Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

X-Files

130
Global rank
122 infographic chevron month
Month rank
101 infographic chevron week
Week rank
0
IOCs

X-FILES Stealer is a sophisticated malware designed to infiltrate systems and steal sensitive information, targeting login credentials for email, social media, and other personal accounts. It captures data and transmits it back to the attacker’s command-and-control server. X-FILES Stealer employs advanced evasion techniques to avoid detection, making it a persistent threat in the cyber landscape.

Stealer
Type
Unknown
Origin
15 March, 2021
First seen
20 April, 2025
Last seen

How to analyze X-Files with ANY.RUN

Type
Unknown
Origin
15 March, 2021
First seen
20 April, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
How Threat Intelligence Feeds Help During Inc...
watchers 633
comments 0
post image
PE32 Ransomware: A New Telegram-Based Threat...
watchers 3339
comments 0
post image
Seamlessly Integrate ANY.RUN’s Services into...
watchers 479
comments 0

What is X-FILES malware?

X-FILES is a sophisticated infostealer that primarily targets sensitive data, including login credentials, financial information, and other personal details. Since its initial discovery in March 2021, the malware has undergone various updates that have enhanced its capabilities and delivery methods.

While specific campaigns are not widely publicized, X-FILES Stealer has been involved in various phishing campaigns targeting users and organizations, particularly focusing on individuals who store sensitive information in browsers and email clients.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

X-FILES malware technical details

X-FILES Stealer steals login credentials, hijacks accounts, and exfiltrates other sensitive data to its command-and-control (C2) servers. The malware can also use the compromised accounts to spread further infections.

The primary functionalities of X-FILES malware include:

  • Steals sensitive information like login credentials, cookies, browsing history, and cryptocurrency data.
  • Gains unauthorized access to personal and corporate accounts, including email and social media.
  • Alters startup directories or registry settings to ensure the malware runs on every system boot.
  • Runs its payload directly in memory to evade traditional detection methods.
  • Uses complex encoding and decryption to avoid detection by security tools.
  • Exploits known vulnerabilities through phishing emails with malicious attachments or links.

Cybercriminals often use a variety of file types to deliver X-FILES Stealer and other malware through phishing emails. These files include executable files (.exe), archive files like RAR and ZIP, and documents such as PDFs, JavaScript files, and Microsoft Office documents. The attachments are designed to appear legitimate, luring users into opening them and unknowingly initiating the malware infection.

A significant aspect of X-FILES Stealer’s operation is its integration with Telegram. The malware utilizes Telegram as a communication platform to exfiltrate stolen data.

This method is advantageous for attackers because Telegram offers end-to-end encryption, providing a level of anonymity and security that makes it difficult for cybersecurity professionals to trace the data back to its source. The malware sends the exfiltrated data directly to a Telegram bot or channel controlled by the attackers, where it can be accessed remotely and anonymously.

X-FILES Stealer execution process

To see how X-FILES stealer operates, let’s upload its sample to the ANY.RUN sandbox.

The infection chain usually begins with phishing emails containing malicious attachments, which are often disguised as legitimate documents, such as Word, Excel, or other Office files. When users open these documents, they may unknowingly execute embedded scripts that trigger the malware's payload.

One of the recent variants of X-FILES uses the Follina vulnerability (CVE-2022-30190), which allows attackers to execute PowerShell commands simply by opening a Word document. This document contains an OLE object that references an external HTML file, which subsequently executes JavaScript to download the malware payload.

X-FILES Stealer process graph in ANY.RUN X-FILES Stealer process graph shown in ANY.RUN sandbox

Once the document is opened, it retrieves a base64-encoded string containing PowerShell commands. These commands establish persistence on the infected machine by placing the malware in the Windows startup directory and executing it.

The main payload includes encrypted shellcode, which is decrypted and executed in memory. This approach enables the malware to run without leaving significant traces on the disk, making it more difficult to detect.

The stolen data is typically stored in newly created directories on the infected machine and is exfiltrated using secure channels, often via Telegram, providing attackers with a degree of anonymity.

X-FILES Stealer delivery methods

X-FILES Stealer is distributed through a variety of methods, each designed to exploit common vulnerabilities and user behaviors:

  • Infected email attachments: The most common method involves phishing emails with infected attachments, tricking users into opening them and initiating the malware.
  • Malicious online advertisements: Also known as malvertising, this method involves embedding malware in online ads. When users click on these ads, they are redirected to a compromised website or directly download the malware, unknowingly initiating the infection.
  • Social engineering: Attackers employ deceptive tactics like fake security alerts or bogus software updates to convince users to download and install the malware.
  • Pirated software: X-FILES Stealer is often bundled with pirated software and 'cracks,' leading users who download these tools to unknowingly infect their systems.

Conclusion

X-FILES Stealer’s focus on hijacking accounts and exfiltrating sensitive data highlights the need for strong security measures. Protecting against X-FILES Stealer requires a combination of security practices, including proactive analysis of suspicious emails, files, or links using a malware sandbox.

ANY.RUN offers a powerful solution for this, allowing anyone to analyze and understand the behavior of threats like X-FILES Stealer in a controlled environment. By using ANY.RUN, you can proactively identify and respond to these threats before they can compromise your data.

Sign up for a free ANY.RUN account to analyze malware and phishing without limits!

HAVE A LOOK AT

Wshrat screenshot
Wshrat
wshrat rat trojan
WSHRAT is a Remote Access Trojan — a malware that allows the attackers to take over the infected machines. The RAT has been in circulation since 2013 and it is arguably most notable for the numerous versions released into the wild.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
ValleyRAT screenshot
ValleyRAT
valleyrat
ValleyRAT is a classic remote access trojan first documented in 2023, targeting mainly Windows systems. It is used by threat actors to gain persistent access to infected devices, steal data, and control compromised machines. ValleyRAT is notable for its relatively advanced evasion techniques and its connections to a prominent Chinese APT group.
Read More