Cyber Threat Actor: XLoader Botnet
| Actor Type | Location | Known Incidents |
|---|---|---|
| Criminal | United States of America | 1 incident |
Profile
XLoader Botnet is a threat actor tracked under that name and associated with the Metprom Group, which is reported to operate from the United States of America. The actor’s infrastructure and malware have been observed in publicly disclosed incidents that link the botnet to this group. No state sponsorship or affiliation with a broader criminal consortium has been stated in the available sources; the XLoader Botnet moniker remains the actor’s primary identifier across its campaigns.
The malware attributed to XLoader Botnet is an information stealer that targets both Windows and macOS, indicating a broad user-base focus rather than a specific industry sector. Its notable tactic is a probability-based evasion technique that conceals the real command-and-control infrastructure by dynamically overwriting domains in the malware’s configuration list: on each communication attempt it replaces eight randomly selected domains drawn from a pool of sixty-four. Because the set of contacted domains changes from one attempt to the next, a blocklist built from a single capture (whether of the domains themselves or of the IPs they resolve to) covers only a small part of the next attempt’s traffic, and researchers must observe many runs before the full list, and the live C2 hidden within it, can be established. These behaviors reflect tooling built around resilient, adaptive C2 mechanisms rather than reliance on static infrastructure.
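The following model, added here as an illustration and not XLoader’s own code, shows why the rotation described above degrades capture-based blocking. It assumes (these are modelling assumptions, not facts from the page) a 64-entry list, eight entries contacted per beacon attempt chosen uniformly at random, and a defender who blocklists whatever the previous attempt contacted; the domain names are constructed placeholders.

```python
"""Model of a rotating decoy-domain C2 list of the kind described for XLoader.

Added illustration, not XLoader's code. Assumptions (not from the page):
the config list has 64 entries, each beacon attempt contacts 8 of them
chosen uniformly at random, and the defender blocklists whatever the
previous attempt contacted. Domain names are constructed placeholders.
"""
import random
from collections import Counter

POOL_SIZE = 64
PER_ATTEMPT = 8

# Constructed placeholder list; a real config carries attacker-chosen domains.
DOMAIN_POOL = [f"decoy{i:02d}.example" for i in range(POOL_SIZE)]


def pick_attempt_domains(pool, seed, k=PER_ATTEMPT):
    """Domains contacted in one beacon attempt: k distinct entries drawn
    uniformly from the pool. The seed stands in for the malware's RNG state."""
    return random.Random(seed).sample(pool, k)


def expected_overlap(pool_size=POOL_SIZE, k=PER_ATTEMPT):
    """Expected number of domains shared by two independent attempts
    (hypergeometric mean): k * k / pool_size. With 8 of 64 this is 1.0,
    i.e. a blocklist from one capture stops about one of the next eight."""
    return k * k / pool_size


def blocklist_hit_rate(attempts=2000, seed=2022, pool=DOMAIN_POOL):
    """Defender blocks the domains seen in the previous attempt; return the
    fraction of the next attempt's contacts that were already blocked,
    averaged over `attempts` rounds. Expected value is k/pool_size = 0.125."""
    rng = random.Random(seed)
    blocked = set(rng.sample(pool, PER_ATTEMPT))
    hits = 0
    for _ in range(attempts):
        current = rng.sample(pool, PER_ATTEMPT)
        hits += sum(1 for d in current if d in blocked)
        blocked = set(current)  # defender updates from the latest capture
    return hits / (attempts * PER_ATTEMPT)


def attempts_to_enumerate_pool(seed=2022, pool=DOMAIN_POOL, limit=10_000):
    """How many observed attempts (e.g. separate sandbox runs) are needed
    before every entry of the pool has been seen at least once. Returns
    None if the limit is reached first."""
    rng = random.Random(seed)
    seen = Counter()
    for n in range(1, limit + 1):
        seen.update(rng.sample(pool, PER_ATTEMPT))
        if len(seen) == len(pool):
            return n
    return None


if __name__ == "__main__":
    print(f"expected overlap per attempt: {expected_overlap():.2f} of {PER_ATTEMPT}")
    print(f"blocklist hit rate over 2000 attempts: {blocklist_hit_rate():.3f}")
    print(f"attempts needed to observe all {POOL_SIZE} domains: "
          f"{attempts_to_enumerate_pool()}")
```

The numbers are the practical point: a per-capture blocklist stops roughly one in eight contacts, and dozens of independent observations are needed just to enumerate the list, before any work to separate the live C2 from its decoys begins. Aggregating contacted domains across many runs (the `Counter` above) is the natural starting point for that separation.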
A representative operation occurred on May 31, 2022, when the Metprom Group deployed an updated version of the XLoader botnet incorporating the probability-based evasion strategy described above. The campaign showed the actor refreshing its malware version while keeping the core information-stealing functionality and domain-rotation evasion intact. The incident is cited in security reporting as an example of how the actor adapts its techniques to hinder disruption attempts. No additional campaigns or operational details are publicly documented in the provided context.
