
Xloader

XLoader is a modular Malware-as-a-Service (MaaS) platform primarily functioning as a "stealer" and a "loader." Active since at least 2016 (under its original guise, Formbook), it has remained a dominant force in the threat landscape due to its agility, sophisticated obfuscation techniques, and a business model that lowers the barrier to entry for cybercriminals.

While often referred to interchangeably with Formbook, XLoader is the evolution of that strain: the rebrand around 2020 introduced cross-platform support (Windows and macOS) and stronger anti-analysis features. It is designed to steal credentials, log keystrokes, take screenshots, and download and execute follow-on payloads (hence the term "loader").


rule XLoader_Windows_Loader
    meta:
        description = "Detects XLoader dropper based on embedded RC4 key"
    strings:
        // YARA hex strings must be wrapped in braces
        $rc4_key  = { 4D 61 72 6B 65 74 69 6E 67 }    // "Marketing"
        $xor_loop = { 80 34 08 01 41 80 3C 08 00 }    // xor byte [eax+ecx],1 ; inc ecx ; cmp byte [eax+ecx],0
    condition:
        uint16(0) == 0x5A4D and ($rc4_key or $xor_loop)

Two caveats before deploying this: $rc4_key is nothing more than the plain ASCII string "Marketing", which shows up in plenty of benign binaries (version resources, UI strings in .rdata), and the condition fires on either string alone, so treat a hit on $rc4_key by itself as a triage lead rather than a verdict, or tighten the condition to require both strings.
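To see what the rule's condition actually does and where it is weak, here is an added Python reimplementation of the same logic (written for this page; it is not code from the XLoader operators, from any sample, or from YARA itself). It evaluates the rule as written, plus a stricter variant that requires both strings, over byte buffers that are constructed stand-ins, not real PE files. The fictional product name "Contoso Marketing Dashboard" exists only to show the false positive.

```python
import re

# Patterns transcribed from the YARA rule above. The sample buffers further down are
# constructed for this example; they are not real XLoader or Formbook binaries.
RC4_KEY = b"Marketing"                                  # 4D 61 72 6B 65 74 69 6E 67
XOR_LOOP = bytes.fromhex("80 34 08 01 41 80 3C 08 00")  # xor byte [eax+ecx],1 / inc ecx / cmp byte [eax+ecx],0


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D, i.e. the little-endian 'MZ' DOS header magic."""
    return len(data) >= 2 and data[:2] == b"MZ"


def scan(data: bytes) -> dict:
    """Evaluate the rule and a stricter variant, reporting offsets for triage.

    'match'  mirrors the rule as written: MZ and ($rc4_key or $xor_loop).
    'strict' requires both strings, which drops hits where 'Marketing'
    is just an ordinary ASCII string inside an otherwise benign PE.
    """
    hits = {
        "rc4_key": [m.start() for m in re.finditer(re.escape(RC4_KEY), data)],
        "xor_loop": [m.start() for m in re.finditer(re.escape(XOR_LOOP), data)],
    }
    pe = is_pe(data)
    return {
        "match": pe and bool(hits["rc4_key"] or hits["xor_loop"]),
        "strict": pe and bool(hits["rc4_key"] and hits["xor_loop"]),
        "hits": hits,
    }


PAD = b"\x00" * 16

# Constructed stand-in for a dropper: PE magic, the decoder loop, then the key bytes.
SAMPLE_LOADER = b"MZ" + PAD + XOR_LOOP + PAD + RC4_KEY + PAD

# Constructed stand-in for a benign PE whose strings happen to contain the word.
BENIGN_PE = b"MZ" + PAD + b"Contoso Marketing Dashboard v3.1" + PAD

# Same decoder bytes in a non-PE container: the MZ check must reject it.
NOT_PE = b"\x7fELF" + PAD + XOR_LOOP + RC4_KEY


if __name__ == "__main__":
    for name, buf in (("loader", SAMPLE_LOADER), ("benign", BENIGN_PE), ("elf", NOT_PE)):
        r = scan(buf)
        print(f"{name:7s} match={r['match']!s:5s} strict={r['strict']!s:5s} hits={r['hits']}")
```

Running it shows the benign buffer matching the rule as written (the key string alone is enough) while failing the strict variant, and the ELF-like buffer failing both despite carrying the decoder bytes; the reported offsets are what you would feed into a disassembler to confirm that a $xor_loop hit really is code and not data.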

As of 2025, XLoader remains a top-tier threat. Its operators have consistently updated the malware to evade Windows Defender detections and Apple's notarization checks.

Recent variants (v2.0 and above) have added:

Law enforcement has attempted takedowns, but the decentralized nature of MaaS makes lasting disruption difficult. As long as there is a market for stolen credentials, and there always will be, XLoader, or whatever it rebrands to next, will persist.