
XRed


XRed is a backdoor that gives its operators unauthorized remote access to infected systems. It is best known for spreading inside trojanized copies of legitimate software and hardware drivers, which lets it pass as a trusted application.

Type: Backdoor
Origin: Unknown
First seen: 1 April, 2019
Last seen: 6 February, 2026


IOCs

IP addresses
185.228.82.21
87.97.126.177
45.141.26.134

Domains
2.tcp.eu.ngrok.io
tnmr.ddns.net
issues-tgp.gl.at.ply.gg

Note that the listed domains belong to tunnelling and dynamic DNS services (ngrok, No-IP, playit.gg), so operators can rotate to a new subdomain at will; treat them as signs of a campaign rather than as stable block-list entries.


What is XRed Malware?

XRed, also known as the Synaptics worm, is a backdoor that has been active since at least 2019. It is built for long-term access to a compromised system and for stealing sensitive data, combining remote access trojan (RAT), infostealer and backdoor functionality.

The malware self-replicates, establishes persistence and executes remote commands, and its code quality suggests professional development rather than a hobbyist project.

Infection is multi-stage: initial compromise through trojanized software, then persistent access for data exfiltration and system control. XRed applies anti-detection techniques and sets up several infection vectors so that access survives a partial clean-up. Its architecture allows modular payload delivery, letting operators tailor an attack to the target.

XRed is associated with cybercriminal groups and, in some reports, state-sponsored actors, who use it against high-value assets for financial gain, espionage or disruption.

It stays undetected by relying on legitimate system tools (living-off-the-land techniques) and by mimicking benign software. XRed is believed to be part of the Cybercrime-as-a-Service (CaaS) ecosystem, in which malware kits sold on the dark web let even low-skill attackers deploy it.


XRed Victimology

XRed targets a broad spectrum of victims, with particular focus on:

Individual Users:

  • Consumers downloading software for peripheral devices (USB-C hubs, gaming mice, printers)
  • Users seeking legitimate software from compromised distribution channels
  • Technology enthusiasts and reviewers who frequently test new hardware and software

Business Sectors:

  • Small to medium enterprises with limited cybersecurity infrastructure
  • Organizations in the manufacturing and technology sectors
  • Companies that rely heavily on peripheral devices and third-party software
  • Gaming and entertainment industry stakeholders

Geographically, attacks have been reported predominantly in North America, Europe, and the Asia-Pacific region, with a notable spike in the APAC region in 2024. Individuals with access to high-value credentials, such as IT administrators or executives, are prime targets for XRed’s credential-harvesting capabilities, often through spear-phishing campaigns.

XRed Malware Typical Attack Chain

ANY.RUN’s Interactive Sandbox contains an assortment of XRed analysis sessions featuring different associated malware and attack vectors. By detonating XRed samples, we can understand the key points of its attack chain.

XRed sample analysis in the Interactive Sandbox

XRed is delivered inside trojanized programs that pose as legitimate software. When run, the malicious file usually launches the genuine utility it is disguised as, so the user sees the expected behaviour and nothing looks wrong.

To avoid running more than one instance, XRed checks for a mutex named Synaptics2X, which has stayed the same across observed samples, and it masquerades as Synaptics.exe. Both are typical XRed indicators and are preserved in most instances. After dropping Synaptics.exe, the malware registers the file to run at system startup.

XRed adds its file to autorun

Once initialized, XRed gathers system data. The backdoor also provides remote system control, supporting commands for taking screenshots, accessing the command line, managing files, and listing drives and directories.

XRed also infects Excel files by embedding a VBA script that carries its malicious code, as the sandbox's file-activity view shows.

XRed file modifications filtered by extension

The embedded VBA can be viewed using the sandbox functionality.

VBA code added to a file by XRed

Exploring the sandbox analyses, we can observe the key features of XRed:

  • Masking and Stealth: XRed disguises itself as Synaptics.exe, using the legitimate name and the file description "Synaptics Pointing Device Driver". The payload is placed in C:\ProgramData\Synaptics. The genuine Synaptics touchpad driver installs under C:\Program Files\Synaptics\SynTP, so a Synaptics.exe under ProgramData is a reliable host indicator.
  • Information Gathering: it collects the MAC address, username and computer name and sends them to the attacker's server.
  • Keylogging: it installs keyboard hooks to record keystrokes.
  • Remote Commands: XRed supports commands for command-line access, taking screenshots, listing drives and directories, and downloading and deleting files.
  • USB Propagation: it copies itself to removable drives and writes an autorun.inf to launch the copy. Windows has ignored autorun.inf on removable (non-optical) media since the 2011 AutoRun update, so this vector only works on unpatched or legacy systems.
  • Macro Manipulation: it injects a VBA script into Excel files that disables macro security warnings and copies the malicious file into directories alongside legitimate files.
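The behaviour chain above, expressed as detection logic and run over a handful of constructed Sysmon-style events. This is an added example, not code from ANY.RUN or from the sample: the event records, the victim paths and the Run value name are made up for the demonstration; the only indicators taken from the analysis are the ProgramData drop path, the Run key location, the Excel file types and the autorun.inf drop.

```python
"""Detection rules for the XRed behaviour chain over Sysmon-style events.

Field names follow Sysmon (Image, TargetObject, TargetFilename); the events
below are constructed for this example. Rules fire only for the dropped
binary under ProgramData, so the genuine Synaptics driver under Program
Files never matches.
"""
import re
from dataclasses import dataclass

# Indicators from the sandbox analysis.
XRED_IMAGE = re.compile(r"^[a-z]:\\programdata\\synaptics\\synaptics\.exe$", re.I)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run\\", re.I)
DRIVE_ROOT_AUTORUN = re.compile(r"^[a-z]:\\autorun\.inf$", re.I)
EXCEL_EXT = (".xls", ".xlsm", ".xlsb")


@dataclass
class Event:
    event_id: int      # Sysmon: 1 = process create, 11 = file create/overwrite, 13 = registry value set
    image: str         # process that performed the action
    target: str = ""   # TargetFilename (11) or TargetObject (13)
    details: str = ""  # registry value data (13)


def is_xred_image(path: str) -> bool:
    """True only for the XRed drop path, case-insensitive, any drive letter."""
    return bool(XRED_IMAGE.match(path))


def executable_of(value_data: str) -> str:
    """Extract the executable from Run value data such as '"C:\\x\\y.exe" /arg'."""
    s = value_data.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    idx = s.lower().find(".exe")
    return s[: idx + 4] if idx != -1 else s.split(" ", 1)[0]


def detect(events):
    """Return (rule_name, evidence) pairs for every event that matches an XRed rule."""
    hits = []
    for e in events:
        if e.event_id == 1 and is_xred_image(e.image):
            hits.append(("xred_process_start", e.image))
        elif e.event_id == 13 and RUN_KEY.search(e.target) and is_xred_image(executable_of(e.details)):
            hits.append(("xred_run_key_persistence", e.target))
        elif e.event_id == 11 and is_xred_image(e.image):
            if e.target.lower().endswith(EXCEL_EXT):
                hits.append(("xred_excel_vba_injection", e.target))   # macro implant into a workbook
            elif DRIVE_ROOT_AUTORUN.match(e.target):
                hits.append(("xred_usb_autorun_drop", e.target))      # autorun.inf at a drive root
    return hits


# Constructed sample telemetry: one infected host plus benign noise.
# The Run value name used by XRed is assumed, not taken from the analysis.
SAMPLE_EVENTS = [
    Event(1, r"C:\ProgramData\Synaptics\Synaptics.exe"),
    Event(1, r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"),  # legitimate touchpad driver
    Event(13, r"C:\ProgramData\Synaptics\Synaptics.exe",
          r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows"
          r"\CurrentVersion\Run\Synaptics Pointing Device Driver",
          r'"C:\ProgramData\Synaptics\Synaptics.exe"'),
    Event(11, r"C:\ProgramData\Synaptics\Synaptics.exe", r"C:\Users\victim\Documents\budget.xlsm"),
    Event(11, r"C:\ProgramData\Synaptics\Synaptics.exe", r"E:\autorun.inf"),
    Event(11, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          r"C:\Users\victim\Documents\report.xlsx"),  # a user saving a workbook: no hit
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {evidence}")
```

The rules key on the process image rather than on the "Synaptics" name alone, because the touchpad driver helper (SynTPEnh.exe) is a common legitimate process; a detection that fires on the name would drown in false positives on laptops.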

How Does XRed Malware Function?

XRed relies on several mechanisms:

Primary Distribution Vectors:

  • Trojanized hardware drivers bundled with legitimate peripheral devices
  • Compromised software distribution websites and official download channels
  • Infected gaming peripheral configuration software
  • Malicious printer and scanner drivers distributed by manufacturers

Persistence Mechanisms:

  • Creates Windows Registry Run keys to ensure automatic startup
  • Utilizes mutex named "Synaptics2X" to prevent multiple instances
  • Implements self-replication capabilities for infection spread
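A host-side triage script for the persistence artefacts just listed: the Synaptics2X mutex, the dropped binary under ProgramData and a Run value pointing at it. This is an added example, not ANY.RUN's or the malware's code. The mutex and registry checks only do anything on Windows; the Run-value classifier is pure and is exercised here on constructed values, and the Run value name XRed uses is assumed. Whether the mutex is session-local or Global is not stated in the analysis, so both names are tried.

```python
"""Live-host triage for XRed persistence artefacts (mutex, drop path, Run key)."""
import ctypes
import os
import sys

MUTEX_NAME = "Synaptics2X"
DROP_SUFFIX = r"\programdata\synaptics\synaptics.exe"   # compared case-insensitively, any drive
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SYNCHRONIZE = 0x00100000                                  # enough access to open, never to signal


def executable_of(run_value: str) -> str:
    """Executable path from Run value data, handling quotes, arguments and unquoted spaces."""
    s = run_value.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    idx = s.lower().find(".exe")
    return s[: idx + 4] if idx != -1 else s.split(" ", 1)[0]


def suspicious_run_values(values):
    """values: iterable of (name, data). Returns the entries whose executable is the XRed drop path."""
    return [(name, data) for name, data in values
            if executable_of(data).lower().endswith(DROP_SUFFIX)]


def mutex_exists(name: str) -> bool:
    """True if a mutex with this name already exists in this session or globally (Windows only)."""
    if sys.platform != "win32":
        return False
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    for candidate in (name, "Global\\" + name):      # scope assumed unknown: try both
        handle = k32.OpenMutexW(SYNCHRONIZE, False, candidate)
        if handle:
            k32.CloseHandle(handle)
            return True
    return False


def read_run_values():
    """Enumerate HKCU and HKLM Run values as (name, data) pairs; empty off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:          # no more values
                        break
                    found.append((name, str(data)))
                    index += 1
        except OSError:                      # hive/key not readable
            continue
    return found


def triage():
    """Collect the three artefacts into one verdict dictionary."""
    program_data = os.environ.get("ProgramData", r"C:\ProgramData")
    drop = os.path.join(program_data, "Synaptics", "Synaptics.exe")
    return {
        "mutex": mutex_exists(MUTEX_NAME),
        "dropped_binary": os.path.isfile(drop),
        "run_values": suspicious_run_values(read_run_values()),
    }


# Constructed Run values for a stand-alone run; the XRed value name is assumed.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Synaptics Pointing Device Driver", r'"C:\ProgramData\Synaptics\Synaptics.exe"'),
    ("SynTPEnh", r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"),   # legitimate driver helper
]

if __name__ == "__main__":
    print("sample classification:", suspicious_run_values(SAMPLE_RUN_VALUES))
    print("this host:", triage())
```

A positive mutex check while no Synaptics.exe exists under ProgramData usually means the binary was deleted but the process is still running, so pull the process list before rebooting.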

Data Exfiltration:

  • Monitors clipboard activity for sensitive information
  • Captures keystrokes and system information
  • Transmits collected data to attacker-controlled servers

Evasion Techniques:

  • Use of legitimate digital certificates to bypass security controls
  • Distribution through trusted vendor channels to avoid suspicion
  • Timing-based installation to avoid real-time security scanning
  • Polymorphic code variations to evade signature-based detection

Modular Architecture:

  • Supports dynamic loading of additional malicious modules
  • Enables customization of attack capabilities based on target environment
  • Facilitates ongoing campaign adaptation and evolution


Most Notorious XRed Attacks

Public reporting on XRed is thin. Several of the 2024 incidents below are described only in general terms and are linked to XRed through overlap with its TTPs rather than through published samples; the Procolored and Endgame Gear cases are the best attested:

  1. USB-C Hub Campaign (2019-2024): A long-running campaign distributed XRed through USB-C hub adapter drivers and affected thousands of users over several years, showing both the malware's persistence and the effectiveness of hardware-bundled distribution.
  2. Manufacturing Sector Breach (2024): A major manufacturing firm in the Asia-Pacific region suffered a supply chain attack in which XRed was embedded in a software update, leading to theft of intellectual property and operational disruption.
  3. Financial Institution Data Theft (2024): XRed's infostealer capabilities were used against a U.S.-based bank, exfiltrating customer credentials and causing significant reputational damage.
  4. Healthcare Ransomware Attack (2024): A hospital network was paralysed by a ransomware module attributed to XRed, locking critical systems and delaying patient care, with attackers demanding a multimillion-dollar ransom.
  5. Procolored Printer Manufacturer Incident (2024-2025): A legitimate printer manufacturer unknowingly shipped XRed-infected driver packages for about six months, one of the most successful XRed distributions on record. The infection was noticed only when YouTube technology reviewer Cameron Coward set up a $6,000 printer for review, which shows how long the malware went unnoticed.
  6. Gaming Peripheral Supply Chain Attack (2025): Endgame Gear's OP1w 4K V2 mouse configuration software was compromised for nearly two weeks, affecting gaming enthusiasts and professional esports players and demonstrating that XRed can reach users through a trusted vendor's own download channel.
  7. Multi-Vendor Hardware Driver Campaign (2025): Coordinated attacks on several peripheral device manufacturers at once created a broad infection surface across vendor ecosystems and showed sophisticated supply chain infiltration.

Gathering Threat Intelligence on XRed Malware

Threat intelligence integrated into security operations helps defenders keep pace with XRed. It supplies indicators of compromise (malicious IPs, domains and file hashes) for blocking C&C traffic and describes XRed's tactics, techniques and procedures so that detections can be tailored to them.

It also feeds proactive threat hunting, letting teams search for XRed before it does damage, using YARA rules or SIEM integrations.

Start gathering IOCs and behavioral data with the malware name search request to Threat Intelligence Lookup:

threatName:"XRed"

XRed malware samples found via TI Lookup

You can also search TI Lookup for the mutex described above, which is present in most versions and is therefore a reliable indicator; pairing it with the ProgramData image path keeps the search focused on the dropped binary:

syncObjectName:"Synaptics2X" AND imagePath:"ProgramData\Synaptics\Synaptics.exe"

XRed malware samples featuring the Synaptics2X mutex


Conclusion

XRed is an adaptable threat that demands constant vigilance. Its modular design, stealthy operation and trusted-looking distribution make it one of the more dangerous malware families targeting modern enterprises. Robust detection, proactive threat intelligence and a security-first culture are critical in defending against it.
