Common Windows Malware With 1000 Campaigns Can Now Infect macOS

by | August 22, 2021 | Cybersecurity News

A highly popular Windows malware used for stealing information from Windows systems has been tweaked to be able to infect macOS as well. The new malware strain is called XLoader.

Windows Malware Formbook Tweaked Into XLoader

XLoader is now available on an underground forum as a botnet loader service that steals passwords from web browsers and email clients, such as Chrome, Firefox, Opera, Edge, IE, Thunderbird, and Foxmail.

The new malware strain is very similar to the Windows malware but targets macOS systems.
Source: Bleeping Computer

The new malware strain is derived from Formbook info-stealer for Windows. It was first spotted in February and has gained significant popularity, advertised as a cross-platform botnet with no dependencies.

The link between the two malware versions was confirmed after someone from the community reverse-engineered XLoader and discovered that it had the same executable as Formbook.

The advertiser noted that Formbook’s creator also contributed a lot to developing XLoader. They also explained that the two pieces of malware had several functionalities in common: stealing login credentials, capturing screenshots, logging keystrokes, and executing malicious files.

Source: Bleeping Computer

The new macOS malware strain can be rented for $49 per month, and customers get access to a server provided by the seller. In addition, the developers can control how clients use the malware by keeping a centralized command and control infrastructure.

Formbook is more expensive as the seller demands $59 for one month or $129 for three months.

According to the advertisement, XLoader’s makers also offer a Java binder for free, enabling customers to create a standalone JAR file with the Mach-O and EXE binaries used by macOS and Windows.

Source: Bleeping Computer

After observing XLoader’s activity up to June 1st, Check Point researchers saw requests originating from as many as 69 countries, clearly indicating a substantial spread across the world, with more than half of the victims from the United States.

Formbook is still a prevalent threat, despite no longer being advertised on underground forums. It was used in at least 1,000 malware campaigns in the last three years. In addition, Formbook takes fourth place, tailgating Emotet, according to AnyRun’s malware trends.

Judging by the Windows version’s popularity, the new malware strain is expected to be even more prevalent considering that it can infect both Windows and macOS, the two most popular operating systems among consumers.

Spotting XLoader

Check Point noted that the malware strain is quite sneaky and can easily go unnoticed by a regular, non-technical user.

Researchers recommend using macOS’ Autorun to check the username in the OS and to look into the LaunchAgents folder [/Users/[username]/Library/LaunchAgents] and delete entries with suspicious filenames (random-looking names).

Head of Cyber Research at Check Point Software Yaniv Balmas explained that XLoader “is far more mature and sophisticated than its predecessors [i.e. Formbook].”

Due to its growing popularity, macOS is exposed to unwanted attention from threat actors, who can see the huge financial gain potential in targeting the system.

While there might be a gap between Windows and macOS malware, the gap is slowly closing over time. The truth is that MacOS malware is becoming bigger and more dangerous” – Yaniv Balmas

The researcher added that more malware categories will adapt to macOS and add it to their hit list.


Bleeping Computer

Check Point


Feature Image: Coffee photo created by –

by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.