Xiangoop

Malware

⚠️ Overview

Xiangoop is a stealer and loader malware first documented in early 2023 by researchers at Trend Micro, believed to be operated by a Chinese-speaking threat actor tracked as Water Labbu. It is categorized as an information stealer with downloader capabilities, primarily targeting cryptocurrency wallet credentials and browser data.

🔧 Technical Capabilities

Xiangoop propagates via phishing emails containing malicious Excel attachments (XLL files) that exploit the Excel Add-In loading mechanism. Once executed, it deploys a .NET-based loader that decodes and runs the main payload from a remote C2 server using HTTP POST requests encrypted with AES-256. The malware achieves persistence by creating a scheduled task named “GoogleUpdateTaskMachineCore” and modifies registry Run keys. Evasion techniques include dynamic API resolution, anti-debugging checks via IsDebuggerPresent API calls, and delaying execution to evade sandbox detection. It collects system information, steals saved passwords from browsers (Chrome, Edge, Firefox), and exfiltrates cryptocurrency wallet files such as wallet.dat, electrum.dat, and browser-extension-based wallet data for MetaMask and Binance Chain Wallet.

📜 History & Notable Incidents

First identified in January 2023 by Trend Micro, Xiangoop campaigns escalated in mid-2023, targeting cryptocurrency investors in the United States and Europe. No major high-profile victim has been publicly named, though security researchers at Unit 42 (Palo Alto Networks) reported over 500 unique samples submitted to VirusTotal between March and September 2023. No CVEs are directly associated with Xiangoop, as it relies on user interaction with phishing lures rather than exploiting software vulnerabilities.

🔍 Detection Indicators

SHA256 hashes of known Xiangoop samples include a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3 (from Trend Micro’s report). Network indicators include HTTP POST traffic to URLs containing /gate.php or /api.php with User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. The registry persistence key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Xiangoop and the mutex name Global\XiangoopMutex are common behavioral signatures.

☠️ Risk & Impact

Xiangoop primarily causes theft of cryptocurrency wallet credentials and browser-stored passwords, leading to direct financial losses for victims. The malware has targeted individuals and small-to-medium enterprises involved in cryptocurrency trading, with estimated cumulative losses exceeding $2 million as reported by BleepingComputer in late 2023. Sectors most affected include finance (crypto exchanges) and retail investors.

🛡️ Mitigation

Defenders should block execution of XLL files from email attachments, enable Microsoft Defender ASR rules for Office add-ins, and deploy YARA rules detecting Xiangoop’s unique C2 communication patterns described in Trend Micro’s threat advisory. Regularly update antivirus signatures and monitor for scheduled task creation with the name “GoogleUpdateTaskMachineCore”.
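As an added defensive example (written for this page, not taken from Trend Micro’s advisory or any vendor tooling), the following Python script applies the network and host indicators listed in the Detection Indicators section to constructed sample data: a few web-proxy log lines and a few host telemetry events of the kind a scheduled-task or registry audit would produce. The proxy log format, the event dictionary layout and the legitimate Google Update executable path used to suppress false positives are assumptions made for illustration only.

```python
import re

# Indicators quoted from the page's Detection Indicators and Mitigation sections.
C2_PATHS = ("/gate.php", "/api.php")
UA_PREFIX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
TASK_NAME = "GoogleUpdateTaskMachineCore"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Xiangoop"
MUTEX_NAME = r"Global\XiangoopMutex"

# Assumption: the real Google Update installer also creates a task with this
# name, so a task is only flagged when its action is NOT the expected binary.
LEGIT_GOOGLE_UPDATE_SUFFIX = r"\google\update\googleupdate.exe"

# Assumed (constructed) proxy log format:
# <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def match_proxy_line(line):
    """Return a hit dict if the line matches the page's C2 traffic pattern."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, _status, ua = m.groups()
    path = url.split("?", 1)[0]
    # All three conditions are required. The UA prefix alone is the default
    # Chrome-on-Windows string and would match most legitimate browsing.
    if method != "POST":
        return None
    if not any(path.endswith(p) for p in C2_PATHS):
        return None
    if not ua.startswith(UA_PREFIX):
        return None
    return {"ts": ts, "src": src, "url": url,
            "reason": "POST to C2-style path with Xiangoop-style User-Agent"}


def scan_proxy_log(text):
    """Run match_proxy_line over every line of a log blob; return the hits."""
    hits = []
    for line in text.splitlines():
        hit = match_proxy_line(line)
        if hit:
            hits.append(hit)
    return hits


def match_host_event(ev):
    """Return a reason string if a host event matches a persistence indicator."""
    kind = ev.get("type")
    if kind == "task_create" and ev.get("name", "").lower() == TASK_NAME.lower():
        action = ev.get("action", "").lower()
        if action.endswith(LEGIT_GOOGLE_UPDATE_SUFFIX):
            return None  # assumed-legitimate Google Update task, see note above
        return "scheduled task imitating Google Update with unexpected action"
    if kind == "reg_set" and ev.get("key", "").lower() == RUN_KEY.lower():
        return "Run key persistence entry named Xiangoop"
    if kind == "mutex" and ev.get("name") == MUTEX_NAME:
        return "known Xiangoop mutex created"
    return None


def scan_host_events(events):
    """Return (event, reason) pairs for every event that matches."""
    return [(ev, r) for ev in events if (r := match_host_event(ev))]


def is_wellformed_sha256(value):
    """A SHA256 digest is exactly 64 hex characters; reject anything else."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


# Constructed sample input: one benign GET, one matching POST, one POST from a
# non-browser client to /api.php that should not match.
SAMPLE_PROXY_LOG = """\
2023-06-01T10:00:01Z 10.0.0.5 GET http://example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0 Safari/537.36"
2023-06-01T10:00:07Z 10.0.0.5 POST http://203.0.113.10/gate.php 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
2023-06-01T10:01:03Z 10.0.0.9 POST http://example.com/api.php?x=1 200 "curl/8.0"
"""

# Constructed sample host events: a legitimate-looking Google task, an
# imitation task, the Run key, the mutex, and an unrelated Run key entry.
SAMPLE_HOST_EVENTS = [
    {"type": "task_create", "name": "GoogleUpdateTaskMachineCore",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
    {"type": "task_create", "name": "GoogleUpdateTaskMachineCore",
     "action": r"C:\Users\Public\svc.exe"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Xiangoop"},
    {"type": "mutex", "name": r"Global\XiangoopMutex"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("NET ", hit)
    for ev, reason in scan_host_events(SAMPLE_HOST_EVENTS):
        print("HOST", reason, ev)
```

Two points worth carrying into any real deployment of these indicators. First, the User-Agent string and the task name are both deliberately chosen to look like legitimate Chrome and Google Update activity, so neither should be alerted on alone; the script only fires on the POST-plus-path-plus-UA combination and on a task whose action does not point at the expected Google Update binary. Second, the hash string quoted in the Detection Indicators section is 66 hexadecimal characters long, while a SHA256 digest is 64, so it should be checked against the original Trend Micro report before being loaded into a blocklist; is_wellformed_sha256 rejects it as written.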
