XFiles infostealer used the Follina vulnerability to infect targets

XFiles Infostealer Follina Vulnerability Infect Malware Targets

The infostealer malware dubbed XFiles has made its rounds of cybercriminal activities after researchers noticed that it had exploited the Follina critical flaw. Based on reports, the vulnerability (CVE-2022-30190) was abused by the malware operators to infect targeted devices with malicious payloads.

A cybersecurity solutions vendor has spotted the new infostealer malware that used Follina to download payload, run it, and acquire persistence on the targeted system.

The researchers claimed that the threat actors delivered the malware via spam email to the victims, including an OLE object that directs to an HTML file. The file is on an external resource, including JavaScript code, which exploits the vulnerability mentioned.

Moreover, if the target executes the codes, it will retrieve a base64-encoded string that contains PowerShell commands to develop persistence in the Windows startup directory and operate the malware.

Subsequently, the second-stage module has an AES decryption key with a hardcoded encrypted shellcode. The module was tracked by the researchers as ChimLacUpdate[.]exe. An API will then call and decrypt the code, executing it in the same operating process.

XFiles will then start a typical infostealer malware operation after the infection process. The infostealer will then execute the standard procedures of an information stealer, such as harvesting passwords, cookies, saved history, crypto wallets, screenshotting, and checking for Telegram and Discord credentials.

The files will then be stored locally in newly designed directories before transferring via Telegram.


Researchers noted that the XFiles infostealer has been expanding continuously since its operators have recruited new members for their upcoming projects.


The most recent campaign launched by the XFiles operator was called Punisher malware. The mining tool in their attack costs nearly $10, which is identical to how much the operators charges for one month of renting the malware.

Cybersecurity experts are concerned about the rapid growth of this new threat since the gang is actively recruiting exceptional individuals that can help them improve their malware. Currently, the group is finding success in every attack because the Follina exploit is up for grabs by any threat actor.

About the author

Leave a Reply