S1248: XORIndex Loader
XORIndex Loader is an XOR-encoded loader that collects host data, decodes follow-on scripts, and acts as a downloader for the BeaverTail malware. XORIndex Loader was first reported in June 2025. XORIndex Loader has been leveraged by North Korea-affiliated threat actors identified as Contagious Interview. XORIndex Loader has been delivered to victims through code repository sites using typosquatted names that mimic various npm packages.[1]
Analyst context for executives and security teams
XORIndex Loader matters because it sits early in a compromise chain: it collects host details, decodes follow-on scripts, and downloads BeaverTail malware. The ATT&CK entry ties it to Windows activity and delivery through typo-squatted npm packages on code repository sites, making developer workstations and software supply-chain trust decisions especially relevant.
Executive priority
Leaders should treat this as a validation point for software development security, endpoint visibility, and incident readiness. The key business question is whether the organization can detect suspicious package-sourced execution, encoded script activity, host discovery, and web-based downloader behavior before follow-on malware is established. This is also useful evidence for audit and risk discussions around developer endpoint controls, dependency governance, and SOC coverage of command-and-control and exfiltration patterns.
Technical view
For SOC and IR teams, validate coverage around the supplied relationships: JavaScript execution, command and file obfuscation, decode/deobfuscation behavior, host/user/network/location discovery, web-protocol command-and-control, ingress tool transfer, and exfiltration over the C2 channel. Because no official ATT&CK detection text is provided, detections should be built from local telemetry and tested against behavior patterns rather than the malware name alone. Pay particular attention to Windows developer systems interacting with code repositories or npm-like package workflows, followed by script execution, encoded content, host enumeration, outbound web traffic, and downloader-like file retrieval.
Likely telemetry
- Endpoint process creation and command-line telemetry for JavaScript/script runtimes and child processes
- File creation and modification events for encoded or decoded scripts and downloaded payloads
- Network proxy, DNS, TLS, and HTTP/S metadata for outbound web-protocol communications
- Endpoint telemetry showing host, user, network configuration, and location discovery commands or API activity
- Package/dependency management logs where available, especially developer workstation package installation activity
Detection direction
- Do not rely only on static signatures; the ATT&CK relationships emphasize obfuscation, encoded files, and decoding behavior.
- Correlate package-source activity with subsequent script execution, host discovery, and outbound web communications from the same Windows endpoint.
- Tune for suspicious combinations of discovery plus downloader behavior, while accounting for legitimate developer tooling that may also execute JavaScript, fetch packages, and contact web services.
- Validate whether SOC tooling preserves command-line, script content, file hash/path, parent-child process, and network destination context long enough for investigation.
- Use the Contagious Interview relationship as threat-intelligence context, but avoid assuming attribution from telemetry alone.
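The correlation the list above asks for can be expressed as an ordered-stage detector. The Python below is an added illustration, not code from the ATT&CK page, Glexia or MITRE: it reads constructed Windows endpoint and network telemetry and flags a host where a package-manager process is followed, within ten minutes, by a script runtime, a host/user/network discovery command or public-IP lookup, and an outbound HTTPS POST. The process-name sets, the public-IP lookup hints, the ten-minute window, the pipe-delimited log format, and every hostname and destination are assumptions or constructed values to be tuned against local telemetry.

```python
"""Ordered-stage correlation over constructed Windows endpoint telemetry.

Added example, not from the ATT&CK page, Glexia or MITRE. Every log line,
hostname, process name and destination below is constructed; the stage
lists and the ten-minute window are assumptions to tune locally.
"""
from datetime import datetime, timedelta

# Assumed image names per stage (adjust to local developer tooling).
PACKAGE_MANAGERS = {"npm.cmd", "npm", "yarn.cmd", "pnpm.cmd"}
SCRIPT_RUNTIMES = {"node.exe", "wscript.exe", "cscript.exe"}
DISCOVERY_CMDS = {"hostname.exe", "whoami.exe", "ipconfig.exe", "systeminfo.exe"}
# Constructed substrings for public-IP lookup services (T1016 via a web service).
IP_LOOKUP_HINTS = ("ipinfo", "ip-api", "ifconfig")

STAGES = ("package", "script", "discovery", "c2")
WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse(line):
    """Constructed format: ts|host|type|parent_image|image_or_url|detail."""
    ts, host, etype, parent, subject, detail = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "type": etype,
            "parent": parent, "subject": subject, "detail": detail}


def classify(ev):
    """Map one event to a stage name, or None if it is not of interest."""
    if ev["type"] == "process":
        image = ev["subject"].rsplit("\\", 1)[-1].lower()
        if image in PACKAGE_MANAGERS:
            return "package"
        if image in SCRIPT_RUNTIMES:
            return "script"
        if image in DISCOVERY_CMDS:
            return "discovery"
    elif ev["type"] == "network":
        dest = ev["subject"].lower()
        if any(h in dest for h in IP_LOOKUP_HINTS):
            return "discovery"
        # Web-protocol C2 / exfiltration over C2 (T1071.001, T1041): outbound HTTPS POST.
        if dest.startswith("https://") and ev["detail"].upper().startswith("POST"):
            return "c2"
    return None


def correlate(lines):
    """Return {host: timestamp of the package stage} for hosts showing all STAGES in order within WINDOW."""
    by_host = {}
    for ev in map(parse, lines):
        stage = classify(ev)
        if stage:
            by_host.setdefault(ev["host"], []).append((ev["ts"], stage))
    hits = {}
    for host, events in by_host.items():
        events.sort()
        for i, (t0, s0) in enumerate(events):
            if s0 != "package":
                continue
            want = 1  # index of the next stage we expect to see
            for t, s in events[i + 1:]:
                if t - t0 > WINDOW:
                    break
                if s == STAGES[want]:
                    want += 1
                    if want == len(STAGES):
                        hits[host] = t0
                        break
            if host in hits:
                break
    return hits


# Constructed telemetry: DEV-WS01 shows the full chain, DEV-WS02 is a benign build.
SAMPLE_LINES = [
    "2025-07-15T09:00:00|DEV-WS01|process|explorer.exe|C:\\Program Files\\nodejs\\npm.cmd|install expres-utils",
    "2025-07-15T09:00:05|DEV-WS01|process|npm.cmd|C:\\Program Files\\nodejs\\node.exe|lib/index.js",
    "2025-07-15T09:00:06|DEV-WS01|process|node.exe|C:\\Windows\\System32\\hostname.exe|",
    "2025-07-15T09:00:07|DEV-WS01|network|node.exe|https://ipinfo.example.invalid/json|GET",
    "2025-07-15T09:00:09|DEV-WS01|network|node.exe|https://stage.example.invalid/api|POST 1.2KB",
    "2025-07-15T09:30:00|DEV-WS02|process|explorer.exe|C:\\Program Files\\nodejs\\npm.cmd|install express",
    "2025-07-15T09:30:02|DEV-WS02|process|npm.cmd|C:\\Program Files\\nodejs\\node.exe|build.js",
    "2025-07-15T09:31:00|DEV-WS02|network|node.exe|https://registry.npmjs.org/express|GET",
]

if __name__ == "__main__":
    for host, t0 in correlate(SAMPLE_LINES).items():
        print(f"{host}: package-to-C2 chain starting {t0.isoformat()}")
```

DEV-WS02 runs a package install and a build script but never reaches the discovery and POST stages, so it is not reported; this ordered-stage shape is what keeps ordinary npm activity from firing the rule on its own.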
Mitigation priorities
- Prioritize software supply-chain hygiene for developer endpoints: package provenance review, dependency controls, and awareness of typo-squatted packages.
- Harden Windows endpoints used for development with least privilege, controlled script execution where feasible, and monitored access to package repositories.
- Ensure egress monitoring and proxy controls can identify unusual web-protocol communications and downloader-like transfers.
- Prepare IR playbooks for encoded script loaders: isolate affected endpoints, preserve script/package artifacts, review outbound communications, and hunt for BeaverTail-related follow-on activity when supported by evidence.
- Map these controls to compliance evidence around endpoint monitoring, dependency governance, incident response, and access control.
Analyst notes and limits
This take is based on ATT&CK S1248 for XORIndex Loader, its official description, one external Socket reference, and the supplied relationships to Contagious Interview and ATT&CK techniques including discovery, obfuscation, JavaScript execution, web C2, ingress tool transfer, exfiltration over C2, and decoding behavior.
ATT&CK provides no official detection guidance and no object-level tactics for XORIndex Loader. Platform support is limited here to Windows for the malware object, while related techniques have broader platform lists that should not be assumed for this malware. Local package-management, endpoint, and network telemetry is required to confirm exposure or detection coverage.
XORIndex Loader
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | XORIndex Loader has the ability to collect the hostname, OS username, geolocation, and OS version of an infected host. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | XORIndex Loader can decode its payload prior to execution. [1] |
| Enterprise | T1614 | System Location Discovery | XORIndex Loader can identify the geographical location of a victim host. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | XORIndex Loader has leveraged web services to identify the public IP of the victim host. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | XORIndex Loader has exfiltrated victim data using HTTPS POST requests to its C2 servers. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | XORIndex Loader has been used to download malicious payloads, including BeaverTail. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | XORIndex Loader has encoded module names and C2 URLs as hexadecimal strings in attempts to evade analysis. [1] |
| Enterprise | T1071.001 | Web Protocols | XORIndex Loader has used HTTPS POST to communicate with C2. [1] |
| Enterprise | T1027.010 | Command Obfuscation | XORIndex Loader has obfuscated strings using ASCII buffers and TextDecoder. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | XORIndex Loader has leveraged legitimate package names to mimic frequently used tools and entice victims to download and execute malicious payloads. [1] |
| Enterprise | T1059.007 | JavaScript | XORIndex Loader has executed malicious JavaScript code. [1] |
| Enterprise | T1033 | System Owner/User Discovery | XORIndex Loader has collected the username from the victim host. [1] |
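Several rows in the table describe artifacts that can be checked statically before a package is ever installed: an install-time lifecycle script (the execution path behind T1059.007 and T1036.005), hexadecimal string literals decoded through Buffer/TextDecoder (T1027.013, T1027.010), and an XOR decode loop (T1140). The Python below is an added example, not tooling from Socket, Glexia or MITRE: it triages a constructed package.json and a constructed JavaScript file for those patterns and decodes the hex literals so an analyst can review what they hide. The manifest, the package name, the JavaScript snippet, the regular expressions and the decoded values (a module name and a .invalid URL) are all constructed or assumed.

```python
"""Static triage of an npm package for hex-encoded strings, decoder use and XOR loops.

Added example; not the page's, Socket's, Glexia's or MITRE's code. The manifest,
the JavaScript and every decoded value below are constructed for illustration.
"""
import json
import re

# Constructed manifest: a look-alike name with an install hook that runs node.
PACKAGE_JSON = json.dumps({
    "name": "expres-utils",  # constructed look-alike name, not a real package
    "version": "1.0.3",
    "scripts": {"postinstall": "node lib/index.js", "test": "echo ok"},
})

# Constructed JavaScript reproducing the pattern in the table: hex literals
# decoded via Buffer/TextDecoder, and a byte-wise XOR loop. The two literals
# decode to "child_process" and "https://c2.example.invalid/api".
SAMPLE_JS = r"""
const td = new TextDecoder();
const m = td.decode(Buffer.from("6368696c645f70726f63657373", "hex"));
const u = td.decode(Buffer.from("68747470733a2f2f63322e6578616d706c652e696e76616c69642f617069", "hex"));
function x(buf, k) { for (let i = 0; i < buf.length; i++) buf[i] ^= k; return buf; }
"""

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Quoted string made only of hex pairs, at least 6 bytes long (assumed threshold).
HEX_LITERAL = re.compile(r'["\']((?:[0-9a-fA-F]{2}){6,})["\']')
DECODER_HINTS = ("TextDecoder", '"hex"', "'hex'")
XOR_LOOP = re.compile(r"\^=\s*\w+")  # assumed marker for an in-place XOR decode


def install_hooks(manifest):
    """Lifecycle scripts that execute during `npm install`."""
    scripts = json.loads(manifest).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def decode_hex_literals(js):
    """Decode hex string literals that yield printable ASCII, for analyst review."""
    decoded = []
    for hexstr in HEX_LITERAL.findall(js):
        try:
            text = bytes.fromhex(hexstr).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def triage(manifest, js):
    """Combine the checks into one findings record."""
    findings = {
        "install_hooks": install_hooks(manifest),
        "decoded_hex": decode_hex_literals(js),
        "uses_decoder": any(h in js for h in DECODER_HINTS),
        "xor_loop": bool(XOR_LOOP.search(js)),
    }
    # Assumed triage rule: install-time execution plus any decoding artifact.
    findings["suspicious"] = bool(findings["install_hooks"]) and bool(
        findings["decoded_hex"] or findings["xor_loop"])
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(PACKAGE_JSON, SAMPLE_JS), indent=2))
```

The decoded literals are what an analyst wants on the table: a hex string that turns into a module name or a URL is a far stronger lead than the presence of TextDecoder, which legitimate code also uses. Run the same checks over every file a lifecycle script references, not only the entry point.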
Groups, software, and campaigns
G1052: Contagious Interview
Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities. [1][2][3][4][5][6][7][8]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 586445777a24… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Socket BeaverTail XORIndex HexEval Contagious Interview July 2025: Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025.
[2] mitre-attack S1248
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.