Exposing HelloXD Ransomware and x4k

HelloXD is a ransomware family performing double extortion on Windows and Linux, with negotiations conducted via TOX chat and onion-based services instead of a leak site. Unit 42’s analysis links HelloXD to x4k and reveals details on its packers, memory-based execution, embedded MicroBackdoor, and an extensive infrastructure footprint across forums, GitHub, and Telegram.

Key points

  • HelloXD surfaced in Nov 2021 and targets Windows and Linux with double extortion, using TOX chat and onion-based venues for negotiations rather than a traditional leak site.
  • Unit 42 identified two HelloXD samples representing two variants: a basic loader with obfuscation, and a second variant that uses a two-layer packer, consisting of a custom UPX-like packer and a second layer that decrypts embedded blobs.
  • The ransomware often appends .hello to encrypted files and drops a ransom note (Hello.txt); newer variants also direct victims to a Tox or onion-based contact method for reaching the attacker.
  • HelloXD v2 drops a secondary payload (userlogin.exe) in System32 and loads a backdoor (MicroBackdoor) to monitor and further compromise infected systems.
  • The threat actor associated with HelloXD is linked to x4k (L4ckyguy, unKn0wn, unk0w, _unkn0wn, x4kme) with an extensive online footprint (GitHub, Telegram, YouTube) and infrastructure that includes Cobalt Strike beacons and PoC exploits.
  • The global infrastructure includes hardcoded IPs, domains (e.g., x4k.us, 1q.is, xn--90a5ai.com), and a network of domains/IPs used for C2 and payload delivery; a known IP (193.242.145.158) hosts associated contact information.
  • Palo Alto Networks technologies (WildFire, Cortex XDR, NGFW) detect and prevent HelloXD activity, and CTA collaboration helps disrupt malicious actors.

MITRE Techniques

  • [T1490] Inhibit System Recovery – “tries to disable shadow copies to inhibit system recovery” – HelloXD disables shadow copies to hinder recovery.
  • [T1486] Data Encrypted for Impact – “encrypting files using the following commands embedded in the sample” – HelloXD encrypts data and appends .hello; ransom note Hello.txt.
  • [T1070.004] File Deletion – “delete the initial payload” – payload cleanup observed as part of the kill chain.
  • [T1059] Command and Scripting Interpreter – “cmd.exe /C ping 1.1.1[.]1 -n 1 -w 3000 > Nul & Del /f /q” – execution via command line.
  • [T1106] Native API – “API calls such as VirtualAlloc and VirtualProtect are clearly visible” – memory and allocation behavior observed.
  • [T1027] Obfuscated/Compressed Files and Information – “two layers of packing; XLAT decryption; custom packer” – reverse-engineering shows obfuscation and decryption routines.
  • [T1055] Process Injection – “decrypting it through the WinCrypt API before injecting it into memory” – in-memory execution and injection.
  • [T1588.002] Acquire Capabilities – “Cobalt Strike Beacon deployment” – actor uses Beacons and related tooling.
  • [T1090] Proxy – “TOX chat and onion domains used for negotiations and C2” – attacker communications rely on proxied channels.

Indicators of Compromise

  • [Hash] – HelloXD sample hashes – 435781ab608ff908123d9f4758132fa45d459956755d27027a52b8c9e61f9589, ebd310cb5f63b364c4ce3ca24db5d654132b87728babae4dc3fb675266148fe9, and 2 more hashes
  • [Domain] – x4k.us, 1q.is, xn--90a5ai.com (фсб.com)
  • [IP] – 164.68.114.29, 167.86.87.27, 193.242.145.158 (C2/IP pivot)
  • [File name] – Hello.txt (ransom note), userlogin.exe (secondary payload), xd.exe (payload path)
  • [Email] – [email protected]
  • [Aliases/Accounts] – x4k, x4kme, L4ckyGuy (and related GitHub/YouTube/Telegram identities)
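The MITRE list and the indicator list above can be turned directly into host and network triage logic. The following is an added example (not Unit 42 code and not part of the original report): it matches the quoted ping-delay-then-delete command line (T1059 / T1070.004), the .hello extension and Hello.txt ransom note (T1486), the userlogin.exe drop in System32, the sample hashes, and the domains and IPs, including the Cyrillic фсб.com form of xn--90a5ai.com via IDNA normalisation. The telemetry records and their field names (type, cmdline, path, sha256, dest) are constructed for the demo and are assumptions, not a real EDR schema.

```python
"""Host/network triage helpers for the HelloXD artifacts listed in this
summary. Added example, not Unit 42 code; the log records below are
constructed for the demo and the field names are assumptions."""
import ntpath
import re

# Indicators copied from the summary above (only page-stated values).
HELLOXD_HASHES = {
    "435781ab608ff908123d9f4758132fa45d459956755d27027a52b8c9e61f9589",
    "ebd310cb5f63b364c4ce3ca24db5d654132b87728babae4dc3fb675266148fe9",
}
HELLOXD_DOMAINS = {"x4k.us", "1q.is", "xn--90a5ai.com"}
HELLOXD_IPS = {"164.68.114.29", "167.86.87.27", "193.242.145.158"}

# T1059 + T1070.004: the ping-delay-then-delete self-removal command line
# quoted in the MITRE list ("cmd.exe /C ping <ip> -n 1 -w <ms> > Nul & Del /f /q ...").
SELF_DELETE_RE = re.compile(
    r"cmd(?:\.exe)?\s+/c\s+ping\s+\S+\s+-n\s+\d+\s+-w\s+\d+\s*>\s*nul\s*&\s*del\s+/f\s+/q\b",
    re.IGNORECASE,
)


def normalize_host(host: str) -> str:
    """Lower-case a hostname and convert Unicode labels to their xn-- (IDNA)
    form so that фсб.com and xn--90a5ai.com compare equal."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def triage_process(cmdline: str) -> list[str]:
    """Return technique tags for a process command line."""
    tags = []
    if SELF_DELETE_RE.search(cmdline):
        tags += ["T1059 cmd.exe", "T1070.004 self-delete via ping delay"]
    return tags


def triage_file(path: str) -> list[str]:
    """Return tags for a file path created or written on a host."""
    tags = []
    name = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower()
    if name.endswith(".hello"):
        tags.append("T1486 .hello encrypted file")
    if name == "hello.txt":
        tags.append("HelloXD ransom note")
    if name == "userlogin.exe" and parent.endswith("\\system32"):
        tags.append("HelloXD v2 secondary payload (MicroBackdoor loader)")
    return tags


def triage_hash(sha256: str) -> list[str]:
    """Tag a SHA-256 that matches one of the published sample hashes."""
    return ["HelloXD sample hash"] if sha256.lower() in HELLOXD_HASHES else []


def triage_network(destination: str) -> list[str]:
    """Match a destination IP or hostname against the IoC sets."""
    dest = normalize_host(destination)
    if dest in HELLOXD_IPS:
        return ["HelloXD infrastructure IP"]
    if dest in HELLOXD_DOMAINS:
        return ["HelloXD infrastructure domain"]
    return []


def triage_events(events: list[dict]) -> list[tuple[str, str]]:
    """Run each event through the triage function for its type and return
    (event_id, tag) pairs for everything that matched."""
    dispatch = {
        "process": lambda e: triage_process(e["cmdline"]),
        "file": lambda e: triage_file(e["path"]),
        "hash": lambda e: triage_hash(e["sha256"]),
        "network": lambda e: triage_network(e["dest"]),
    }
    hits = []
    for ev in events:
        for tag in dispatch[ev["type"]](ev):
            hits.append((ev["id"], tag))
    return hits


# Constructed sample telemetry (not taken from the report).
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process",
     "cmdline": r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Public\xd.exe"'},
    {"id": "e2", "type": "file", "path": r"C:\Users\alice\Documents\budget.xlsx.hello"},
    {"id": "e3", "type": "file", "path": r"C:\Users\alice\Desktop\Hello.txt"},
    {"id": "e4", "type": "file", "path": r"C:\Windows\System32\userlogin.exe"},
    {"id": "e5", "type": "hash",
     "sha256": "435781ab608ff908123d9f4758132fa45d459956755d27027a52b8c9e61f9589"},
    {"id": "e6", "type": "network", "dest": "фсб.com"},
    {"id": "e7", "type": "network", "dest": "8.8.8.8"},           # benign, no hit
    {"id": "e8", "type": "process", "cmdline": r"cmd.exe /C ping 1.1.1.1 -n 1"},  # no delete, no hit
]

if __name__ == "__main__":
    for event_id, tag in triage_events(SAMPLE_EVENTS):
        print(event_id, tag)
```

The hostname normalisation matters in practice: a DNS log may carry the Unicode form while the indicator feed carries the punycode form, and a plain string comparison would miss the match. Hash and IP matching is exact, so it only catches the listed samples and infrastructure; the command-line and file-name rules are behavioural and will also fire on variants that reuse the same self-deletion and ransom-note conventions.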

Read more: https://unit42.paloaltonetworks.com/helloxd-ransomware/