XehookStealer

XehookStealer is a .NET-based information-stealing malware for Windows systems. It targets Chromium- and Gecko-based browsers and supports over 110 cryptocurrencies and 2FA extensions.

Key Insights

XehookStealer evolved from Agniane Stealer and the Cinoshi project. This lineage suggests a transition from malware-as-a-service (MaaS) offerings toward more complex tools such as XehookStealer.

Distribution Methods

XehookStealer is distributed via SmokeLoader binaries. SmokeLoader is a downloader that installs XehookStealer on compromised systems.

Command-and-Control Infrastructure

XehookStealer uses command-and-control (C2) servers to control infected systems. Researchers have identified multiple C2 servers, some of which are shared with Agniane Stealer, which points to shared infrastructure or a common author.

Known Variants

No specific named variants of XehookStealer have been identified, but its code overlaps with Agniane Stealer, indicating that the two are related malware families.

Mitigation Strategies

  • Implement endpoint protection solutions to detect and block malware execution.

  • Educate users about the risks of downloading and executing files from untrusted sources.

  • Monitor network traffic for unusual activities like unauthorized connections to external servers.

  • Keep software and security solutions updated to have the latest threat definitions and protection mechanisms.

Targeted Industries or Sectors

XehookStealer targets individual users, stealing credentials, cryptocurrency wallets, and browser data. Its support for multiple cryptocurrency platforms indicates a focus on users involved in digital currency transactions.

Associated Threat Actors

The development and distribution of XehookStealer are linked to MaaS platforms. Code overlap with Agniane Stealer and shared C2 infrastructure suggest a common author or collaboration between the two operations.
