XehookStealer is a .NET information stealer for Windows systems. It targets Chromium- and Gecko-based browsers and supports over 110 cryptocurrencies and 2FA extensions.
XehookStealer evolved from Agniane Stealer and the Cinoshi project, which suggests a transition from malware-as-a-service (MaaS) offerings to more complex tools such as XehookStealer.
Distribution Methods
The malware is distributed via SmokeLoader binaries: SmokeLoader is a downloader that installs XehookStealer on compromised systems.
Command-and-Control Infrastructure
XehookStealer uses C2 servers to control infected systems. Researchers have identified multiple C2 servers, some of which are shared with Agniane Stealer, indicating shared infrastructure or a common author.
No specific named variants of XehookStealer have been identified, but its code overlaps with Agniane Stealer, indicating that the two are related malware families.
Implement endpoint protection solutions to detect and block malware execution.
Educate users about the risks of downloading and executing files from untrusted sources.
Monitor network traffic for unusual activity, such as unauthorized connections to external servers.
Keep software and security solutions updated so that the latest threat definitions and protection mechanisms are in place.
XehookStealer targets individual users, stealing credentials, cryptocurrency wallets and browser data. Its support for multiple cryptocurrency platforms indicates a focus on users involved in digital currency transactions.
The development and distribution of XehookStealer are linked to MaaS platforms. The code overlap with Agniane Stealer and the shared C2 infrastructure point to the same author or to collaboration between authors.