XoriumStealer
Stealer

⚠️ Overview
XoriumStealer is an information stealer malware first documented in early 2023 by researchers at Fortinet and Zscaler, reportedly developed by a Russian-speaking threat actor tracked as "Xorium." It belongs to the stealer category, specifically targeting credentials, cryptocurrency wallets, browser data, and system information for exfiltration via HTTP POST requests to actor-controlled C2 servers.
🔧 Technical Capabilities
XoriumStealer propagates through phishing emails with weaponized attachments (e.g., VBS scripts or ISO files) and through drive-by downloads from compromised websites. Once executed, it establishes persistence via a scheduled task named "AdAwareUpdateTask" and a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. C2 communication uses XOR-encrypted HTTP POST requests to hardcoded IP addresses or domains; the XOR key is derived from the system's volume ID, so it differs per victim, and a captured body can only be decoded with the victim's volume serial or by recovering the short repeating key from known plaintext. Evasion techniques include unhooking ntdll.dll to bypass user-mode EDR hooks, process hollowing into svchost.exe, and sandbox checks for a screen resolution below 900 pixels or for running VMware/VirtualBox processes. Associated MITRE ATT&CK techniques: T1566.001 (Spearphishing Attachment), T1059.005 (Visual Basic), T1053.005 (Scheduled Task), T1547.001 (Registry Run Keys / Startup Folder), T1497.001 (Virtualization/Sandbox Evasion: System Checks), T1573.001 (Encrypted Channel: Symmetric Cryptography), and T1055.012 (Process Hollowing).
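The following decoder is an added example for this page, not code from the malware or from the Fortinet/Zscaler reports. It shows how an analyst would recover a captured POST body given the volume-ID-derived key described above, and how the key can be recovered from the capture alone because a short repeating XOR key falls to a known-plaintext attack. The page does not say how the key is derived from the volume ID, so `derive_key()` (32-bit volume serial, little-endian, repeated) is an assumption; the sample report and serial are constructed for the demonstration.

```python
"""
Decoder for an XoriumStealer-style XOR-encrypted C2 POST body.

Added example; not the malware's or the vendors' code. The key schedule in
derive_key() is an ASSUMPTION: the page says only that the key is derived
from the system volume ID. Replace it with what an actual sample does.
"""
import json
import struct


def derive_key(volume_serial: int) -> bytes:
    # ASSUMPTION: key = 4-byte little-endian volume serial, repeated.
    return struct.pack("<I", volume_serial & 0xFFFFFFFF)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_post_body(body: bytes, volume_serial: int) -> bytes:
    """Decrypt a captured body when the victim's volume serial is known."""
    return xor_bytes(body, derive_key(volume_serial))


def recover_key(body: bytes, known_prefix: bytes, key_len: int = 4) -> bytes:
    """Recover a repeating key from the capture alone (no host access) using
    a known plaintext prefix; a JSON report starts with predictable bytes."""
    if len(known_prefix) < key_len or len(body) < key_len:
        raise ValueError("need at least key_len bytes of body and known plaintext")
    return bytes(body[i] ^ known_prefix[i] for i in range(key_len))


def parse_report(plaintext: bytes) -> dict:
    """Sanity check: the right key yields parseable JSON, a wrong one raises."""
    return json.loads(plaintext.decode("utf-8"))


# Constructed sample (not real traffic): a report as it might look before
# encryption, plus the volume serial of a fictitious victim host.
SAMPLE_SERIAL = 0x1A2B3C4D
SAMPLE_PLAINTEXT = json.dumps(
    {"host": "WKS-01", "user": "j.doe", "wallets": ["Exodus", "Electrum"]},
    separators=(",", ":"),
).encode()
SAMPLE_BODY = xor_bytes(SAMPLE_PLAINTEXT, derive_key(SAMPLE_SERIAL))

if __name__ == "__main__":
    print(parse_report(decode_post_body(SAMPLE_BODY, SAMPLE_SERIAL)))
    print("recovered key:", recover_key(SAMPLE_BODY, b'{"host"').hex())
```

Because the key repeats every four bytes, only the first four bytes of plaintext need to be guessed; if the report is not JSON in a real sample, substitute whatever fixed header the sample writes first.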
📜 History & Notable Incidents
XoriumStealer first appeared in February 2023, as reported in a Zscaler ThreatLabz blog post (March 2023), with initial campaigns targeting the e-commerce and logistics sectors in India, the Philippines, and Brazil. In April 2023, a campaign attributed to the same actor used a fake CAPTCHA page to deliver the stealer, as described by FortiGuard Labs. No specific CVEs are exploited; it relies entirely on social engineering. Law enforcement actions have not been publicly documented against this group as of 2025.
🔍 Detection Indicators
Known file hashes include SHA-256: d1a3c9f7e4b2a5c... (truncated per policy; full hash available in vendor reports); note that hashes change with every build, so the behavioral and network indicators below are the more durable signals. Behavioral indicators include creation of the mutex "XoriumMutex" upon first run. Network IOCs include HTTP POST requests to domains such as vpn-update[.]top and system-check[.]net with the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Xorium/1.0". The registry persistence value HKCU\...\Run\XoriumUpdater is commonly observed.
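To turn the indicators above into something a practitioner can run, here is an added example (not vendor-supplied detection content) that scans log lines for the C2 domains, the User-Agent string, the mutex, the scheduled task and the Run value. The key=value log format and the sample lines are constructed for the demonstration; the matching functions are what you would carry over to your own proxy and EDR telemetry. It generalizes slightly beyond the page by also matching subdomains of the listed C2 domains and any "Xorium/" User-Agent version.

```python
"""
Scan proxy/EDR-style log lines for the XoriumStealer indicators on this page.
Added example; the log format and sample lines are constructed, not real data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


def refang(ioc: str) -> str:
    """Turn a defanged domain (vpn-update[.]top) back into a matchable one."""
    return ioc.replace("[.]", ".")


# Indicators as published on this page (domains kept defanged, refanged once).
C2_DOMAINS = {refang(d) for d in ("vpn-update[.]top", "system-check[.]net")}
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Xorium/1.0"
MUTEX_NAME = "XoriumMutex"
TASK_NAME = "AdAwareUpdateTask"
RUN_VALUE = "XoriumUpdater"


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    detail: str


KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Parse key=value and key="quoted value" pairs (constructed format)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def is_c2_domain(host: str) -> bool:
    """Exact match or subdomain of a listed C2 domain (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def check(fields: Dict[str, str], line_no: int) -> List[Hit]:
    hits: List[Hit] = []
    host = fields.get("host", "")
    if host and is_c2_domain(host):
        hits.append(Hit(line_no, "c2_domain", host))
    ua = fields.get("ua", "")
    # Exact published UA, plus any later "Xorium/x.y" version bump.
    if ua == USER_AGENT or "Xorium/" in ua:
        hits.append(Hit(line_no, "user_agent", ua))
    event = fields.get("event", "")
    name = fields.get("name", "")
    if event == "mutex_create" and name == MUTEX_NAME:
        hits.append(Hit(line_no, "mutex", name))
    if event == "task_create" and name.lower() == TASK_NAME.lower():
        hits.append(Hit(line_no, "scheduled_task", name))
    if (event == "reg_set"
            and fields.get("value", "").lower() == RUN_VALUE.lower()
            and fields.get("key", "").lower().endswith("\\currentversion\\run")):
        hits.append(Hit(line_no, "registry_run", fields["key"] + "\\" + fields["value"]))
    return hits


def scan(log_text: str) -> List[Hit]:
    hits: List[Hit] = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        if line.strip():
            hits.extend(check(parse_line(line), n))
    return hits


# Constructed sample log: one benign request, then activity matching the page.
SAMPLE_LOG = r"""
ts=2023-03-02T10:15:01Z src=10.0.0.5 method=GET host=update.microsoft.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
ts=2023-03-02T10:15:07Z src=10.0.0.5 method=POST host=vpn-update.top path=/gate ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Xorium/1.0"
ts=2023-03-02T10:15:07Z event=mutex_create computer=WKS-01 name=XoriumMutex
ts=2023-03-02T10:15:08Z event=task_create computer=WKS-01 name=AdAwareUpdateTask
ts=2023-03-02T10:15:08Z event=reg_set computer=WKS-01 key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value=XoriumUpdater
ts=2023-03-02T10:16:30Z src=10.0.0.5 method=POST host=mail.system-check.net path=/gate ua="curl/8.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.indicator} -> {hit.detail}")
```

The registry check deliberately keys on the Run path ending plus the value name rather than the full defanged path from the page, since HKCU\... is elided there and the real key is the one given in the Technical Capabilities section.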
☠️ Risk & Impact
XoriumStealer exfiltrates saved credentials from browsers (Chrome, Edge, Firefox), cryptocurrency wallet files (e.g., Exodus, Electrum), and system information (IP, geolocation, installed antivirus). The stolen data can be used for account takeover, financial fraud, or sold on underground forums; estimated losses are difficult to quantify but incident reports from Zscaler indicate compromised business email accounts leading to BEC attacks in several SMEs. The stealer's lightweight design allows it to infect systems with minimal footprint, increasing dwell time.
🛡️ Mitigation
Mitigation includes blocking the listed domains (and any IP addresses given in the vendor reports) at the network perimeter, implementing application control for script execution so VBS attachments cannot run, and deploying EDR with behavioral rules for process hollowing (MITRE T1055.012) and for the scheduled-task and Run-key persistence described above. Because file hashes change per build, prioritise the behavioral and network indicators (task name, mutex, User-Agent string, C2 domains) over hash blocking. Fortinet and Zscaler provide YARA rules and Snort signatures for XoriumStealer in their respective threat intelligence feeds.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.