{"description": "Enterprise techniques used by XLoader, ATT&CK software S1207 (v1.0)", "name": "XLoader (S1207)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "[XLoader](https://attack.mitre.org/software/S1207) can utilize hardcoded command and control domain configurations created by the XLoader authors. These are designed to mimic domain registrars and hosting service providers such as Hostinger and Namecheap.(Citation: CheckPoint XLoader 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[XLoader](https://attack.mitre.org/software/S1207) uses HTTP and HTTPS for command and control communication.(Citation: Google XLoader 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[XLoader](https://attack.mitre.org/software/S1207) establishes persistence by copying its executable in a subdirectory of `%APPDATA%` or `%PROGRAMFILES%`, and then modifies Windows Registry Run keys or policies keys to execute the executable on system start.(Citation: Zscaler XLoader 2025)(Citation: Google XLoader 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1185", "comment": "[XLoader](https://attack.mitre.org/software/S1207) can conduct form grabbing, steal cookies, and extract data from HTTP sessions.(Citation: Google XLoader 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1115", "comment": "[XLoader](https://attack.mitre.org/software/S1207) can collect data stored in the victim's clipboard.(Citation: Google XLoader 2017)(Citation: Netskope XLoader 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": 
"T1059", "showSubtechniques": true}, {"techniqueID": "T1059.010", "comment": "[XLoader](https://attack.mitre.org/software/S1207) can use an AutoIT script to decrypt a payload file, load it into victim memory, then execute it on the victim machine.(Citation: Google XLoader 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "comment": "[XLoader](https://attack.mitre.org/software/S1207) can collect credentials stored in email clients.(Citation: Google XLoader 2017)(Citation: Netskope XLoader 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[XLoader](https://attack.mitre.org/software/S1207) can gather credentials from several web browsers.(Citation: Zscaler XLoader 2025)(Citation: Google XLoader 2017)(Citation: Netskope XLoader 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1622", "comment": "[XLoader](https://attack.mitre.org/software/S1207) uses anti-debugging mechanisms such as calling `NtQueryInformationProcess` with `InfoClass=7`, referencing `ProcessDebugPort`, to determine if it is being analyzed.(Citation: Google XLoader 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[XLoader](https://attack.mitre.org/software/S1207) uses XOR and RC4 algorithms to decrypt payloads and functions.(Citation: Zscaler XLoader 2025) [XLoader](https://attack.mitre.org/software/S1207) can be distributed as a self-extracting RAR archive that launches an AutoIT loader.(Citation: Google XLoader 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1203", "comment": "[XLoader](https://attack.mitre.org/software/S1207) has exploited Office vulnerabilities during local execution such as CVE-2017-11882 and CVE-2018-0798.(Citation: Netskope XLoader 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": 
true}, {"techniqueID": "T1562.001", "comment": "[XLoader](https://attack.mitre.org/software/S1207) loads a copy of NTDLL to evade hooks from security monitoring tools on this library.(Citation: Zscaler XLoader 2025) [XLoader](https://attack.mitre.org/software/S1207) can add the path of its executable to the Microsoft Defender exclusion list.(Citation: Netskope XLoader 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[XLoader](https://attack.mitre.org/software/S1207) can delete malicious executables from compromised machines.(Citation: Acronis XLoader 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[XLoader](https://attack.mitre.org/software/S1207) can capture keystrokes from the victim machine.(Citation: Google XLoader 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[XLoader](https://attack.mitre.org/software/S1207) uses the native Windows API for functionality, including defense evasion.(Citation: Zscaler XLoader 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[XLoader](https://attack.mitre.org/software/S1207) uses various packers, including CyaX, to obfuscate malicious executables.(Citation: Netskope XLoader 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[XLoader](https://attack.mitre.org/software/S1207) features encrypted functions using the RC4 algorithm and bytecode operations.(Citation: Zscaler XLoader 2025)(Citation: ANY.RUN XLoader 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": 
"[XLoader](https://attack.mitre.org/software/S1207) has been delivered as a phishing attachment, including PDFs with embedded links, Word and Excel files, and various archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads.(Citation: Google XLoader 2017)(Citation: Acronis XLoader 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.004", "comment": "[XLoader](https://attack.mitre.org/software/S1207) injects code into the APC queue using the `NtQueueApcThread` API.(Citation: Zscaler XLoader 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[XLoader](https://attack.mitre.org/software/S1207) uses process hollowing by injecting itself into the `explorer.exe` process and other files within the Windows `SysWOW64` directory.(Citation: Zscaler XLoader 2025)(Citation: Google XLoader 2017)(Citation: ANY.RUN XLoader 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[XLoader](https://attack.mitre.org/software/S1207) can create scheduled tasks for persistence.(Citation: Netskope XLoader 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[XLoader](https://attack.mitre.org/software/S1207) can capture screenshots on compromised hosts.(Citation: Google XLoader 2017)(Citation: Netskope XLoader 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1539", "comment": "[XLoader](https://attack.mitre.org/software/S1207) can capture web session cookies and session information from victim browsers.(Citation: Google XLoader 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[XLoader](https://attack.mitre.org/software/S1207) can collect system information and supported language information from the victim machine.(Citation: Acronis XLoader 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[XLoader](https://attack.mitre.org/software/S1207) can identify the username from a victim machine.(Citation: Acronis XLoader 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1529", "comment": "[XLoader](https://attack.mitre.org/software/S1207) can initiate a system reboot or shutdown.(Citation: Google XLoader 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "comment": "[XLoader](https://attack.mitre.org/software/S1207) can utilize decoy command and control domains within the malware configuration to circumvent sandbox analysis.(Citation: ANY.RUN XLoader 2023)(Citation: CheckPoint XLoader 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[XLoader](https://attack.mitre.org/software/S1207) performs timing checks using the Read Time-Stamp Counter (RDTSC) instruction on the victim CPU.(Citation: Google XLoader 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by XLoader", "color": "#66b1ff"}]}