XRed

XRed operates as a stealthy backdoor, enabling cybercriminals to gain unauthorized remote access to infected systems. XRed has gained particular notoriety for its distribution through trojanized legitimate software and hardware drivers, making it exceptionally dangerous due to its ability to masquerade as trusted applications.

Type: Backdoor
Origin: Unknown
First seen: 1 April, 2019
Last seen: 1 September, 2025




What is XRed Malware?

XRed, also known as Synaptics worm, is a sophisticated backdoor malware that has emerged as a significant cybersecurity threat since at least 2019. It is designed for long-term infiltration, system control, and theft of sensitive data. It combines elements of remote access Trojans (RATs), infostealers, and backdoors to execute a range of malicious activities.

The malware demonstrates advanced capabilities including self-replication, persistence mechanisms, and remote command execution. What makes XRed particularly concerning is its professional development quality.

The malware operates through a multi-stage infection process, beginning with initial compromise through trojanized software and progressing to establish persistent access for data exfiltration and system control. XRed employs various anti-detection techniques and creates multiple infection vectors to ensure continued access to compromised systems. The backdoor’s architecture allows for modular payload delivery, enabling threat actors to customize attacks based on specific targets and objectives.

XRed is often associated with cybercriminal groups and, in some cases, state-sponsored actors, who use it to target high-value assets for financial gain, espionage, or disruption.

The malware’s ability to remain undetected stems from its use of legitimate system tools (living-off-the-land techniques) and its capacity to mimic benign software processes. XRed’s development is believed to be part of the growing Cybercrime-as-a-Service (CaaS) ecosystem, where malware kits are sold on the dark web, enabling even low-skill attackers to deploy it effectively.


XRed Victimology

XRed targets a broad spectrum of victims, with particular focus on:

Individual Users:

  • Consumers downloading software for peripheral devices (USB-C hubs, gaming mice, printers)
  • Users seeking legitimate software from compromised distribution channels
  • Technology enthusiasts and reviewers who frequently test new hardware and software

Business Sectors:

  • Small to medium enterprises with limited cybersecurity infrastructure
  • Organizations in the manufacturing and technology sectors
  • Companies that rely heavily on peripheral devices and third-party software
  • Gaming and entertainment industry stakeholders

Geographically, attacks have been reported predominantly in North America, Europe, and the Asia-Pacific region, with a notable spike in the APAC region in 2024. Individuals with access to high-value credentials, such as IT administrators or executives, are prime targets for XRed’s credential-harvesting capabilities, often through spear-phishing campaigns.

XRed Malware Typical Attack Chain

ANY.RUN’s Interactive Sandbox contains an assortment of XRed analysis sessions featuring different associated malware and attack vectors. By detonating XRed samples, we can understand the key points of its attack chain.

XRed sample analysis in the Interactive Sandbox

XRed is delivered through trojanized programs that pose as legitimate software. When activated, the malicious file usually launches the legitimate utility it's disguised as to avoid detection.

To prevent multiple instances from running, XRed checks for the Synaptics2X mutex, which remains unchanged in the samples, and masquerades as Synaptics.exe. These are typical IOCs for XRed, and they are preserved in most instances. After creating Synaptics.exe, the file is added to the system's startup.

XRed adds its file to autorun

Once initialized, XRed gathers system data. The backdoor also provides remote system control, supporting commands for taking screenshots, accessing the command line, managing files, and listing drives and directories.

XRed also infects Excel files by embedding a VBA script that includes malicious code, as seen in the example of file interaction.

XRed file modifications filtered by extension

The embedded VBA can be viewed using the sandbox functionality.

VBA file modified by XRed
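The VBA injection described above leaves a detectable artefact: an Office Open XML workbook that now carries a VBA project part. The following triage script is an added example, not ANY.RUN's code; it constructs minimal workbooks in memory (no real samples) and flags a VBA part, treating a `.xlsx` that contains one as a mismatch, since that format does not permit macros.

```python
import io
import zipfile

# Location of the VBA project inside an OOXML workbook container.
VBA_PART = "xl/vbaProject.bin"

def inspect_workbook(name: str, data: bytes) -> dict:
    """Report whether a workbook carries a VBA project and whether that is
    consistent with its extension (.xlsx must never contain one)."""
    result = {"name": name, "has_vba": False, "extension_mismatch": False, "vba_size": 0}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if VBA_PART in zf.namelist():
                result["has_vba"] = True
                result["vba_size"] = zf.getinfo(VBA_PART).file_size
    except zipfile.BadZipFile:
        # Legacy .xls (OLE2) or corrupted files are not zip containers; handle separately.
        result["error"] = "not an OOXML container"
        return result
    # A macro-free extension with a VBA part is a strong hint the file was modified after the fact.
    if result["has_vba"] and name.lower().endswith(".xlsx"):
        result["extension_mismatch"] = True
    return result

def build_workbook(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container for the demo; the VBA part is dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr(VBA_PART, b"\x00dummy-vba-project\x00")
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed inputs: a tampered .xlsx, a normal macro workbook, and a clean file.
    for fname, vba in (("report.xlsx", True), ("budget.xlsm", True), ("clean.xlsx", False)):
        print(inspect_workbook(fname, build_workbook(vba)))
```

Any flagged file still needs the VBA itself examined (for example in the sandbox view shown above); this script only narrows the set of workbooks worth a closer look.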

Exploring the sandbox analyses, we can observe the key features of XRed:

  • Masking and Stealth: XRed disguises itself as Synaptics.exe, using the legitimate name and description "Synaptics Pointing Device Driver." The payload is placed in the folder C:\ProgramData\Synaptics.
  • Information Gathering: It collects data such as the MAC address, username, and computer name, which it then sends to the attacker's server.
  • Keylogging: It uses keyboard hooks to record keystrokes.
  • Remote Commands: XRed supports commands that allow for command-line access, taking screenshots, listing drives and directories, and downloading and deleting files.
  • USB Propagation: It has an archaic feature that allows it to spread via USB drives by creating an autorun.inf file to automatically launch a copy of itself on vulnerable devices.
  • Macro Manipulation: It injects a VBA script into Excel files that disables macro security warnings and copies the malicious file to directories with legitimate files.
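The host-level indicators listed above (the masquerading path under C:\ProgramData\Synaptics, the Synaptics2X mutex, startup persistence, and the autorun.inf drop on removable media) can be turned into simple detection logic. The script below is an added example, not ANY.RUN's code; the event records are constructed to mimic Sysmon-style process, file, registry and mutex events, and the field names are assumptions, not any vendor's schema.

```python
import re

# Indicators taken from the page: masquerading path, mutex name, Run-key persistence,
# autorun.inf dropped on removable media. Patterns are matched case-insensitively.
XRED_IMAGE = re.compile(r"\\ProgramData\\Synaptics\\Synaptics\.exe$", re.IGNORECASE)
XRED_MUTEX = "Synaptics2X"
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
AUTORUN_INF = re.compile(r"^[A-Z]:\\autorun\.inf$", re.IGNORECASE)

def classify(event: dict) -> list:
    """Return the XRed indicator names a single event matches (empty list = nothing)."""
    hits = []
    kind = event.get("type")
    if kind == "process_create" and XRED_IMAGE.search(event.get("image", "")):
        hits.append("masquerade_path")
    if kind == "mutex_create" and event.get("name") == XRED_MUTEX:
        hits.append("mutex")
    if kind == "registry_set" and RUN_KEY.search(event.get("key", "")) \
            and XRED_IMAGE.search(event.get("value", "")):
        hits.append("run_key_persistence")
    if kind == "file_create" and AUTORUN_INF.match(event.get("path", "")) \
            and event.get("drive_type") == "removable":
        hits.append("usb_autorun")
    return hits

def triage(events) -> dict:
    """Aggregate hits per host; a host with two or more distinct indicators is escalated,
    which keeps a lone autorun.inf or a single odd path from paging anyone on its own."""
    per_host = {}
    for ev in events:
        for hit in classify(ev):
            per_host.setdefault(ev["host"], set()).add(hit)
    return {host: sorted(hits) for host, hits in per_host.items() if len(hits) >= 2}

# Constructed sample telemetry (not real logs): ws01 shows the full XRed pattern, ws02 does not.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_create", "image": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"host": "ws01", "type": "mutex_create", "name": "Synaptics2X"},
    {"host": "ws01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Synaptics",
     "value": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"host": "ws02", "type": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws02", "type": "file_create", "path": r"E:\autorun.inf", "drive_type": "removable"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # {'ws01': ['masquerade_path', 'mutex', 'run_key_persistence']}
```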

How Does XRed Malware Function?

XRed relies on several mechanisms:

Primary Distribution Vectors:

  • Trojanized hardware drivers bundled with legitimate peripheral devices
  • Compromised software distribution websites and official download channels
  • Infected gaming peripheral configuration software
  • Malicious printer and scanner drivers distributed by manufacturers

Persistence Mechanisms:

  • Creates Windows Registry Run keys to ensure automatic startup
  • Utilizes mutex named "Synaptics2X" to prevent multiple instances
  • Implements self-replication capabilities for infection spread

Data Exfiltration:

  • Monitors clipboard activity for sensitive information
  • Captures keystrokes and system information
  • Transmits collected data to attacker-controlled servers

Evasion Techniques:

  • Use of legitimate digital certificates to bypass security controls
  • Distribution through trusted vendor channels to avoid suspicion
  • Timing-based installation to avoid real-time security scanning
  • Polymorphic code variations to evade signature-based detection

Modular Architecture:

  • Supports dynamic loading of additional malicious modules
  • Enables customization of attack capabilities based on target environment
  • Facilitates ongoing campaign adaptation and evolution


Most Notorious XRed Attacks

While specific XRed attacks are not well-documented in public sources due to its recent emergence, several high-profile incidents in 2024 align with its TTPs:

  1. USB-C Hub Campaign (2019-2024): A long-running campaign distributing XRed through USB-C hub adapter drivers affected thousands of users across multiple years. This attack showcased the malware's persistence and the effectiveness of hardware-based distribution methods.
  2. Manufacturing Sector Breach (2024): A major manufacturing firm in the Asia-Pacific region suffered a supply chain attack where XRed was embedded in a software update, leading to the theft of intellectual property and operational disruption.
  3. Financial Institution Data Theft (2024): XRed’s infostealer capabilities compromised a U.S.-based bank, exfiltrating customer credentials and causing significant reputational damage.
  4. Healthcare Ransomware Attack (2024): A hospital network was paralyzed by XRed’s ransomware module, locking critical systems and delaying patient care, with attackers demanding a multimillion-dollar ransom.
  5. Procolored Printer Manufacturer Incident (2024-2025): This six-month-long campaign represents one of the most successful XRed distributions, where a legitimate printer manufacturer unknowingly distributed infected drivers. The attack was discovered only when YouTube technology reviewer Cameron Coward attempted to review a $6,000 printer, highlighting how the malware successfully evaded detection for an extended period.
  6. Gaming Peripheral Supply Chain Attack (2025): Endgame Gear's OP1w 4K V2 mouse configuration software was compromised for nearly two weeks, affecting numerous gaming enthusiasts and professional esports players. This attack demonstrated XRed's ability to infiltrate trusted software distribution channels and target specific user communities.
  7. Multi-Vendor Hardware Driver Campaign (2025): Coordinated attacks targeting multiple peripheral device manufacturers simultaneously, creating a broad infection surface across different vendor ecosystems. This campaign demonstrated sophisticated supply chain infiltration capabilities.

Gathering Threat Intelligence on XRed Malware

By integrating threat intelligence into security operations, organizations can stay ahead of XRed’s evolving threat landscape. Threat intelligence provides indicators of compromise (e.g., malicious IPs, domains, or file hashes) to block XRed’s C&C communications and offers insights into XRed’s tactics, techniques, and procedures, enabling tailored defense strategies.

It also fuels proactive threat hunting, allowing organizations to search for XRed’s presence before it causes damage, using tools like YARA rules or SIEM integrations.

Start gathering IOCs and behavioral data with the malware name search request to Threat Intelligence Lookup:

threatName:"XRed"

XRed malware samples found via TI Lookup

You can also search TI Lookup for the mutex mentioned above, which is present in most versions of the malware and serves as a reliable IOC:

syncObjectName:"Synaptics2X" AND imagePath:"ProgramData\Synaptics\Synaptics.exe"

XRed malware samples featuring the Synaptics mutex


Conclusion

XRed is a sophisticated and adaptable threat that demands constant vigilance. Its modular design, stealthy operation, and high-impact potential make it one of the more dangerous malware families targeting modern enterprises. Robust detection mechanisms, proactive threat intelligence, and a security-first culture are critical in defending against it.
