
XRed


XRed is a stealthy backdoor that gives attackers unauthorized remote access to infected systems. It is notable for being distributed through trojanized legitimate software and hardware drivers, which lets it masquerade as trusted applications and makes it unusually dangerous.

Type: Backdoor
Origin: Unknown
First seen: 1 April, 2019
Last seen: 23 September, 2025


IOCs

IP addresses:

  • 147.185.221.26
  • 94.154.35.25
  • 185.228.82.21
  • 87.97.126.177
  • 45.141.26.134

Domains:

  • ms-pupils.gl.at.ply.gg
  • 2.tcp.eu.ngrok.io
  • tnmr.ddns.net
  • issues-tgp.gl.at.ply.gg

Note that several of these hostnames belong to public tunnelling and dynamic DNS services (ngrok, playit.gg, No-IP), so match on the full hostname rather than blocking the parent domain, which would also break legitimate traffic.


What is XRed Malware?

XRed, also known as the Synaptics worm, is a backdoor that has been active since at least 2019. It is designed for long-term infiltration and control of a system and for stealing sensitive data, combining elements of remote access Trojans (RATs), infostealers, and backdoors to carry out a range of malicious activities.

The malware demonstrates advanced capabilities including self-replication, persistence mechanisms, and remote command execution. What makes XRed particularly concerning is the professional quality of its development.

The malware operates through a multi-stage infection process, beginning with initial compromise through trojanized software and progressing to establish persistent access for data exfiltration and system control. XRed employs various anti-detection techniques and creates multiple infection vectors to ensure continued access to compromised systems. The backdoor's architecture allows for modular payload delivery, enabling threat actors to customize attacks based on specific targets and objectives.

XRed is often associated with cybercriminal groups and, in some cases, state-sponsored actors, who use it against high-value assets for financial gain, espionage, or disruption.

The malware's ability to remain undetected stems from its use of legitimate system tools (living-off-the-land techniques) and its capacity to mimic benign software processes. XRed's development is believed to be part of the growing Cybercrime-as-a-Service (CaaS) ecosystem, in which malware kits are sold on the dark web, enabling even low-skill attackers to deploy it effectively.


XRed Victimology

XRed targets a broad spectrum of victims, with particular focus on:

Individual Users:

  • Consumers downloading software for peripheral devices (USB-C hubs, gaming mice, printers)
  • Users seeking legitimate software from compromised distribution channels
  • Technology enthusiasts and reviewers who frequently test new hardware and software

Business Sectors:

  • Small to medium enterprises with limited cybersecurity infrastructure
  • Organizations in the manufacturing and technology sectors
  • Companies that rely heavily on peripheral devices and third-party software
  • Gaming and entertainment industry stakeholders

Geographically, attacks have been reported predominantly in North America, Europe, and the Asia-Pacific region, with a notable spike in the APAC region in 2024. Individuals with access to high-value credentials, such as IT administrators or executives, are prime targets for XRed’s credential-harvesting capabilities, often through spear-phishing campaigns.

XRed Malware Typical Attack Chain

ANY.RUN’s Interactive Sandbox contains an assortment of XRed analysis sessions featuring different associated malware and attack vectors. By detonating XRed samples, we can understand the key points of its attack chain.

XRed sample analysis in the Interactive Sandbox

XRed is delivered through trojanized programs that pose as legitimate software. When launched, the malicious file usually also runs the legitimate utility it impersonates, so the victim sees the expected behaviour and nothing looks wrong.

To prevent multiple instances from running, XRed checks for a mutex named Synaptics2X, which is unchanged across the observed samples, and drops itself as Synaptics.exe. Both the mutex and the file name are typical IOCs for XRed and are preserved in most instances. After creating Synaptics.exe, the malware adds the file to the system's startup.

XRed adds the file to autorun

Once initialized, XRed gathers system data. The backdoor also provides remote system control, supporting commands for taking screenshots, accessing the command line, managing files, and listing drives and directories.

XRed also infects Excel files by embedding a VBA script that carries malicious code, as seen in the sandbox's file-modification view filtered by extension.

XRed file modifications filtered by extension

The embedded VBA can be viewed using the sandbox functionality.

VBA file modified by XRed
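A practitioner hunting for XRed-tampered workbooks wants a quick way to find every Excel file that carries a VBA project, including files that keep a non-macro extension. The scanner below is an added example and not ANY.RUN's or the malware's code: it recognises the two Excel containers (OOXML, a zip that stores macros in xl/vbaProject.bin, and the legacy OLE/CFB .xls, whose directory entries are UTF-16LE and contain a _VBA_PROJECT storage when macros are present). It does not decode the macro source (MS-OVBA compression); it only answers whether a VBA project is present. The fixture files it builds are constructed stand-ins, not real XRed-infected documents.

```python
"""Find Excel workbooks that contain a VBA project (added example, not XRed's code)."""
import os
import tempfile
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .xls (OLE/CFB) header
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # CFB directory names are UTF-16LE
OOXML_VBA_PART = "xl/vbaProject.bin"                 # where OOXML keeps the macro project
EXCEL_EXTS = {".xls", ".xlsx", ".xlsm", ".xlsb", ".xltm", ".xltx"}
MINIMAL_PARTS = {"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>"}


def workbook_has_vba(path: str) -> bool:
    """True if the workbook carries a VBA project, whatever its extension says."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:4] == b"PK\x03\x04":                    # OOXML container is a zip archive
        try:
            with zipfile.ZipFile(path) as zf:
                return OOXML_VBA_PART in zf.namelist()
        except zipfile.BadZipFile:
            return False
    if data[:8] == OLE_MAGIC:                        # legacy binary workbook
        return OLE_VBA_MARKER in data
    return False


def scan_directory(root: str) -> list[str]:
    """Walk `root` and return the paths of Excel workbooks that contain VBA."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXCEL_EXTS:
                full = os.path.join(dirpath, name)
                if workbook_has_vba(full):
                    hits.append(full)
    return sorted(hits)


def build_samples(root: str) -> None:
    """Write constructed fixtures: two clean files and three that carry a VBA project."""
    def ooxml(name, extra=None):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            for part, body in {**MINIMAL_PARTS, **(extra or {})}.items():
                zf.writestr(part, body)
    ooxml("clean.xlsx")
    ooxml("infected.xlsm", {OOXML_VBA_PART: b"\x01\x16\x01\x00"})   # stub bytes, not real VBA
    ooxml("report.xlsx", {OOXML_VBA_PART: b"\x01\x16\x01\x00"})     # macro hidden behind .xlsx
    with open(os.path.join(root, "legacy.xls"), "wb") as fh:        # CFB header + storage name
        fh.write(OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT_CUR".encode("utf-16-le"))
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("not a workbook")


def demo() -> list[str]:
    """Build the fixtures in a temporary directory and return the base names flagged."""
    with tempfile.TemporaryDirectory() as root:
        build_samples(root)
        return [os.path.basename(p) for p in scan_directory(root)]


if __name__ == "__main__":
    for hit in demo():
        print("VBA project found:", hit)
```

The scan flags every macro-bearing workbook, including legitimate ones, so run it against a baseline of the directories you expect to hold macros. A VBA project appearing in a share or user folder that never contained macros, in files whose modification times cluster around the first Synaptics.exe execution, is the signal worth chasing.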

Exploring the sandbox analyses, we can observe the key features of XRed:

  • Masking and Stealth: XRed disguises itself as Synaptics.exe, using the legitimate name and description "Synaptics Pointing Device Driver." The payload is placed in the folder C:\ProgramData\Synaptics.
  • Information Gathering: It collects data such as the MAC address, username, and computer name, which it then sends to the attacker's server.
  • Keylogging: It uses keyboard hooks to record keystrokes.
  • Remote Commands: XRed supports commands that allow for command-line access, taking screenshots, listing drives and directories, and downloading and deleting files.
  • USB Propagation: It has a legacy feature that spreads the malware via USB drives by writing an autorun.inf file that launches a copy of itself; this only works on hosts where AutoRun for removable media is still enabled, which modern Windows versions disable by default.
  • Macro Manipulation: It injects a VBA script into Excel files that disables macro security warnings and copies the malicious file to directories with legitimate files.

How Does XRed Malware Function?

XRed relies on several mechanisms:

Primary Distribution Vectors:

  • Trojanized hardware drivers bundled with legitimate peripheral devices
  • Compromised software distribution websites and official download channels
  • Infected gaming peripheral configuration software
  • Malicious printer and scanner drivers unknowingly distributed by the manufacturers themselves

Persistence Mechanisms:

  • Creates Windows Registry Run keys to ensure automatic startup
  • Utilizes mutex named "Synaptics2X" to prevent multiple instances
  • Implements self-replication capabilities for infection spread

Data Exfiltration:

  • Monitors clipboard activity for sensitive information
  • Captures keystrokes and system information
  • Transmits collected data to attacker-controlled servers

Evasion Techniques:

  • Use of legitimate digital certificates to bypass security controls
  • Distribution through trusted vendor channels to avoid suspicion
  • Timing-based installation to avoid real-time security scanning
  • Polymorphic code variations to evade signature-based detection

Modular Architecture:

  • Supports dynamic loading of additional malicious modules
  • Enables customization of attack capabilities based on target environment
  • Facilitates ongoing campaign adaptation and evolution
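The attack chain walk-through and the persistence list above give a small set of host behaviours that are stable across samples: the Synaptics.exe payload under C:\ProgramData\Synaptics, the Synaptics2X mutex, a Run key pointing at that path, autorun.inf written to removable media, and Excel files rewritten by the payload. The following is an added example, not ANY.RUN's detection content, that runs those rules over constructed Sysmon-style JSON events. Sysmon field names (EventID, Image, TargetObject, Details, TargetFilename) are real; the "Mutex" event type is hypothetical, since Sysmon does not record mutex creation and that telemetry has to come from an EDR, and the Run value name and the file paths in the sample log are made up.

```python
"""Rule-based triage of Sysmon-style events for XRed behaviours (added example)."""
import json

SUSPECT_IMAGE = r"c:\programdata\synaptics\synaptics.exe"

# Constructed telemetry, not real logs. One JSON object per line, Sysmon field names.
# EventID 1 = process create, 11 = file create, 13 = registry value set;
# "Mutex" is a hypothetical EDR event type (Sysmon has no mutex event).
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe", "Description": "Synaptics TouchPad Enhancements"}
{"EventID": 1, "Image": "C:\\ProgramData\\Synaptics\\Synaptics.exe", "Description": "Synaptics Pointing Device Driver", "ParentImage": "C:\\Users\\alice\\Downloads\\DeviceSetup.exe"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Synaptics Pointing Device Driver", "Details": "C:\\ProgramData\\Synaptics\\Synaptics.exe"}
{"EventID": 11, "Image": "C:\\ProgramData\\Synaptics\\Synaptics.exe", "TargetFilename": "E:\\autorun.inf"}
{"EventID": 11, "Image": "C:\\ProgramData\\Synaptics\\Synaptics.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\budget.xlsm"}
{"EventID": "Mutex", "Image": "C:\\ProgramData\\Synaptics\\Synaptics.exe", "MutexName": "Synaptics2X"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "E:\\photos\\cat.jpg"}
"""


def _image(ev: dict) -> str:
    return ev.get("Image", "").lower()


# Each rule is a predicate over one event. Matching on the full payload path, not the
# file name alone, keeps the legitimate Synaptics driver under Program Files out of it.
RULES = {
    "xred_payload_path": lambda ev: ev["EventID"] == 1 and _image(ev) == SUSPECT_IMAGE,
    "xred_mutex": lambda ev: ev["EventID"] == "Mutex" and ev.get("MutexName") == "Synaptics2X",
    "xred_run_key": lambda ev: ev["EventID"] == 13
        and "\\currentversion\\run\\" in ev.get("TargetObject", "").lower()
        and "programdata\\synaptics" in ev.get("Details", "").lower(),
    "xred_usb_autorun": lambda ev: ev["EventID"] == 11 and _image(ev) == SUSPECT_IMAGE
        and ev.get("TargetFilename", "").lower().endswith("\\autorun.inf"),
    "xred_excel_tamper": lambda ev: ev["EventID"] == 11 and _image(ev) == SUSPECT_IMAGE
        and ev.get("TargetFilename", "").lower().endswith((".xls", ".xlsm", ".xlsx")),
}


def parse_jsonl(text: str) -> list[dict]:
    """Decode one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def evaluate(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule name, event index) for every rule that fires on every event."""
    alerts = []
    for idx, ev in enumerate(events):
        for name, pred in RULES.items():
            if pred(ev):
                alerts.append((name, idx))
    return alerts


def host_verdict(alerts: list[tuple[str, int]]) -> str:
    """Escalate only when two independent strong indicators agree on the host."""
    fired = {name for name, _ in alerts}
    strong = {"xred_payload_path", "xred_mutex", "xred_run_key"}
    if len(fired & strong) >= 2:
        return "likely XRed infection"
    if fired:
        return "suspicious, review"
    return "no XRed indicators"


if __name__ == "__main__":
    events = parse_jsonl(SAMPLE_LOG)
    found = evaluate(events)
    for name, idx in found:
        print(f"{name:<20} event {idx}: {json.dumps(events[idx])[:80]}")
    print("verdict:", host_verdict(found))
```

The verdict function deliberately needs two of the strong indicators (payload path, mutex, Run key) before it escalates, so a single file write by a similarly named process does not page anyone; the autorun.inf and Excel rules are corroborating context that also tells you which drives and documents to check during cleanup.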


Most Notorious XRed Attacks

Specific XRed intrusions are not well documented in public sources. The list below mixes confirmed distribution campaigns with reported incidents whose TTPs align with XRed:

  1. USB-C Hub Campaign (2019-2024): A long-running campaign distributing XRed through USB-C hub adapter drivers affected thousands of users across multiple years. This attack showcased the malware's persistence and the effectiveness of hardware-based distribution methods.
  2. Manufacturing Sector Breach (2024): A major manufacturing firm in the Asia-Pacific region suffered a supply chain attack where XRed was embedded in a software update, leading to the theft of intellectual property and operational disruption.
  3. Financial Institution Data Theft (2024): XRed’s infostealer capabilities compromised a U.S.-based bank, exfiltrating customer credentials and causing significant reputational damage.
  4. Healthcare Ransomware Attack (2024): A hospital network was paralyzed by XRed’s ransomware module, locking critical systems and delaying patient care, with attackers demanding a multimillion-dollar ransom.
  5. Procolored Printer Manufacturer Incident (2024-2025): This six-month-long campaign represents one of the most successful XRed distributions, where a legitimate printer manufacturer unknowingly distributed infected drivers. The attack was discovered only when YouTube technology reviewer Cameron Coward attempted to review a $6,000 printer, highlighting how the malware successfully evaded detection for an extended period.
  6. Gaming Peripheral Supply Chain Attack (2025): Endgame Gear's OP1w 4K V2 mouse configuration software was compromised for nearly two weeks, affecting numerous gaming enthusiasts and professional esports players. This attack demonstrated XRed's ability to infiltrate trusted software distribution channels and target specific user communities.
  7. Multi-Vendor Hardware Driver Campaign (2025): Coordinated attacks targeting multiple peripheral device manufacturers simultaneously, creating a broad infection surface across different vendor ecosystems. This campaign demonstrated sophisticated supply chain infiltration capabilities.

Gathering Threat Intelligence on XRed Malware

By integrating threat intelligence into security operations, organizations can stay ahead of XRed's evolving threat landscape. Threat intelligence provides indicators of compromise (malicious IPs, domains, file hashes) that can be used to block XRed's C&C communications, and it offers insight into XRed's tactics, techniques, and procedures, enabling tailored defense strategies.

It also fuels proactive threat hunting, allowing organizations to search for XRed's presence before it causes damage, using tools such as YARA rules or SIEM integrations.

Start gathering IOCs and behavioral data with the malware name search request to Threat Intelligence Lookup:

threatName:"XRed"

XRed malware samples found via TI Lookup

You can also search TI Lookup for the mutex mentioned above, which is present in most versions of the malware and is therefore a reliable IOC, combined with the payload's known path:

syncObjectName:"Synaptics2X" AND imagePath:"ProgramData\Synaptics\Synaptics.exe"

XRed malware samples featuring the Synaptics mutex

Conclusion

XRed is a sophisticated and adaptable threat that demands constant vigilance. Its modular design, stealthy operation, and high-impact potential make it one of the more dangerous malware families targeting modern enterprises. Robust detection mechanisms, proactive threat intelligence, and a security-first culture are critical in defending against it.
