

XLoader is highly regarded in the cybercriminal underground for its defense-evasion techniques, which let it dwell inside a network unnoticed.

    def update_progress(self, progress):
        # Store the new value and push it to the progress-bar widget and its label
        self.progress = progress
        self.progress_bar['value'] = progress
        self.progress_label['text'] = f"Loading... {progress}%"

While often referred to interchangeably with FormBook, XLoader is the evolution of that strain: it was rebranded around 2020, gained cross-platform capabilities (macOS as well as Windows) and received enhanced anti-analysis features. It is designed to steal credentials, log keystrokes, take screenshots, and download and execute further payloads (hence the "loader" in its name).

Credentials stored in local email clients (Outlook, Thunderbird).


However, subsequent iterations have evolved into native macOS binaries. XLoader often disguises itself as legitimate productivity software, Microsoft Office installers, or fake Adobe Flash updates. Once executed, it gets past Apple's Gatekeeper protections either by using compromised developer certificates or by socially engineering users into overriding the operating system's warnings. Note that Gatekeeper only assesses files that carry the com.apple.quarantine extended attribute, so a second-stage payload written to disk by an already-running process is never evaluated by it.

Detection and Mitigation Strategies

Users receive an email with an attachment, commonly an Excel (.xlsx) or Word (.docx) file that carries macros or another embedded object used to fetch the actual payload, or a link to a malicious website.
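A practical first check for the attachment vector described above is to open the Office file as the zip container it is and look for the features that turn a document into a loader stage: embedded VBA (vbaProject.bin), embedded OLE objects, and relationship entries that pull content from an external URL (remote-template injection), while not flagging ordinary hyperlinks. The following is an added example written for this article, not code from the original page or from XLoader itself; the two sample documents are constructed in memory (the 203.0.113.x address is a documentation range) and the function name triage_office_attachment is the author's own.

```python
"""Triage an Office Open XML attachment (.docx/.xlsx) for loader-style features.

Added example: constructed sample documents only, no real malware samples.
"""
import io
import re
import zipfile

# Relationship parts (*.rels) are XML; an external target looks like
#   <Relationship Id="rId1" Type=".../attachedTemplate"
#                 Target="http://host/t.dotm" TargetMode="External"/>
_EXTERNAL_REL = re.compile(
    r'<Relationship\b[^>]*TargetMode="External"[^>]*>', re.IGNORECASE)
_TARGET = re.compile(r'Target="([^"]*)"', re.IGNORECASE)
_TYPE = re.compile(r'Type="([^"]*)"', re.IGNORECASE)


def triage_office_attachment(data: bytes) -> dict:
    """Return a dict of indicators found in an OOXML blob.

    Raises ValueError for anything that is not a zip container (legacy
    .doc/.xls OLE2 files and RTF need a different parser).
    """
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not an OOXML (zip) container")

    findings = {"macros": [], "ole_objects": [],
                "external_targets": [], "hyperlinks": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["macros"].append(name)
            elif "/embeddings/" in lower:
                findings["ole_objects"].append(name)
            elif lower.endswith(".rels"):
                xml = zf.read(name).decode("utf-8", errors="replace")
                for rel in _EXTERNAL_REL.findall(xml):
                    target = _TARGET.search(rel)
                    rtype = _TYPE.search(rel)
                    if not target:
                        continue
                    # A plain hyperlink needs a user click; a template or
                    # OLE relationship is fetched automatically on open.
                    if rtype and rtype.group(1).lower().endswith("/hyperlink"):
                        findings["hyperlinks"].append((name, target.group(1)))
                    else:
                        findings["external_targets"].append((name, target.group(1)))

    findings["suspicious"] = any(
        findings[k] for k in ("macros", "ole_objects", "external_targets"))
    return findings


def _build_docx(parts: dict) -> bytes:
    """Build a minimal OOXML zip from a {part_name: content} mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Constructed benign document: only an ordinary hyperlink.
BENIGN_DOCX = _build_docx({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/_rels/document.xml.rels":
        '<Relationships><Relationship Id="rId1" Type="' + _REL_NS + 'hyperlink" '
        'Target="https://example.com/" TargetMode="External"/></Relationships>',
})

# Constructed suspicious document: VBA project plus a remote attached template.
SUSPICIOUS_DOCX = _build_docx({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0",  # OLE2 magic only; placeholder bytes
    "word/_rels/settings.xml.rels":
        '<Relationships><Relationship Id="rId1" Type="' + _REL_NS + 'attachedTemplate" '
        'Target="http://203.0.113.5/template.dotm" TargetMode="External"/></Relationships>',
})


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_DOCX), ("suspicious", SUSPICIOUS_DOCX)):
        print(label, triage_office_attachment(blob))
```

The check is deliberately conservative: it reports indicators rather than a verdict, and a hyperlink on its own is recorded but not counted as suspicious, because almost every legitimate document contains one. Legacy binary formats and RTF are rejected rather than silently passed, so the caller knows a different parser is needed.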

Emerging as a rebrand of the FormBook malware in early 2020, XLoader is a sophisticated information stealer and backdoor trojan. It is widely used by cybercriminals because it is sold under a malware-as-a-service (MaaS) model, in which attackers rent access to the builder and command-and-control (C2) infrastructure rather than buying the code outright.

Capabilities:

XLoader's primary objective is data exfiltration. Underneath, however, it carries layers of evasion tactics engineered to defeat signature-based antivirus (AV) and to evade the behavioural monitoring of Endpoint Detection and Response (EDR) solutions.

As of 2025, XLoader remains a top-tier threat. Its operators have consistently updated the malware to get past Windows Defender and Apple's notarization checks.

When the original developer of FormBook allegedly stopped active public sales on underground forums, the codebase was rebranded, optimized, and re-released as XLoader. Unlike standard malware sold for a flat fee, XLoader adopted a strict subscription-based model. Threat actors rent the malware builders or specific command-and-control (C2) hosting resources for set periods, making it highly profitable for its core developers.

Cross-Platform Expansion

Pirated software: a major distribution channel for XLoader is malicious "cracks," keygens, and compromised software installers hosted on shady sites.

XLoader is sold on the dark web using a subscription model. Cybercriminals rent access to the malware, choosing between Windows and macOS builds for a specific duration. This lowers the barrier to entry for novice attackers.

2. Technical Capabilities: What Can XLoader Do?

Cryptocurrency wallet data (for example Bitcoin or Ethereum wallets).

XLoader employs a multi-pronged approach to hide its code and behavior from security researchers and automated sandboxes: