X-Files Stealer


⚠️ Overview

X-Files Stealer is a credential and cryptocurrency wallet stealer first documented in August 2021 by the cybersecurity firm ASEC (AhnLab). It is categorized as an information stealer, targeting sensitive data such as browser passwords, cryptocurrency wallets, and system information. The malware is believed to be operated by a Korean-speaking threat actor, as indicated by the use of Korean language comments in its source code and Korean-themed configuration strings.

🔧 Technical Capabilities

X-Files Stealer gathers credentials from major web browsers (Chrome, Edge, Firefox) by reading the browsers' SQLite login databases and decrypting the stored passwords with the CryptUnprotectData API. It targets cryptocurrency wallets including Bitcoin Core, Electrum, Ethereum (geth), Binance Chain, and multi-currency wallets such as Exodus and Atomic, copying wallet.dat files and keystore directories. The malware also collects system metadata: hostname, logged-in username, OS version, installed antivirus products, and running processes. Stolen data is packed into ZIP archives, encrypted with a simple XOR key, and exfiltrated by HTTP POST to a hardcoded C2 server address (typically an IP at a Korean hosting provider). Persistence is achieved via a scheduled task named "WindowsUpdateTask" or a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include checking for sandbox environments (e.g., the presence of analysis tools such as Process Hacker) and delaying execution if the system language is Korean (to avoid infecting local systems). No self-propagation mechanism is present; distribution relies on phishing emails or trojanized software downloads.
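The XOR-encrypted ZIP exfiltration described above is the part an incident responder most often has to undo: a captured POST body is useless until the key is recovered. The script below is an added example, not code from the malware or from AhnLab's report. It assumes the key is a single byte (the page only says "a simple XOR key") and relies on a real ZIP constant, the local file header signature `PK\x03\x04`, as known plaintext; the sample archive is constructed inline so it runs offline. If the key turns out to be longer than one byte, the magic check fails and the function returns None rather than a wrong archive.

```python
"""Recover a single-byte-XOR-obfuscated ZIP archive captured from a stealer's HTTP POST.

Added example (not X-Files Stealer's own code). Assumptions, labelled here:
  * the XOR key is one byte (the page only says "a simple XOR key");
  * the payload is a plain ZIP archive, so it starts with the magic bytes
    b"PK\x03\x04" (the real ZIP local file header signature).
The sample archive built below is constructed for this example.
"""
import io
import zipfile
from typing import List, Optional

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of every ZIP archive


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; encryption and decryption are the same op."""
    return bytes(b ^ key for b in data)


def build_sample_archive() -> bytes:
    """Constructed sample payload: a ZIP holding the kinds of files the page says are collected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("system.txt", "host=WORKSTATION-01\nuser=alice\nos=Windows 10\n")
        zf.writestr("browsers/chrome_logins.txt", "example.com\talice\tconstructed-sample\n")
    return buf.getvalue()


def recover_key(blob: bytes) -> Optional[int]:
    """Derive the key from the known first plaintext byte, then confirm the whole archive parses.

    Known plaintext: blob[0] == ZIP_MAGIC[0] ^ key, so key == blob[0] ^ ZIP_MAGIC[0].
    The remaining magic bytes and zipfile's CRC check reject a wrong (e.g. multi-byte) key.
    """
    if len(blob) < len(ZIP_MAGIC):
        return None
    candidate = blob[0] ^ ZIP_MAGIC[0]
    plain = xor_bytes(blob, candidate)
    if not plain.startswith(ZIP_MAGIC):
        return None  # key is not a single byte, or payload is not a ZIP
    try:
        with zipfile.ZipFile(io.BytesIO(plain)) as zf:
            if zf.testzip() is not None:  # a member failed its CRC check
                return None
    except zipfile.BadZipFile:
        return None
    return candidate


def decrypt_and_list(blob: bytes) -> Optional[List[str]]:
    """Return the member names of the recovered archive, or None if recovery failed."""
    key = recover_key(blob)
    if key is None:
        return None
    with zipfile.ZipFile(io.BytesIO(xor_bytes(blob, key))) as zf:
        return zf.namelist()


if __name__ == "__main__":
    # Simulate a captured POST body: the constructed archive XORed with an arbitrary key.
    captured = xor_bytes(build_sample_archive(), 0x5A)
    print("recovered key:", hex(recover_key(captured)))
    print("members:", decrypt_and_list(captured))
```

In practice the same known-plaintext idea extends to longer repeating keys by using more of the ZIP structure (the central directory signature and end-of-central-directory record are also fixed), but the single-byte case is enough to triage a capture and confirm the payload is a ZIP before spending analyst time on it.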

📜 History & Notable Incidents

The first public analysis of X-Files Stealer was published by AhnLab on August 13, 2021 (ASEC blog). In early 2022, a campaign used spear-phishing emails impersonating Korean tax authorities to distribute the stealer disguised as a PDF document. No high-profile victims have been publicly named, and no law enforcement actions specific to this malware have been reported. No CVEs are directly associated with it; it relies on native Windows APIs and does not exploit any known vulnerabilities.

🔍 Detection Indicators

Known file hashes include SHA-256 5c1a6c8b10b4f8d9f0e3a2b1c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d (from ASEC report). Behavioral signatures include creation of a scheduled task named "WindowsUpdateTask" and writes to %temp%\XFiles*. Registry keys: HKCU\…\Run\WindowsUpdateService. Network IOCs include HTTP POST to a C2 at 49.50.164.xxx (Korean IP range) with User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36". Mutex names include "Global\XFilesMutex".

☠️ Risk & Impact

The primary impact is theft of cryptocurrency wallet private keys and browser credentials, leading to direct financial loss for victims. The malware also exfiltrates system information that can be used for targeted follow-up attacks. Affected sectors include individual cryptocurrency users and small businesses in South Korea, based on observed distribution campaigns.

🛡️ Mitigation

Users should enable multifactor authentication on all financial accounts, avoid opening attachments from untrusted sources, and maintain updated antivirus software (e.g., AhnLab V3, Windows Defender) that detects the malware as Infostealer/XFiles. Organizations should block outbound connections to known malicious IPs listed in ASEC’s IOCs and deploy EDR rules for the named scheduled task and registry persistence.
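The EDR rules recommended above, applied to the indicators listed under Detection Indicators, amount to a handful of matches on host and network telemetry. The script below is an added example (not AhnLab's or Boteraser's detection content) that runs those matches over constructed sample events. The event schema (JSON lines with a "type", a "host" and per-type fields) is an assumption standing in for whatever your EDR or SIEM exports; the last octet of the C2 address is a constructed placeholder because the page only gives the /24. Note that the User-Agent is a stock Chrome 91 string, so it is used only to raise confidence on a POST to the C2 range, never as a trigger on its own.

```python
"""Match host and network telemetry against the X-Files Stealer indicators on this page:
scheduled task name, Run-key value name, %temp%\XFiles drop path, mutex name,
C2 address range and User-Agent.

Added example, not AhnLab's or Boteraser's detection content. The event schema
(JSON lines with "type", "host" and per-type fields) is an assumption; the sample
events and the C2 host's last octet are constructed for the example.
"""
import json
import re
from typing import Dict, Iterable, List

TASK_NAME = "WindowsUpdateTask"
RUN_VALUE_NAME = "WindowsUpdateService"
MUTEX_NAME = r"Global\XFilesMutex"
C2_PREFIX = "49.50.164."  # page gives 49.50.164.xxx; match on the /24 only
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
DROP_PATH_RE = re.compile(r"\\Temp\\XFiles", re.I)  # %temp% is expanded in real logs

# Constructed sample telemetry: ws01 shows the full chain, ws02 is benign noise.
SAMPLE_EVENTS = [
    {"type": "task_create", "host": "ws01", "task_name": TASK_NAME,
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"type": "registry_set", "host": "ws01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": RUN_VALUE_NAME},
    {"type": "file_create", "host": "ws01",
     "path": r"C:\Users\alice\AppData\Local\Temp\XFiles\system.txt"},
    {"type": "mutex_create", "host": "ws01", "name": MUTEX_NAME},
    {"type": "http_request", "host": "ws01", "method": "POST",
     "dst_ip": "49.50.164.10", "user_agent": C2_USER_AGENT},  # last octet constructed
    {"type": "task_create", "host": "ws02", "task_name": "OneDrive Standalone Update Task"},
    {"type": "registry_set", "host": "ws02",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "OneDrive"},
    {"type": "http_request", "host": "ws02", "method": "GET",
     "dst_ip": "203.0.113.5", "user_agent": C2_USER_AGENT},  # same UA, not the C2: no hit
]


def match_event(ev: Dict) -> List[str]:
    """Return the indicator descriptions that a single event matches (usually zero or one)."""
    hits: List[str] = []
    t = ev.get("type")
    if t == "task_create" and ev.get("task_name") == TASK_NAME:
        hits.append("persistence: scheduled task " + TASK_NAME)
    elif (t == "registry_set" and RUN_KEY_RE.search(ev.get("key", ""))
          and ev.get("value_name") == RUN_VALUE_NAME):
        hits.append("persistence: Run key value " + RUN_VALUE_NAME)
    elif t == "file_create" and DROP_PATH_RE.search(ev.get("path", "")):
        hits.append("staging: write under %temp%\\XFiles")
    elif t == "mutex_create" and ev.get("name") == MUTEX_NAME:
        hits.append("mutex: " + MUTEX_NAME)
    elif (t == "http_request" and ev.get("method") == "POST"
          and ev.get("dst_ip", "").startswith(C2_PREFIX)):
        # The UA is a stock Chrome 91 string: it only raises confidence, the C2 range triggers.
        conf = "high" if ev.get("user_agent") == C2_USER_AGENT else "medium"
        hits.append(f"exfil: POST to C2 range {C2_PREFIX}0/24 ({conf} confidence)")
    return hits


def scan(events: Iterable[Dict]) -> Dict[str, List[str]]:
    """Group hits per host so a host with several indicators stands out from a single match."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for hit in match_event(ev):
            findings.setdefault(ev.get("host", "?"), []).append(hit)
    return findings


def scan_jsonl(text: str) -> Dict[str, List[str]]:
    """Same scan over a JSON-lines export (one event object per non-empty line)."""
    return scan(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host)
        for h in hits:
            print("  -", h)
```

Any one of the persistence hits is worth an alert on its own, because the task and value names are specific to this family; the drop path and mutex are cheap corroboration when the EDR records them. Blocking the C2 range at the egress firewall, as the mitigation text suggests, should be paired with the POST rule above so that a changed C2 address still surfaces through the host-side indicators.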


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.