
Cyber Incident Victim: Metprom Group

Date:

May 2022

Location:

United States of America

Summary

Metprom Group deployed an updated version of the XLoader botnet malware that uses a probability-based evasion technique to conceal its command-and-control (C2) infrastructure, dynamically overwriting domains in its configuration list to hinder disruption efforts. The malware, an information stealer targeting Windows and macOS systems, replaces eight randomly selected domains from a pool of 64 with randomly generated domains during each communication cycle, which sharply reduces the value of domain and IP blocklists built from observed traffic and complicates tracking by researchers. The approach improves the operators' resilience by lowering the risk of losing C2 nodes to takedown while obscuring their footprint.

CIA Posture: Available to members
Motives: 8 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In late May 2022, cybersecurity researchers identified a significant evolution in the XLoader botnet malware operated by the Metprom Group. The new variants, versions 2.5 and 2.6, introduced a technique that relies on probability to obscure the command-and-control (C2) infrastructure: in each communication cycle the malware overwrites 8 randomly selected entries of a predefined list of 64 domains, changing the C2 endpoints an observer sees while keeping connectivity to the operational servers. XLoader, originally derived from the Formbook information stealer, targets both Windows and macOS systems and has been observed in widespread deployments since January 2021. Check Point researchers confirmed the behavioural change through analysis of recent samples and noted that, by design, the real C2 domain remains persistently reachable only if it sits in the second half of the list. An entry in the first half is eventually overwritten by a randomly generated domain in a subsequent cycle, which complicates efforts to map and block the infrastructure.
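The rotation described above, as an added simulation written for this page; it is not XLoader's code and not Check Point's reconstruction of it. The model assumes a 64-entry list with one real C2 domain, that each cycle overwrites 8 randomly chosen slots in the first half of the list with fresh random domains (so a second-half entry is never touched, matching the behaviour the text describes; the exact slot-selection rule of the real sample is not given on this page), and uses placeholder `*.example` names. It derives the survival probability of a first-half entry in closed form, checks it by Monte Carlo, and shows what an analyst dumping the configuration every cycle would accumulate.

```python
"""Constructed model of XLoader 2.5/2.6 C2-list rotation (not the malware's code)."""
import random
import string
from typing import Dict, List, Optional

LIST_SIZE = 64                 # domains in the configuration list
OVERWRITE_PER_CYCLE = 8        # slots replaced in every communication cycle
AT_RISK = LIST_SIZE // 2       # model assumption: only the first half is ever overwritten
REAL_C2 = "c2.real.example"    # placeholder for the single operational server


def random_decoy(rng: random.Random) -> str:
    """Throwaway domain of the kind the rotation writes into the list (placeholder TLD)."""
    label = "".join(rng.choices(string.ascii_lowercase + string.digits, k=10))
    return f"{label}.example"


def build_config(rng: random.Random, real_idx: int) -> List[str]:
    """Initial 64-entry list: 63 decoys plus the real C2 at real_idx."""
    cfg = [random_decoy(rng) for _ in range(LIST_SIZE)]
    cfg[real_idx] = REAL_C2
    return cfg


def rotate(cfg: List[str], rng: random.Random) -> List[int]:
    """One communication cycle: overwrite 8 distinct first-half slots. Returns the slots hit."""
    hit = rng.sample(range(AT_RISK), OVERWRITE_PER_CYCLE)
    for slot in hit:
        cfg[slot] = random_decoy(rng)
    return hit


def survival_probability(cycles: int) -> float:
    """Closed form: a first-half entry survives one cycle with probability 1 - 8/32 = 0.75;
    cycles are independent, so P(survives n cycles) = 0.75 ** n."""
    return (1 - OVERWRITE_PER_CYCLE / AT_RISK) ** cycles


def expected_cycles_until_loss() -> float:
    """Geometric: each cycle hits a given first-half slot with p = 8/32, so the mean
    number of cycles until the entry is overwritten is 1/p = 4 (about 320-360 s at
    the 80-90 s cycle time reported in the text)."""
    return AT_RISK / OVERWRITE_PER_CYCLE


def estimate_survival(real_idx: int, cycles: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of survival_probability() for a real C2 placed at real_idx."""
    rng = random.Random(seed)
    survived = 0
    for _ in range(trials):
        cfg = build_config(rng, real_idx)
        for _ in range(cycles):
            rotate(cfg, rng)
        survived += REAL_C2 in cfg
    return survived / trials


def simulate(real_idx: int, cycles: int, seed: int = 7) -> Dict[str, object]:
    """Analyst's view: dump the list after every cycle, union everything seen, and keep
    the set of entries that were present in every dump."""
    rng = random.Random(seed)
    cfg = build_config(rng, real_idx)
    seen = set(cfg)
    persistent = set(cfg)
    lost_at: Optional[int] = None
    for n in range(1, cycles + 1):
        rotate(cfg, rng)
        seen.update(cfg)
        persistent &= set(cfg)
        if lost_at is None and REAL_C2 not in cfg:
            lost_at = n
    return {
        "real_present": REAL_C2 in cfg,
        "lost_at_cycle": lost_at,
        "distinct_domains_seen": len(seen),     # grows by 8 useless entries per cycle
        "persistent_entries": len(persistent),  # converges to the untouched half (32)
    }


if __name__ == "__main__":
    print("P(first-half entry survives 4 cycles) =", survival_probability(4))
    print("Monte Carlo estimate                  =", estimate_survival(3, 4, 3000))
    print("mean cycles until loss                =", expected_cycles_until_loss())
    print("real C2 in first half, 60 cycles      :", simulate(3, 60))
    print("real C2 in second half, 60 cycles     :", simulate(40, 60))
```

Two things fall out of the model that the paragraph only states qualitatively. First, a real C2 in the first half lasts only about four cycles on average, so the operator has to keep it in the untouched half, and a configuration dump from a single moment is a poor indicator of which entry matters. Second, a blocklist built from observed domains grows by eight random, never-again-used entries per cycle, while intersecting dumps across many cycles only narrows the candidates to the 32 untouched slots rather than identifying the real server; the analyst still has to probe those.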


The operational impact of this update was improved infrastructure resilience for the Metprom Group. By rotating domain entries every 80-90 seconds, the botnet reduced the exposure of its real C2 nodes to takedown efforts and to domain or IP blocking while keeping malware communication uninterrupted. This lowered the risk of losing control over compromised devices and made attribution through infrastructure analysis less likely. XLoader's core functionality as a data stealer remained intact: credential theft, keystroke logging and exfiltration of sensitive information from infected systems. Check Point's analysis confirmed the mechanism technically but did not disclose victim statistics or the geographic scope of impact. The adaptation shows the group's focus on persistence and operational security; at the time of reporting, no public disclosures indicated infrastructure disruptions or law enforcement actions coinciding with this specific update.

Sources

1 source (available to members)