to evade detection. It checks for inline hooks on network APIs like gethostbyname before initiating C2 communication. The malware exfiltrates stolen credentials and cookies via multi-layer RC4-encrypted HTTP POST requests. It also polls C2 servers via HTTP GET requests to retrieve commands, which can instruct the host to download and execute secondary payloads (PowerShell, EXE, DLL), clear cookies, or reboot the system.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules (YARA, Sigma, etc.) are provided in the article.

Detection Engineering Assessment

EDR Visibility: Medium — EDR can detect the secondary payload executions (PowerShell, EXE drops) and potentially the API hook checks, but the heavy in-memory obfuscation and decoy network traffic may obscure the primary infection. Network Visibility: Medium — Network traffic is HTTP but heavily encrypted with multiple RC4 layers and custom Base64 alphabets. The use of 65 decoy C2s complicates automated network blocking. Detection Difficulty: Hard — Xloader uses out-of-order stack construction for function decryption, breaking static pattern matching. It also uses decoy C2s and multi-layered RC4 encryption for network traffic.

Required Log Sources

  • Process Creation (Event ID 4688/Sysmon 1)
  • Network Connections (Sysmon 3)
  • DNS Queries (Sysmon 22)

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for HTTP GET or POST requests containing the URI parameters 'dat=', '&un=', and '&br=9' which are indicative of Xloader C2 check-ins.Web Proxy logs, Network Traffic AnalysisCommand and ControlLow
Monitor for processes checking the first byte of the gethostbyname API for 0xE9, 0xEA, or 0xCC, indicating anti-hooking checks.EDR API monitoring / Memory scanningDefense EvasionLow
Hunt for network packets containing the magic header 'XLNG' or the string 'PKT2:' in HTTP payloads.Network Intrusion Detection Systems (NIDS)Command and ControlLow

Control Gaps

  • Static AV pattern matching (defeated by out-of-order stack strings)
  • Automated sandbox C2 extraction (defeated by 65 decoy IPs)

Key Behavioral Indicators

  • HTTP requests with 'XLNG' magic header
  • Base64 encoded data with modified alphabet (+/=>-_.)
  • Presence of 'PKT2:' in network streams

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Implement network signatures for Xloader specific HTTP parameters (dat=, &un=, &br=9) and magic headers (XLNG).

Infrastructure Hardening

  • Deploy SSL/TLS inspection to analyze HTTP traffic for Xloader's custom RC4/Base64 payloads.
  • Restrict outbound HTTP/HTTPS traffic to known good domains where possible.

User Protection

  • Ensure EDR is deployed and configured to monitor for suspicious child processes (e.g., PowerShell or unknown EXEs) spawned by web browsers or email clients.
  • Implement credential guard and restrict local administrative privileges.

Security Awareness

  • Train users to identify phishing emails, which are the primary delivery mechanism for infostealers like Xloader.

MITRE ATT&CK Mapping

  • T1027 - Obfuscated Files or Information
  • T1573.001 - Encrypted Channel: Symmetric Cryptography
  • T1539 - Steal Web Session Cookie
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1562.001 - Impair Defenses: Disable or Modify Tools

Additional IOCs

  • Other:
    • &wn=1 - Parameter query appended when using high-level Windows API functions for network communication.
    • dat= - Parameter used in constructed POST request data for exfiltration.
    • &un= - Parameter used in constructed POST request data for exfiltration.
    • &br=9 - Parameter used in constructed POST request data for exfiltration.
    • RMTD - Command parameter instructing Xloader to download and execute a PowerShell script.
    • RMTU - Command parameter instructing Xloader to download and execute a Windows executable.

Related