Xillen Stealer v5 AI Evasive InfoStealer

Xillen Stealer is a Python-based cross-platform information stealer whose v4 and v5 updates expand its capabilities to harvest credentials, browser data from 100+ browsers, cryptocurrency from 70+ wallets, container and cloud configurations, and biometric/TOTP data, while adding persistence, polymorphism, and P2P C2 features. The malware is marketed via Telegram by a group calling itself Xillen Killers; the developers have public GitHub activity, and sample hashes are published in the appendices.

Keypoints

  • Xillen Stealer v4/v5 is a Python-based infostealer targeting credentials, browser data, cryptocurrency wallets, system information, and biometric/TOTP artifacts across multiple platforms.
  • New functionality includes persistence, Kubernetes/Docker scanning, container credential collection, cloud API exfiltration via a CloudProxy, and P2P command-and-control mechanisms (including blockchain and IPFS options).
  • Anti-analysis and evasion features comprise an AIEvasionEngine (behavioral mimicry, timing/randomization, API call and memory obfuscation), polymorphic Rust engine, and multiple planned process-injection and bypass techniques.
  • Collectors target developer and cloud tooling (IDE configs, AWS/GCP/Azure credentials), password managers (OnePass, LastPass, BitWarden, Dashlane, NordPass, KeePass), SSH keys, SSO tokens, Kerberos tickets, and Windows biometric stores.
  • Exfiltration methods include steganography, NTFS ADS, whitespace encoding, cloud-service routing for blend-in traffic, Telegram reporting for stolen data, and support for DGA/.onion and anonymizing networks for C2.
  • The malware is commercially marketed on Telegram with a GUI for buyers; source code and commits have been posted to a public GitHub repository and multiple sample hashes are listed in the appendices.

MITRE Techniques

  • [T1059.006] Python – Xillen Stealer is implemented in Python and uses Python-based components to run stealing routines (‘Python-based information stealer “Xillen Stealer”’)
  • [T1555] Credentials from Password Stores – The stealer collects credentials from multiple stores and password managers (‘Ability to steal credentials from password managers’)
  • [T1555.003] Credentials from Web Browsers – The malware harvests browser data including history, cookies and saved passwords from many browsers (‘browser data (history, cookies and passwords) from over 100 browsers’)
  • [T1555.005] Credentials from Password Managers – Targets specific password managers to extract stored credentials (‘OnePass, LastPass, BitWarden, Dashlane, NordPass and KeePass’)
  • [T1649] Steal or Forge Authentication Certificates – The enterprise collector targets corporate certificates for credential or identity theft (‘corporate certificates’)
  • [T1558] Steal or Forge Kerberos Tickets – SSOCollector attempts to obtain Kerberos tickets via system commands for authentication theft (‘Kerberos tickets obtained through the klist command’)
  • [T1539] Steal Web Session Cookie – The stealer collects web session cookies as part of browser data harvesting (‘browser data (history, cookies and passwords) from over 100 browsers’)
  • [T1552.001] Unsecured Credentials: Credentials in Files – The tool scans files and config artifacts (e.g., .env) to harvest API keys and other credentials (‘API keys from .env files’)
  • [T1552.004] Unsecured Credentials: Private Keys – Xillen scans for key material such as SSH keys and private key files (‘SSH keys’)
  • [T1552.005] Unsecured Credentials: Cloud Instance Metadata API – The malware targets cloud credentials and may abuse cloud metadata/APIs for credential access and exfiltration (‘Cloud credentials and configurations’ / ‘exfiltrating data via Cloud APIs’)
  • [T1217] Browser Information Discovery – The stealer enumerates installed browsers and harvests stored browser artifacts (‘steal credentials … browser data (history, cookies and passwords) from over 100 browsers’)
  • [T1622] Debugger Evasion – Code includes modules and placeholders intended to evade debugging and analysis (API obfuscation and behavior mimicry) (‘AIEvasionEngine is a module designed to help malware evade AI-based or behavior-based detection systems, such as EDRs and sandboxes’)
  • [T1082] System Information Discovery – Xillen collects system and environment information to profile victims and prioritize targets (‘steal cryptocurrency, credentials, system information, and account information’)
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – The evasion engine includes system checks and timing/randomization to avoid sandbox detection (‘mimics legitimate user and system behavior…randomizes execution patterns’)
  • [T1115] Clipboard Data – The listed MITRE mappings include clipboard collection capability as part of the stealer’s data collection set (‘T1115 – Clipboard Data’)
  • [T1001.002] Data Obfuscation: Steganography – The stealer implements multiple steganography methods to hide data within images and other carriers before exfiltration (‘The SteganographyModule uses steganography (hiding data within an image)’)
  • [T1567] Exfiltration Over Web Service – CloudProxy routes stolen data through cloud service domains using HTTP POST to blend traffic with legitimate cloud services (‘exfiltrating data by routing it through cloud service domains’)
  • [T1657] Financial Theft – A central goal is stealing cryptocurrency and other financial assets from wallets and related applications (‘Ability to steal … cryptocurrency from over 70 wallets’)

Indicators of Compromise

  • [File Hash] malware samples – 395350d9cfbf32cef74357fd9cb66134 (confid.py), F3ce485b669e7c18b66d09418e979468 (stealer_v5_ultimate.py), and 1 more hash
  • [File Name] observed sample filenames – xillen_v5.exe, stealer_v5_ultimate.py (mapped to reported hashes)
  • [Repository URL] developer/distribution links – https://github[.]com/BengaminButton/XillenStealer, https://github[.]com/BengaminButton/XillenStealer/commit/9d9f105df4a6b20613e3a7c55379dcbf4d1ef465
  • [File Paths] targeted system artifacts – C:\Windows\System32\WinBioDatabase (Windows biometric DB), TokenBrokerCache (Azure AD token cache)
  • [Cloud Services] exfiltration/cover domains – AWS, GCP, Azure cloud domains used as CloudProxy placeholders for data exfiltration attempts
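The techniques and file-path indicators above translate directly into host-based hunting rules. The following is an added example (not code from the Darktrace post or from the malware) that applies three such rules to constructed process-creation and file-access events; the event fields, rule names and sample values are assumptions for illustration, and the paths are the ones the report names (klist for Kerberos tickets, WinBioDatabase, TokenBrokerCache, .env files).

```python
from dataclasses import dataclass

@dataclass
class Event:
    kind: str                 # "process" (process creation) or "file" (file access)
    image: str                # image path of the acting process
    parent_image: str = ""    # parent image (process events only)
    command_line: str = ""    # full command line (process events only)
    target: str = ""          # file path touched (file events only)

# Interpreter images a Python-based stealer would run under (assumption).
PYTHON_HOSTS = ("python.exe", "pythonw.exe")
# Path fragments taken from the report's IoC list; compared case-insensitively.
SENSITIVE_PATH_FRAGMENTS = ("winbiodatabase", "tokenbrokercache", "\\.env")

def evaluate(ev: Event) -> list[str]:
    """Return the names of the hunting rules matched by one event."""
    hits: list[str] = []
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    cmd = ev.command_line.lower()
    target = ev.target.lower()
    if ev.kind == "process" and parent.endswith(PYTHON_HOSTS):
        # T1558: Python interpreter spawning klist to enumerate Kerberos tickets.
        if image.endswith("\\klist.exe"):
            hits.append("python_spawns_klist")
        # Child process handed a credential-store path on its command line.
        if any(frag in cmd for frag in SENSITIVE_PATH_FRAGMENTS):
            hits.append("python_child_touches_credential_store")
    elif ev.kind == "file" and image.endswith(PYTHON_HOSTS):
        # T1552.001 / biometric and token caches: interpreter reading the store directly.
        if any(frag in target for frag in SENSITIVE_PATH_FRAGMENTS):
            hits.append("python_reads_credential_store")
    return hits

def hunt(events: list[Event]) -> list[tuple[int, list[str]]]:
    """Run every rule over a batch; return (event index, matched rules) for hits only."""
    return [(i, h) for i, ev in enumerate(events) if (h := evaluate(ev))]

# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\klist.exe", r"C:\Python311\python.exe", "klist"),
    Event("process", r"C:\Python311\python.exe", r"C:\Windows\explorer.exe", "python build.py"),
    Event("file", r"C:\Python311\pythonw.exe", target=r"C:\Windows\System32\WinBioDatabase\x.DAT"),
    Event("file", r"C:\Program Files\Google\Chrome\chrome.exe", target=r"C:\proj\.env"),
    Event("process", r"C:\Windows\System32\cmd.exe", r"C:\Python311\python.exe", r"cmd /c type C:\proj\.env"),
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS):
        print(idx, rules)
```

A benign developer running Python from Explorer (event 1) and a browser touching a .env file (event 3) produce no hits, which is the false-positive boundary these rules are meant to respect.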


Read more: https://www.darktrace.com/blog/xillen-stealer-updates-to-version-5-to-evade-ai-detection