Also at https://cstaipas\.pt/encrypt, though this one is #xloader, a fake c2 at: http://www.emberfmeadowzu\.store/jmy3/
#CheckPoint Research demonstrated a new way to use #ChatGPT for #malware analysis directly from the web interface, analyzing #XLoader malware. The workflow using exported IDA data enables static analysis, rapid decryption, IoC extraction, and hidden C2 discovery.
https://research.checkpoint.com/2025/generative-ai-for-reverse-engineering/
🤺 AI vs. XLoader: Guess who’s winning?
#CheckPoint Research used generative AI to tear through #XLoader, one of the most encrypted, evasive malware strains — uncovering its secrets in mere hours.
And here’s the twist: It all happened with #ChatGPT. No heavy tooling. No waiting.
#AI is changing the rules of malware analysis, and the race just shifted in our favor: https://blog.checkpoint.com/research/cracking-xloader-with-ai-how-generative-models-accelerate-malware-analysis
2025-08-11 (Monday): Quick post of an #XLoader ( #Formbook ) infection, with a #pcap, email, and #malware sample available at https://www.malware-traffic-analysis.net/2025/08/11/index.html
First time seeing SellOnEtsy UA for #xloader 🙃
First time I've seen #xloader use @tumblr for traffic noise:
2025-01-30 (Thursday): #XLoader infection
Unlike my previous XLoader infections, this one didn't run in a VM, so I used a physical host.
A #pcap of the infection traffic, the associated malware samples, and more info is available at https://malware-traffic-analysis.net/2025/01/30/index.html
Technical Analysis of Xloader Versions 6 and 7 | Part 1
#Xloader
https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-versions-6-and-7-part-1
An #expiro (believe it or not) dropping #xloader
https://app.any.run/tasks/43f807db-2361-4807-8e05-19831c56b5e4
fake c2 and campaign:
http ://www.sunnyz.store/px6j
@pawel_lukasik These have been #xloader as of late.
#xloader continues to change...never seen a samsung UA before:
fbe048c713eda8c6d74504c440ecba4507760aed537fbba6171a4566b6452455
This report has a link to a real example of how Revolver Rabbit uses an RDGA in Xloader. Tracking their domains is tricky and I suspect the full size is much larger than we have caught. If they invest such huge sums into their infrastructure, they must be making bank. #dns #threatintel #threatintelligence #malware #xloader #infoblox #rdga #cybercrime #cybersecurity #infosec #phishing @InfobloxThreatIntel https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/
We just released a landscape review of Registered DGAs. We review the many ways threat actors are leveraging these algorithms -- including malware, phishing, scams, porn, you name it. Our RDGA detectors find tens of thousands of domains every day, and we've seen the use continue to rise over the last several years. Most folks aren't even aware since actors are doing this in DNS and it often isn't obvious. #dns #threatintel #cybersecurity #cybercrime #infoblox #RDGA #DGA #DDGA #malware #phishing #scams #infoblox #infobloxthreatintel #cybersecurity #threatactor #c2 #revolverrabbit #threatintelligence #cyber #cyberintelligence #xloader #formbook #abusedtld https://insights.infoblox.com/resources-research-report/infoblox-research-report-registered-dgas-the-prolific-new-menace-no-one-is-talking-about
Not sure when it happened, but #xloader / #formbook now appears to rotate through campaign IDs:
https://app.any.run/tasks/4cb7b5ef-5c1d-4565-a370-5d0cf1a5c255
Experts warn of #JinxLoader loader used to spread #Formbook and #XLoader
https://securityaffairs.com/156760/malware/jinxloader-loader.html
#securityaffairs #hacking