- Check Point used GenAI to semi-automate the reverse engineering of the elusive XLoader infostealer
- AI decrypted code, exposed APIs and revealed 64 hidden C2 domains and sandbox evasion tricks
- XLoader evolved from Formbook; AI increases the speed of analysis, but does not replace human malware analysts
Cyber security researchers from Check Point Research may have just cracked one of the most insidious malware families ever, thanks to Generative Artificial Intelligence (GenAI).
In a new blog post, the researchers explained how analyzing the malware is a slow, manual process that requires researchers to “unpack binaries, trace functions, and build decryption scripts.” Analyzing XLoader—a notorious infostealer that’s been around for about half a decade—is even more difficult because it can’t be sandboxed.
That’s when Check Point turned to AI for help. Using ChatGPT, the researchers combined two complementary workflows: cloud-based static analysis and MCP-assisted runtime analysis. The first exports data from IDA Pro and lets AI analyze it in the cloud. “The model identified encryption algorithms, recognized data structures, and even generated Python scripts to decrypt sections of code,” the researchers explained.
Unpacking XLoader
The second connected the AI to a live debugger to extract runtime values such as encryption keys, decrypted buffers, and C2 data in memory. “This hybrid AI workflow transformed tedious manual reverse engineering into a semi-automated process that is faster, repeatable and easy to share across teams.”
Check Point was impressed with the results. They claim to have decrypted kernel code, revealed encryption layers, exposed hidden APIs, recovered 64 hidden C2 domains and discovered a new sandbox evasion mechanism called “secure-call-trampoline”.
In short, AI helped unpack how XLoader hides, communicates and protects itself, which is crucial information in the fight against infections. Still, Check Point emphasized that despite the great work, AI “does not replace malware analysts,” but rather “supercharges” them with speed, reproducibility, insight and defense.
The earliest records of XLoader date back to 2021, when Check Point Research saw it in the wild stealing data from macOS users. It evolved from the infamous Formbook malware, which by then had been active for over five years and primarily targeted Windows users. Formbook was originally created as a simple keylogger before being upgraded and renamed XLoader.