Blog
/
Endpoint
/
November 23, 2022

How Darktrace Could Have Stopped a Surprise DDoS Incident

Learn how Darktrace could revolutionize DDoS defense, enabling companies to stop threats without 24/7 monitoring. Read more about how we thwart attacks!
Written by
Steven Sosa
Analyst Team Lead
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Steven Sosa
Analyst Team Lead
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
23
Nov 2022

When is the best time to be hit with a cyber-attack?

The answer that springs to most is ‘Never’,  however in today’s threat landscape, this is often wishful thinking. The next best answer is ‘When we’re ready for it’. Yet, this does not take into account the intention of those committing attacks. The reality is that the best time for a cyber-attack is when no one else is around to stop it.

When do cyber attacks happen?

Previous analysis from Mandiant reveals that over half of ransomware compromises occur at out of work hours, a trend Darktrace has also witnessed in the past two years [1]. This is deliberate, as the fewer people that are online, the harder it is to get ahold of security teams and the higher the likelihood there is of an attacker achieving their goals. Given this landscape, it is clear that autonomous response is more important than ever. In the absence of human resources, autonomous security can fill in the gap long enough for IT teams to begin remediation. 

This blog will detail an incident where autonomous response provided by Darktrace RESPOND would have entirely prevented an infection attempt, despite it occurring in the early hours of the morning. Because the customer had RESPOND in human confirmation mode (AI response must first be approved by a human), the attempt by XorDDoS was ultimately successful. Given that the attack occurred in the early hours of the morning, there was likely no one around to confirm Darktrace RESPOND actions and prevent the attack.

XorDDoS Primer

XorDDoS is a botnet, a type of malware that infects devices for the purpose of controlling them as a collective to carry out specific actions. In the case of XorDDoS, it infects devices in order to carry out denial of service attacks using said devices. This year, Microsoft has reported a substantial increase in activity from this malware strain, with an increased focus on Linux based operating systems [2]. XorDDoS most commonly finds its way onto systems via SSH brute-forcing, and once deployed, encrypts its traffic with an XOR cipher. XorDDoS has also been known to download additional payloads such as backdoors and cryptominers. Needless to say, this is not something you have on a corporate network. 

Initial Intrusion of XorDDoS

The incident begins with a device first coming online on 10th August. The device appeared to be internet facing and Darktrace saw hundreds of incoming SSH connections to the device from a variety of endpoints. Over the course of the next five days, the device received thousands of failed SSH connections from several IP addresses that, according to OSINT, may be associated with web scanners [3]. Successful SSH connections were seen from internal IP addresses as well as IP addresses associated with IT solutions relevant to Asia-Pacific (the customer’s geographic location). On midnight of 15th August, the first successful SSH connection occurred from an IP address that has been associated with web scanning. This connection lasted around an hour and a half, and the external IP uploaded around 3.3 MB of data to the client device. Given all of this, and what the industry knows about XorDDoS, it is likely that the client device had SSH exposed to the Internet which was then brute-forced for initial access. 

There were a few hours of dwell until the device downloaded a ZIP file from an Iraqi mirror site, mirror[.]earthlink[.]iq at around 6AM in the customer time zone. The endpoint had only been seen once before and was 100% rare for the network. Since there has been no information on OSINT around this particular endpoint or the ZIP files downloaded from the mirror site, the detection was based on the unusualness of the download.

Following this, Darktrace saw the device make a curl request to the external IP address 107.148.210[.]218. This was highlighted as the user agent associated with curl had not been seen on the device before, and the connection was made directly to an IP address without a hostname (suggesting that the connection was scripted). The URIs of these requests were ‘1.txt’ and ‘2.txt’. 

The ‘.txt’ extensions on the URIs were deceiving and it turned out that both were executable files masquerading as text files. OSINT on both of the hashes revealed that the files were likely associated with XorDDoS. Additionally, judging from packet captures of the connection, the true file extension appeared to be ‘.ELF’. As XorDDoS primarily affects Linux devices, this would make sense as the true extension of the payload. 

Figure 1: Packet capture of the curl request made by the breach device.

C2 Connections

Immediately after the ‘.ELF’ download, Darktrace saw the device attempting C2 connections. This included connections to DGA-like domains on unusual ports such as 1525 and 8993. Luckily, the client’s firewall seems to have blocked these connections, but that didn’t stop XorDDoS. XorDDoS continued to attempt connections to C2 domains, which triggered several Proactive Threat Notifications (PTNs) that were alerted by SOC. Following the PTNs, the client manually quarantined the device a few hours after the initial breach. This lapse in actioning was likely due to an early morning timing with the customer’s employees not being online yet. After the device was quarantined, Darktrace still saw XorDDoS attempting C2 connections. In all, hundreds of thousands of C2 connections were detected before the device was removed from the network sometime on 7th September.

Figure 2: AI Analyst was able to identify the anomalous activity and group it together in an easy to parse format.

An Alternate Timeline 

Although the device was ultimately removed, this attack would have been entirely prevented had RESPOND/Network not been in human confirmation mode. Autonomous response would have kicked in once the device downloaded the ‘.ZIP file’ from the Iraqi mirror site and blocked all outgoing connections from the breach device for an hour:

Figure 3: Screenshot of the first Antigena (RESPOND) breach that would have prevented all subsequent activity.

The model breach in Figure 3 would have prevented the download of the XorDDoS executables, and then prevented the subsequent C2 connections. This hour would have been crucial, as it would have given enough time for members of the customer’s security team to get back online should the compromised device have attempted anything else. With everyone attentive, it is unlikely that this activity would have lasted as long as it did. Had the attack been allowed to progress further, the infected device would have at the very least been an unwilling participant in a future DDoS attack. Additionally, the device could have a backdoor placed within it, and additional malware such as cryptojackers might have been deployed. 

Conclusions 

Unfortunately, we do not exist in the alternate timeline that autonomous response would have prevented this whole series of events.Luckily, although it was not in place, the PTN alerts provided by Darktrace’s SOC team still sped up the process of remediation in an event that was never intended to be discovered given the time it occurred. Unusual times of attack are not just limited to ransomware, so organizations need to have measures in place for the times that are most inconvenient to them, but most convenient to attackers. With Darktrace/RESPOND however, this is just one click away.

Thanks to Brianna Leddy for their contribution.

Appendices

Darktrace Model Detections

Below is a list of model breaches in order of trigger. The Proactive Threat Notification models are in bold and only the first Antigena [RESPOND] breach that would have prevented the initial compromise has been included. A manual quarantine breach has also been added to show when the customer began remediation.

  • Compliance / Incoming SSH, August 12th 23:39 GMT +8
  • Anomalous File / Zip or Gzip from Rare External Location, August 15th, 6:07 GMT +8 
  • Antigena / Network / External Threat / Antigena File then New Outbound Block, August 15th 6:36 GMT +8 [part of the RESPOND functionality]
  • Anomalous Connection / New User Agent to IP Without Hostname, August 15th 6:59 GMT +8
  • Anomalous File / Numeric Exe Download, August 15th 6:59 GMT +8
  • Anomalous File / Masqueraded File Transfer, August 15th 6:59 GMT +8
  • Anomalous File / EXE from Rare External Location, August 15th 6:59 GMT +8
  • Device / Internet Facing Device with High Priority Alert, August 15th 6:59 GMT +8
  • Compromise / Rare Domain Pointing to Internal IP, August 15th 6:59 GMT +8
  • Device / Initial Breach Chain Compromise, August 15th 6:59 GMT +8
  • Compromise / Large Number of Suspicious Failed Connections, August 15th 7:01 GMT +8
  • Compromise / High Volume of Connections with Beacon Score, August 15th 7:04 GMT +8
  • Compromise / Fast Beaconing to DGA, August 15th 7:04 GMT +8
  • Compromise / Suspicious File and C2, August 15th 7:04 GMT +8
  • Antigena / Network / Manual / Quarantine Device, August 15th 8:54 GMT +8 [part of the RESPOND functionality]

List of IOCs

MITRE ATT&CK Mapping

Reference List

[1] They Come in the Night: Ransomware Deployment Trends

[2] Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices

[3] Alien Vault: Domain Navicatadvvr & https://www.virustotal.com/gui/domain/navicatadvvr.com & https://maltiverse.com/hostname/navicatadvvr.com

Written by
Steven Sosa
Analyst Team Lead
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Steven Sosa
Analyst Team Lead

Xillen Stealer Updates to Version 5 to Evade AI Detection

Network
November 20, 2025
Tara Gould
Threat Researcher
Watch the NIS2 Webinar
Trending blogs
1
Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability
Jul 2, 2025
2
Darktrace Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response
Jun 2, 2025
3
Evaluating Email Security: How to Select the Best Solution for Your Organization
May 21, 2025
4
2025 Cyber Threat Landscape: Darktrace’s Mid-Year Review
Aug 5, 2025
5
Introducing the AI Maturity Model for Cybersecurity
Jul 16, 2025

More in this series

No items found.
Continue reading
Endpoint
December 12, 2022

ML Integration for Third-Party EDR Alerts

The advantages and benefits of combining EDR technologies with Darktrace: how this integration can enhance your cybersecurity strategy.
Max Heinemeyer
Global Field CISO
Read more
Endpoint
December 1, 2022

Prevent Data Exfiltration & Know When to Respond

Over 300GB of data was exfiltrated from a customer network before Darktrace services intervened. Learn the power of Darktrace in autonomous mode.
Anna Gilbertson
Cyber Security Analyst
Read more
Endpoint
September 12, 2022

Self-Learning AI: Protecting Endpoints Effectively

How effective is self-learning AI in endpoint security? Get insights from a customer's experience with Darktrace's innovative solutions.
Narinder Bains
Infrastructure Manager, National Farmers' Union (Guest Contributor)
Read more

Blog

/

OT

/

November 20, 2025

Managing OT Remote Access with Zero Trust Control & AI Driven Detection

managing OT remote access with zero trust control and ai driven detectionDefault blog imageDefault blog image

The shift toward IT-OT convergence

Recently, industrial environments have become more connected and dependent on external collaboration. As a result, truly air-gapped OT systems have become less of a reality, especially when working with OEM-managed assets, legacy equipment requiring remote diagnostics, or third-party integrators who routinely connect in.

This convergence, whether it’s driven by digital transformation mandates or operational efficiency goals, are making OT environments more connected, more automated, and more intertwined with IT systems. While this convergence opens new possibilities, it also exposes the environment to risks that traditional OT architectures were never designed to withstand.

The modernization gap and why visibility alone isn’t enough

The push toward modernization has introduced new technology into industrial environments, creating convergence between IT and OT environments, and resulting in a lack of visibility. However, regaining that visibility is just a starting point. Visibility only tells you what is connected, not how access should be governed. And this is where the divide between IT and OT becomes unavoidable.

Security strategies that work well in IT often fall short in OT, where even small missteps can lead to environmental risk, safety incidents, or costly disruptions. Add in mounting regulatory pressure to enforce secure access, enforce segmentation, and demonstrate accountability, and it becomes clear: visibility alone is no longer sufficient. What industrial environments need now is precision. They need control. And they need to implement both without interrupting operations. All this requires identity-based access controls, real-time session oversight, and continuous behavioral detection.

The risk of unmonitored remote access

This risk becomes most evident during critical moments, such as when an OEM needs urgent access to troubleshoot a malfunctioning asset.

Under that time pressure, access is often provisioned quickly with minimal verification, bypassing established processes. Once inside, there’s little to no real-time oversight of user actions whether they’re executing commands, changing configurations, or moving laterally across the network. These actions typically go unlogged or unnoticed until something breaks. At that point, teams are stuck piecing together fragmented logs or post-incident forensics, with no clear line of accountability.  

In environments where uptime is critical and safety is non-negotiable, this level of uncertainty simply isn’t sustainable.

The visibility gap: Who’s doing what, and when?

The fundamental issue we encounter is the disconnect between who has access and what they are doing with it.  

Traditional access management tools may validate credentials and restrict entry points, but they rarely provide real-time visibility into in-session activity. Even fewer can distinguish between expected vendor behavior and subtle signs of compromise, misuse or misconfiguration.  

As a result, OT and security teams are often left blind to the most critical part of the puzzle, intent and behavior.

Closing the gaps with zero trust controls and AI‑driven detection

Managing remote access in OT is no longer just about granting a connection, it’s about enforcing strict access parameters while continuously monitoring for abnormal behavior. This requires a two-pronged approach: precision access control, and intelligent, real-time detection.

Zero Trust access controls provide the foundation. By enforcing identity-based, just-in-time permissions, OT environments can ensure that vendors and remote users only access the systems they’re explicitly authorized to interact with, and only for the time they need. These controls should be granular enough to limit access down to specific devices, commands, or functions. By applying these principles consistently across the Purdue Model, organizations can eliminate reliance on catch-all VPN tunnels, jump servers, and brittle firewall exceptions that expose the environment to excess risk.

Access control is only one part of the equation

Darktrace / OT complements zero trust controls with continuous, AI-driven behavioral detection. Rather than relying on static rules or pre-defined signatures, Darktrace uses Self-Learning AI to build a live, evolving understanding of what’s “normal” in the environment, across every device, protocol, and user. This enables real-time detection of subtle misconfigurations, credential misuse, or lateral movement as they happen, not after the fact.

By correlating user identity and session activity with behavioral analytics, Darktrace gives organizations the full picture: who accessed which system, what actions they performed, how those actions compared to historical norms, and whether any deviations occurred. It eliminates guesswork around remote access sessions and replaces it with clear, contextual insight.

Importantly, Darktrace distinguishes between operational noise and true cyber-relevant anomalies. Unlike other tools that lump everything, from CVE alerts to routine activity, into a single stream, Darktrace separates legitimate remote access behavior from potential misuse or abuse. This means organizations can both audit access from a compliance standpoint and be confident that if a session is ever exploited, the misuse will be surfaced as a high-fidelity, cyber-relevant alert. This approach serves as a compensating control, ensuring that even if access is overextended or misused, the behavior is still visible and actionable.

If a session deviates from learned baselines, such as an unusual command sequence, new lateral movement path, or activity outside of scheduled hours, Darktrace can flag it immediately. These insights can be used to trigger manual investigation or automated enforcement actions, such as access revocation or session isolation, depending on policy.

This layered approach enables real-time decision-making, supports uninterrupted operations, and delivers complete accountability for all remote activity, without slowing down critical work or disrupting industrial workflows.

Where Zero Trust Access Meets AI‑Driven Oversight:

  • Granular Access Enforcement: Role-based, just-in-time access that aligns with Zero Trust principles and meets compliance expectations.
  • Context-Enriched Threat Detection: Self-Learning AI detects anomalous OT behavior in real time and ties threats to access events and user activity.
  • Automated Session Oversight: Behavioral anomalies can trigger alerting or automated controls, reducing time-to-contain while preserving uptime.
  • Full Visibility Across Purdue Layers: Correlated data connects remote access events with device-level behavior, spanning IT and OT layers.
  • Scalable, Passive Monitoring: Passive behavioral learning enables coverage across legacy systems and air-gapped environments, no signatures, agents, or intrusive scans required.

Complete security without compromise

We no longer have to choose between operational agility and security control, or between visibility and simplicity. A Zero Trust approach, reinforced by real-time AI detection, enables secure remote access that is both permission-aware and behavior-aware, tailored to the realities of industrial operations and scalable across diverse environments.

Because when it comes to protecting critical infrastructure, access without detection is a risk and detection without access control is incomplete.

Continue reading
About the author
Pallavi Singh
Product Marketing Manager, OT Security & Compliance

Blog

/

Network

/

November 21, 2025

Xillen Stealer Updates to Version 5 to Evade AI Detection

xillen stealer updates to version 5 to evade ai detectionDefault blog imageDefault blog image

Introduction

Python-based information stealer “Xillen Stealer” has recently released versions 4 and 5, expanding its targeting and functionality. The cross-platform infostealer, originally reported by Cyfirma in September 2025, targets sensitive data including credentials, cryptocurrency wallets, system information, browser data and employs anti-analysis techniques.  

The update to v4/v5 includes significantly more functionality, including:

  • Persistence
  • Ability to steal credentials from password managers, social media accounts, browser data (history, cookies and passwords) from over 100 browsers, cryptocurrency from over 70 wallets
  • Kubernetes configs and secrets
  • Docker scanning
  • Encryption
  • Polymorphism
  • System hooks
  • Peer-to-Peer (P2P) Command-and-Control (C2)
  • Single Sign-On (SSO) collector
  • Time-Based One-Time Passwords (TOTP) and biometric collection
  • EDR bypass
  • AI evasion
  • Interceptor for Two-Factor Authentication (2FA)
  • IoT scanning
  • Data exfiltration via Cloud APIs

Xillen Stealer is marketed on Telegram, with different licenses available for purchase. Users who deploy the malware have access to a professional-looking GUI that enables them to view exfiltrated data, logs, infections, configurations and subscription information.

Screenshot of the Xillen Stealer portal.
Figure 1: Screenshot of the Xillen Stealer portal.

Technical analysis

The following technical analysis examines some of the interesting functions of Xillen Stealer v4 and v5. The main functionality of Xillen Stealer is to steal cryptocurrency, credentials, system information, and account information from a range of stores.

Xillen Stealer specifically targets the following wallets and browsers:

AITargetDectection

Screenshot of Xillen Stealer’s AI Target detection function.
Figure 2: Screenshot of Xillen Stealer’s AI Target detection function.

The ‘AITargetDetection’ class is intended to use AI to detect high-value targets based on weighted indicators and relevant keywords defined in a dictionary. These indicators include “high value targets”, like cryptocurrency wallets, banking data, premium accounts, developer accounts, and business emails. Location indicators include high-value countries such as the United States, United Kingdom, Germany and Japan, along with cryptocurrency-friendly countries and financial hubs. Wealth indicators such as keywords like CEO, trader, investor and VIP have also been defined in a dictionary but are not in use at this time, pointing towards the group’s intent to develop further in the future.

While the class is named ‘AITargetDetection’ and includes placeholder functions for initializing and training a machine learning model, there is no actual implementation of machine learning. Instead, the system relies entirely on rule-based pattern matching for detection and scoring. Even though AI is not actually implemented in this code, it shows how malware developers could use AI in future malicious campaigns.

Screenshot of dead code function.
Figure 3: Screenshot of dead code function.

AI Evasion

Screenshot of AI evasion function to create entropy variance.
Figure 4: Screenshot of AI evasion function to create entropy variance.

‘AIEvasionEngine’ is a module designed to help malware evade AI-based or behavior-based detection systems, such as EDRs and sandboxes. It mimics legitimate user and system behavior, injects statistical noise, randomizes execution patterns, and camouflages resource usage. Its goal is to make the malware appear benign to machine learning detectors. The techniques used to achieve this are:

  • Behavioral Mimicking: Simulates user actions (mouse movement, fake browser use, file/network activity)
  • Noise Injection: Performs random memory, CPU, file, and network operations to confuse behavioral classifiers
  • Timing Randomization: Introduces irregular delays and sleep patterns to avoid timing-based anomaly detection
  • Resource Camouflage: Adjusts CPU and memory usage to imitate normal apps (such as browsers, text editors)
  • API Call Obfuscation: Random system API calls and pattern changes to hide malicious intent
  • Memory Access Obfuscation: Alters access patterns and entropy to bypass ML models monitoring memory behavior

PolymorphicEngine

As part of the “Rust Engine” available in Xillen Stealer is the Polymorphic Engine. The ‘PolymorphicEngine’ struct implements a basic polymorphic transformation system designed for obfuscation and detection evasion. It uses predefined instruction substitutions, control-flow pattern replacements, and dead code injection to produce varied output. The mutate_code() method scans input bytes and replaces recognized instruction patterns with randomized alternatives, then applies control flow obfuscation and inserts non-functional code to increase variability. Additional features include string encryption via XOR and a stub-based packer.

Collectors

DevToolsCollector

Figure 5: Screenshot of Kubernetes data function.

The ‘DevToolsCollector’ is designed to collect sensitive data related to a wide range of developer tools and environments. This includes:

IDE configurations

  • VS Code, VS Code Insiders, Visual Studio
  • JetBrains: Intellij, PyCharm, WebStorm
  • Sublime
  • Atom
  • Notepad++
  • Eclipse

Cloud credentials and configurations

  • AWS
  • GCP
  • Azure
  • Digital Ocean
  • Heroku

SSH keys

Docker & Kubernetes configurations

Git credentials

Database connection information

  • HeidiSQL
  • Navicat
  • DBeaver
  • MySQL Workbench
  • pgAdmin

API keys from .env files

FTP configs

  • FileZilla
  • WinSCP
  • Core FTP

VPN configurations

  • OpenVPN
  • WireGuard
  • NordVPN
  • ExpressVPN
  • CyberGhost

Container persistence

Screenshot of Kubernetes inject function.
Figure 6: Screenshot of Kubernetes inject function.

Biometric Collector

Screenshot of the ‘BiometricCollector’ function.
Figure 7: Screenshot of the ‘BiometricCollector’ function.

The ‘BiometricCollector’ attempts to collect biometric information from Windows systems by scanning the C:\Windows\System32\WinBioDatabase directory, which stores Windows Hello and other biometric configuration data. If accessible, it reads the contents of each file, encodes them in Base64, preparing them for later exfiltration. While the data here is typically encrypted by Windows, its collection indicates an attempt to extract sensitive biometric data.

Password Managers

The ‘PasswordManagerCollector’ function attempts to steal credentials stored in password managers including, OnePass, LastPass, BitWarden, Dashlane, NordPass and KeePass. However, this function is limited to Windows systems only.

SSOCollector

The ‘SSOCollector’ class is designed to collect authentication tokens related to SSO systems. It targets three main sources: Azure Active Directory tokens stored under TokenBroker\Cache, Kerberos tickets obtained through the klist command, and Google Cloud authentication data in user configuration folders. For each source, it checks known directories or commands, reads partial file contents, and stores the results as in a dictionary. Once again, this function is limited to Windows systems.

TOTP Collector

The ‘TOTP Collector’ class attempts to collect TOTPs from:

  • Authy Desktop by locating and reading from Authy.db SQLite databases
  • Microsoft Authenticator by scanning known application data paths for stored binary files
  • TOTP-related Chrome extensions by searching LevelDB files for identifiable keywords like “gauth” or “authenticator”.

Each method attempts to locate relevant files, parse or partially read their contents, and store them in a dictionary under labels like authy, microsoft_auth, or chrome_extension. However, as before, this is limited to Windows, and there is no handling for encrypted tokens.

Enterprise Collector

The ‘EnterpriseCollector’ class is used to extract credentials related to an enterprise Windows system. It targets configuration and credential data from:

  • VPN clients
    • Cisco AnyConnect, OpenVPN, Forticlient, Pulse Secure
  • RDP credentials
  • Corporate certificates
  • Active Directory tokens
  • Kerberos tickets cache

The files and directories are located based on standard environment variables with their contents read in binary mode and then encoded in Base64.

Super Extended Application Collector

The ‘SuperExtendedApplication’ Collector class is designed to scan an environment for 160 different applications on a Windows system. It iterates through the paths of a wide range of software categories including messaging apps, cryptocurrency wallets, password managers, development tools, enterprise tools, gaming clients, and security products. The list includes but is not limited to Teams, Slack, Mattermost, Zoom, Google Meet, MS Office, Defender, Norton, McAfee, Steam, Twitch, VMWare, to name a few.

Bypass

AppBoundBypass

This code outlines a framework for bypassing App Bound protections, Google Chrome' s cookie encryption. The ‘AppBoundBypass’ class attempts several evasion techniques, including memory injection, dynamic-link library (DLL) hijacking, process hollowing, atom bombing, and process doppelgänging to impersonate or hijack browser processes. As of the time of writing, the code contains multiple placeholders, indicating that the code is still in development.

Steganography

The ‘SteganographyModule’ uses steganography (hiding data within an image) to hide the stolen data, staging it for exfiltration. Multiple methods are implemented, including:

  • Image steganography: LSB-based hiding
  • NTFS Alternate Data Streams
  • Windows Registry Keys
  • Slack space: Writing into unallocated disk cluster space
  • Polyglot files: Appending archive data to images
  • Image metadata: Embedding data in EXIF tags
  • Whitespace encoding: Hiding binary in trailing spaces of text files

Exfiltration

CloudProxy

Screenshot of the ‘CloudProxy’ class.
Figure 8: Screenshot of the ‘CloudProxy’ class.

The CloudProxy class is designed for exfiltrating data by routing it through cloud service domains. It encodes the input data using Base64, attaches a timestamp and SHA-256 signature, and attempts to send this payload as a JSON object via HTTP POST requests to cloud URLs including AWS, GCP, and Azure, allowing the traffic to blend in. As of the time of writing, these public facing URLs do not accept POST requests, indicating that they are placeholders meant to be replaced with attacker-controlled cloud endpoints in a finalized build.

P2PEngine

Screenshot of the P2PEngine.
Figure 9: Screenshot of the P2PEngine.

The ‘P2PEngine’ provides multiple methods of C2, including embedding instructions within blockchain transactions (such as Bitcoin OP_RETURN, Ethereum smart contracts), exfiltrating data via anonymizing networks like Tor and I2P, and storing payloads on IPFS (a distributed file system). It also supports domain generation algorithms (DGA) to create dynamic .onion addresses for evading detection.

After a compromise, the stealer creates both HTML and TXT reports containing the stolen data. It then sends these reports to the attacker’s designated Telegram account.

Xillen Killers

 Xillen Killers.
FIgure 10: Xillen Killers.

Xillen Stealer appears to be developed by a self-described 15-year-old “pentest specialist” “Beng/jaminButton” who creates TikTok videos showing basic exploits and open-source intelligence (OSINT) techniques. The group distributing the information stealer, known as “Xillen Killers”, claims to have 3,000 members. Additionally, the group claims to have been involved in:

  • Analysis of Project DDoSia, a tool reportedly used by the NoName057(16) group, revealing that rather functioning as a distributed denial-of-service (DDos) tool, it is actually a remote access trojan (RAT) and stealer, along with the identification of involved individuals.
  • Compromise of doxbin.net in October 2025.
  • Discovery of vulnerabilities on a Russian mods site and a Ukrainian news site

The group, which claims to be part of the Russian IT scene, use Telegram for logging, marketing, and support.

Conclusion

While some components of XillenStealer remain underdeveloped, the range of intended feature set, which includes credential harvesting, cryptocurrency theft, container targeting, and anti-analysis techniques, suggests that once fully developed it could become a sophisticated stealer. The intention to use AI to help improve targeting in malware campaigns, even though not yet implemented, indicates how threat actors are likely to incorporate AI into future campaigns.  

Credit to Tara Gould (Threat Research Lead)
Edited by Ryan Traill (Analyst Content Lead)

Appendicies

Indicators of Compromise (IoCs)

395350d9cfbf32cef74357fd9cb66134 - confid.py

F3ce485b669e7c18b66d09418e979468 - stealer_v5_ultimate.py

3133fe7dc7b690264ee4f0fb6d867946 - xillen_v5.exe

https://github[.]com/BengaminButton/XillenStealer

https://github[.]com/BengaminButton/XillenStealer/commit/9d9f105df4a6b20613e3a7c55379dcbf4d1ef465

MITRE ATT&CK

ID Technique

T1059.006 - Python

T1555 - Credentials from Password Stores

T1555.003 - Credentials from Password Stores: Credentials from Web Browsers

T1555.005 - Credentials from Password Stores: Password Managers

T1649 - Steal or Forge Authentication Certificates

T1558 - Steal or Forge Kerberos Tickets

T1539 - Steal Web Session Cookie

T1552.001 - Unsecured Credentials: Credentials In Files

T1552.004 - Unsecured Credentials: Private Keys

T1552.005 - Unsecured Credentials: Cloud Instance Metadata API

T1217 - Browser Information Discovery

T1622 - Debugger Evasion

T1082 - System Information Discovery

T1497.001 - Virtualization/Sandbox Evasion: System Checks

T1115 - Clipboard Data

T1001.002 - Data Obfuscation: Steganography

T1567 - Exfiltration Over Web Service

T1657 - Financial Theft

Continue reading
About the author
Tara Gould
Threat Researcher
Your data. Our AI.
Elevate your network security with Darktrace AI