S1207: XLoader
Analyst context for executives and security teams
XLoader is a Windows infostealer, also known historically as Formbook, described by ATT&CK as Malware-as-a-Service in use since at least 2016. Its business significance is credential and session exposure: ATT&CK links it to stealing from browsers, email clients, FTP applications, password stores, web session cookies, keylogging, clipboard collection, and screen capture. For leaders, this is less about one malware name and more about whether the organization can quickly prove which identities, browser sessions, and application credentials may be exposed after a Windows endpoint compromise.
Executive priority
Prioritize XLoader-relevant readiness where endpoint compromise could become identity, SaaS, email, or FTP compromise. Executives should ask whether SOC and IR teams can rapidly answer: which user was affected, what credentials or cookies were accessible, whether persistence was created through scheduled tasks or Run keys, whether outbound web-protocol command-and-control occurred, and what password/session reset actions are required. Because ATT&CK provides no official detection guidance for this object, coverage should be validated through telemetry and response playbooks rather than assumed from malware naming alone.
Technical view
ATT&CK lists XLoader on Windows and relates it to obfuscation, packing, encrypted or encoded files, deobfuscation, sandbox evasion, discovery, persistence via Scheduled Task and Registry Run Keys/Startup Folder, process injection via APC injection and Process Hollowing, execution through Native API and AutoHotKey/AutoIT, collection through keylogging, clipboard data, screen capture, browser session hijacking, credential theft from password stores and web browsers, web session cookie theft, web-protocol C2, file deletion, exploitation for client execution, and system shutdown/reboot. SOC and IR teams should validate behavior-based detection and triage around these relationships, especially where endpoint, identity, browser, and network evidence can be correlated to a single Windows user session.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, including scripting and automation activity such as AutoHotKey or AutoIT where present
- Windows scheduled task creation or modification events
- Registry Run key and Startup Folder modification events
- Endpoint memory/process telemetry capable of surfacing process injection patterns such as APC injection or process hollowing
- File creation, deletion, packing/obfuscation indicators, and encoded or encrypted payload artifacts
Detection direction
- Do not depend only on static signatures; ATT&CK relationships include packing, encoded/encrypted files, deobfuscation, and sandbox evasion, which can reduce simple file-based confidence.
- Correlate persistence signals, especially Scheduled Task and Registry Run Key or Startup Folder changes, with unusual parent processes, newly written binaries, or user-context execution.
- Tune for process injection behavior on Windows, including suspicious suspended-process creation, memory manipulation, and execution in another process context, while accounting for legitimate security and administration tools that may produce similar low-level signals.
- Treat browser credential store access, web session cookie access, keylogging, clipboard capture, and screen capture as high-value collection behaviors when they occur outside normal application patterns.
- Review outbound web-protocol traffic from suspicious processes rather than only from browsers, because the related command-and-control behavior uses web protocols that can blend into normal traffic.
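The correlation the bullets above call for, as an added example rather than code from ATT&CK, Glexia or any vendor: a small Python triage routine that runs four behavior rules over constructed Sysmon-style event records for one Windows user session and scores Run key persistence, `schtasks /create` from a user-writable parent, injection-style process access against `explorer.exe` or a `SysWOW64` image, and web-protocol traffic from a process the same session earlier opened for injection. The event field names, sample paths, rule weights, and the path and browser lists are assumptions to tune locally.

```python
"""Score one Windows user session for XLoader-style behavior from endpoint telemetry.

Added example; not code from ATT&CK, Glexia or any vendor. The records below are
constructed to resemble normalized Sysmon-style events; field names, sample
paths, rule weights and the path/browser lists are assumptions to tune locally.
"""
from dataclasses import dataclass, field

USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\",
            "\\currentversion\\policies\\explorer\\run\\")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
PROCESS_CREATE_THREAD, PROCESS_VM_WRITE = 0x0002, 0x0020  # Win32 process access rights

STAGER = r"C:\Users\jdoe\AppData\Roaming\Adobe\update.exe"  # constructed, not a real IOC
HOLLOWED = r"C:\Windows\SysWOW64\netsh.exe"                 # constructed injection target
SAMPLE_EVENTS = [  # constructed, chronological, one host/user session
    {"type": "process_create", "host": "WS01", "user": "jdoe", "image": STAGER,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": STAGER},
    {"type": "registry_set", "host": "WS01", "user": "jdoe", "image": STAGER,
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Adobe",
     "data": STAGER},
    {"type": "process_create", "host": "WS01", "user": "jdoe", "parent_image": STAGER,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": f'schtasks.exe /create /sc minute /mo 5 /tn Adobe /tr "{STAGER}"'},
    {"type": "process_access", "host": "WS01", "user": "jdoe", "image": STAGER,
     "target_image": HOLLOWED, "granted_access": 0x1FFFFF},
    {"type": "network_connect", "host": "WS01", "user": "jdoe", "image": HOLLOWED,
     "dest": "198.51.100.23", "dest_port": 80},
    {"type": "network_connect", "host": "WS01", "user": "jdoe",  # benign browser noise
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "203.0.113.5", "dest_port": 443},
]

def _user_writable(path): return any(m in path.lower() for m in USER_WRITABLE)
def _basename(path): return path.lower().rsplit("\\", 1)[-1]
def _system_target(path):
    return path.lower().startswith("c:\\windows\\syswow64\\") or _basename(path) == "explorer.exe"

# Each rule returns (technique, weight, evidence) or None.
def rule_run_key(ev):
    if ev["type"] != "registry_set" or not any(k in ev["key"].lower() for k in RUN_KEYS):
        return None
    if not _user_writable(ev["data"]):
        return None
    return ("T1547.001 Run key points to user-writable path", 3, ev["data"])

def rule_schtasks(ev):
    if ev["type"] != "process_create" or _basename(ev["image"]) != "schtasks.exe":
        return None
    if "/create" not in ev["cmdline"].lower() or not _user_writable(ev["parent_image"]):
        return None
    return ("T1053.005 schtasks /create from user-writable parent", 3, ev["parent_image"])

def rule_process_access(ev):
    if ev["type"] != "process_access" or not _user_writable(ev["image"]):
        return None
    if not _system_target(ev["target_image"]):
        return None
    if not ev["granted_access"] & (PROCESS_CREATE_THREAD | PROCESS_VM_WRITE):
        return None  # read-only handle, not an injection primitive
    return ("T1055 write/thread access to explorer.exe or SysWOW64 image", 2, ev["target_image"])

def rule_web_c2(ev, injected):
    if ev["type"] != "network_connect" or ev["dest_port"] not in (80, 443):
        return None
    img = ev["image"]
    if _basename(img) in BROWSERS:
        return None
    evidence = f"{img} -> {ev['dest']}:{ev['dest_port']}"
    if img.lower() in injected:  # process this session opened for injection earlier
        return ("T1071.001 web traffic from injected process", 2, evidence)
    if _user_writable(img):
        return ("T1071.001 web traffic from user-writable image", 1, evidence)
    return None

@dataclass
class Session:
    host: str
    user: str
    score: int = 0
    hits: list = field(default_factory=list)

def correlate(events):
    """Group rule hits per (host, user); later rules may use earlier evidence."""
    sessions, injected = {}, set()
    for ev in events:
        sess = sessions.setdefault((ev["host"], ev["user"]), Session(ev["host"], ev["user"]))
        hits = [r(ev) for r in (rule_run_key, rule_schtasks, rule_process_access)]
        if hits[2]:
            injected.add(ev["target_image"].lower())
        hits.append(rule_web_c2(ev, injected))
        for hit in filter(None, hits):
            sess.hits.append(hit)
            sess.score += hit[1]
    return sessions

def triage(events, threshold=5):
    """Sessions whose combined persistence, injection and C2 evidence reaches the threshold."""
    return [s for s in correlate(events).values() if s.score >= threshold]

if __name__ == "__main__":
    for s in triage(SAMPLE_EVENTS):
        print(f"{s.host}/{s.user} score={s.score}")
        for technique, weight, evidence in s.hits:
            print(f"  [{weight}] {technique}: {evidence}")
```

Run it as a script to print the scored session. The point is the cross-signal correlation: a `SysWOW64` binary talking HTTP is noise on its own, but becomes evidence once the same session shows a user-writable binary opening that image with write or thread-create access. In production, replace the constructed list with a normalized EDR feed and tune `USER_WRITABLE` and the weights against legitimate updaters and administration tooling, which emit similar low-level signals.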
Mitigation priorities
- Prioritize endpoint hardening and monitoring on Windows systems that handle email, browser-based business applications, FTP workflows, or stored credentials.
- Reduce credential exposure by limiting saved browser passwords where policy allows, strengthening credential management, and ensuring rapid password and session invalidation procedures are available after suspected infostealer activity.
- Harden persistence paths by monitoring and controlling Scheduled Tasks, Registry Run keys, and Startup Folder execution, with change review for unusual user-context autoruns.
- Maintain client application patching discipline because ATT&CK relates XLoader to exploitation for client execution; vulnerability management should focus on software exposed to user-delivered content.
- Ensure EDR or equivalent endpoint controls can capture process, registry, file, memory, and network context needed for behavior-based triage, especially for obfuscation and injection-related activity.
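For the persistence review the bullets above describe, an added example (not Glexia or ATT&CK code): a Python routine that parses a scheduled task exported as XML and a `reg export` of a Run key, extracts the executable each autorun launches, drops anything already in a known-good baseline, and flags entries that resolve into user-writable locations such as `%APPDATA%`. The task XML, the registry export, the baseline and the user-writable markers are constructed samples and assumptions.

```python
"""Triage Windows autorun artifacts (scheduled task XML and a Run key export)
against a known-good baseline.

Added example; not code from ATT&CK, Glexia or any vendor. The task XML, the
registry export and the baseline are constructed samples; the user-writable
markers are an assumption to tune per environment.
"""
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "\\appdata\\",
                 "\\users\\public\\", "\\programdata\\", "\\temp\\")

# Constructed task definition in the shape `schtasks /query /xml /tn <name>` prints
# (XML declaration omitted so the literal parses directly as a str).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Adobe</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\jdoe\AppData\Roaming\Adobe\update.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed `reg export` of a per-user Run key (REG_SZ data is quoted, with \\ and \" escapes).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Adobe"="C:\\Users\\jdoe\\AppData\\Roaming\\Adobe\\update.exe"
"VendorAgent"="\"C:\\Program Files\\Vendor\\agent.exe\" -svc"
'''

# Constructed baseline: full paths of autoruns known from a golden image.
BASELINE_PATHS = [r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe"]


def parse_task_xml(xml_text):
    """Yield (task URI, command line) for every Exec action in a task definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=TASK_NS)
    for action in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = action.findtext("t:Command", default="", namespaces=TASK_NS)
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        yield uri, f"{cmd} {args}".strip()


def _reg_unescape(s):
    """Undo reg export escaping: \\ becomes \ and \" becomes a plain quote."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def parse_reg_export(text):
    """Yield (value name, command line) from "name"="data" lines of a reg export."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith('"') or '"="' not in line:
            continue
        name, _, data = line[1:].partition('"="')
        data = data[:-1] if data.endswith('"') else data
        yield name, _reg_unescape(data)


def command_path(command):
    """Executable path from a command line: the quoted token, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_autoruns(task_xmls, reg_export, baseline):
    """Autoruns not in the baseline, flagged when they resolve to a user-writable location."""
    known = {p.lower() for p in baseline}
    entries = [("scheduled_task", n, c) for x in task_xmls for n, c in parse_task_xml(x)]
    entries += [("run_key", n, c) for n, c in parse_reg_export(reg_export)]
    findings = []
    for source, name, command in entries:
        path = command_path(command)
        if path.lower() in known:
            continue
        findings.append({"source": source, "name": name, "path": path,
                         "user_writable": any(m in path.lower() for m in USER_WRITABLE)})
    return findings


if __name__ == "__main__":
    for f in triage_autoruns([SAMPLE_TASK_XML], SAMPLE_REG_EXPORT, BASELINE_PATHS):
        flag = "HIGH user-writable" if f["user_writable"] else "review"
        print(f'{flag:18} {f["source"]:14} {f["name"]:12} {f["path"]}')
```

The baseline here is a list of full paths; a real one should normalize per-user profile paths and prefer hash or Authenticode signature comparison, since an attacker can reuse a legitimate-looking name. Entries outside user-writable directories (the Program Files one above) still surface because they are absent from the baseline; they are lower priority but match the `%PROGRAMFILES%` copy behavior ATT&CK records for this software.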
Analyst notes and limits
The supplied ATT&CK object identifies XLoader as a Windows infostealer and Malware-as-a-Service, previously known as Formbook, with relationships to numerous ATT&CK techniques. The strongest defensive value is using those relationships to test whether endpoint, network, browser, and identity teams can jointly scope credential and session theft from a Windows host. The object itself has tactics listed as not specified, so tactic framing here is derived from the related techniques rather than the malware object’s tactic field.
ATT&CK provides no official detection text for S1207 in the supplied fields. The relationship list supports likely behavior areas but does not prove every observed sample or incident will use every technique. Local telemetry, software inventory, identity architecture, browser policy, and incident evidence are required to determine actual exposure and response actions.
XLoader
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1113 | Screen Capture | XLoader can capture screenshots on compromised hosts. (Citation: Google XLoader 2017)(Citation: Netskope XLoader 2022) |
| Enterprise | T1555 | Credentials from Password Stores | XLoader can collect credentials stored in email clients. (Citation: Google XLoader 2017)(Citation: Netskope XLoader 2022) |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | XLoader uses process hollowing by injecting itself into the `explorer.exe` process and other files within the Windows `SysWOW64` directory. (Citation: Zscaler XLoader 2025)(Citation: Google XLoader 2017)(Citation: ANY.RUN XLoader 2023) |
| Enterprise | T1685 | Disable or Modify Tools | |
| Enterprise | T1539 | Steal Web Session Cookie | XLoader can capture web session cookies and session information from victim browsers. (Citation: Google XLoader 2017) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | XLoader features encrypted functions using the RC4 algorithm and bytecode operations. (Citation: Zscaler XLoader 2025)(Citation: ANY.RUN XLoader 2023) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | XLoader can create scheduled tasks for persistence. (Citation: Netskope XLoader 2022) |
| Enterprise | T1059.010 | AutoHotKey & AutoIT Sub-technique | XLoader can use an AutoIT script to decrypt a payload file, load it into victim memory, then execute it on the victim machine. (Citation: Google XLoader 2017) |
| Enterprise | T1056.001 | Keylogging Sub-technique | XLoader can capture keystrokes from the victim machine. (Citation: Google XLoader 2017) |
| Enterprise | T1070.004 | File Deletion Sub-technique | XLoader can delete malicious executables from compromised machines. (Citation: Acronis XLoader 2021) |
| Enterprise | T1203 | Exploitation for Client Execution | XLoader has exploited Office vulnerabilities during local execution such as CVE-2017-11882 and CVE-2018-0798. (Citation: Netskope XLoader 2022) |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | XLoader can utilize decoy command and control domains within the malware configuration to circumvent sandbox analysis. (Citation: ANY.RUN XLoader 2023)(Citation: CheckPoint XLoader 2022) |
| Enterprise | T1115 | Clipboard Data | XLoader can collect data stored in the victim's clipboard. (Citation: Google XLoader 2017)(Citation: Netskope XLoader 2022) |
| Enterprise | T1106 | Native API | XLoader uses the native Windows API for functionality, including defense evasion. (Citation: Zscaler XLoader 2025) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | XLoader can gather credentials from several web browsers. (Citation: Zscaler XLoader 2025)(Citation: Google XLoader 2017)(Citation: Netskope XLoader 2022) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | XLoader has been delivered as a phishing attachment, including PDFs with embedded links, Word and Excel files, and various archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads. (Citation: Google XLoader 2017)(Citation: Acronis XLoader 2021) |
| Enterprise | T1185 | Browser Session Hijacking | XLoader can conduct form grabbing, steal cookies, and extract data from HTTP sessions. (Citation: Google XLoader 2017) |
| Enterprise | T1529 | System Shutdown/Reboot | XLoader can initiate a system reboot or shutdown. (Citation: Google XLoader 2017) |
| Enterprise | T1622 | Debugger Evasion | XLoader uses anti-debugging mechanisms such as calling `NtQueryInformationProcess` with `InfoClass=7`, referencing `ProcessDebugPort`, to determine if it is being analyzed. (Citation: Google XLoader 2017) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1497.001 | System Checks Sub-technique | XLoader performs timing checks using the Read Time-Stamp Counter (RDTSC) instruction on the victim CPU. (Citation: Google XLoader 2017) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | XLoader uses HTTP and HTTPS for command and control communication. (Citation: Google XLoader 2017) |
| Enterprise | T1055.004 | Asynchronous Procedure Call Sub-technique | XLoader injects code into the APC queue using the `NtQueueApcThread` API. (Citation: Zscaler XLoader 2025) |
| Enterprise | T1033 | System Owner/User Discovery | XLoader can identify the username from a victim machine. (Citation: Acronis XLoader 2021) |
| Enterprise | T1082 | System Information Discovery | XLoader can collect system information and supported language information from the victim machine. (Citation: Acronis XLoader 2021) |
| Enterprise | T1583.001 | Domains Sub-technique | XLoader can utilize hardcoded command and control domain configurations created by the XLoader authors. These are designed to mimic domain registrars and hosting service providers such as Hostinger and Namecheap. (Citation: CheckPoint XLoader 2022) |
| Enterprise | T1027.002 | Software Packing Sub-technique | XLoader uses various packers, including CyaX, to obfuscate malicious executables. (Citation: Netskope XLoader 2022) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | XLoader establishes persistence by copying its executable in a subdirectory of `%APPDATA%` or `%PROGRAMFILES%`, and then modifies Windows Registry Run keys or policies keys to execute the executable on system start. (Citation: Zscaler XLoader 2025)(Citation: Google XLoader 2017) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ca66366f0ecd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Zscaler XLoader 2025: Zscaler Threatlabz. (2025, January 27). Technical Analysis of Xloader Versions 6 and 7 | Part 1. Retrieved March 11, 2025.
- [2] ANY.RUN XLoader 2023: ANY.RUN. (2023, February 28). XLoader/FormBook: Encryption Analysis and Malware Decryption. Retrieved March 11, 2025.
- [3] CheckPoint XLoader 2022: Alexey Bukhteyev & Raman Ladutska, Check Point Research. (2022, May 31). XLoader Botnet: Find Me If You Can. Retrieved March 11, 2025.
- [4] Acronis XLoader 2021: Acronis. (2021, November 26). Trojan-as-a-service: From Formbook to XLoader. Retrieved March 11, 2025.
- [5] Google XLoader 2017: Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025.
- [6] Formbook (associated name for this software): (Citation: Zscaler XLoader 2025)(Citation: ANY.RUN XLoader 2023)(Citation: CheckPoint XLoader 2022)(Citation: Google XLoader 2017)
- [7] mitre-attack S1207: MITRE ATT&CK source object for S1207.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.