- Check Point used GenAI to semi-automate reverse engineering of the elusive information thief XLoader
- AI cracked code, revealed APIs and discovered 64 hidden C2 domains and sandbox evasion tricks
- XLoader evolved from Formbook; AI increases analysis speed but does not replace human malware analysts
Cybersecurity researchers at Check Point Research may have cracked one of the most devious malware families to ever exist, thanks to Generative Artificial Intelligence (GenAI).
In a new blog post, the researchers explained that analyzing malware is a time-consuming manual process that requires researchers to “unpack binaries, trace functions, and create decryption scripts.” Analyzing XLoader, an infamous information thief that has been around for about half a decade, is harder still, because its code cannot be isolated.
That’s when Check Point turned to AI for help. Using ChatGPT, the researchers combined two complementary workflows: cloud-based static analysis and MCP-assisted runtime analysis. The first exports data from IDA Pro and allows AI to analyze it in the cloud. “The model identified encryption algorithms, recognized data structures, and even generated Python scripts to decrypt sections of code,” the researchers explained.
Unpacking XLoader
The second connected the AI to a live debugger to extract runtime values such as encryption keys, decrypted buffers, and in-memory C2 data. “This hybrid AI workflow turned tedious manual reverse engineering into a semi-automated process that is faster, repeatable, and easier to share across teams.”
Check Point was impressed with the results. They claim to have cracked the core code, revealed layers of encryption, unmasked hidden APIs, recovered 64 hidden C2 domains, and discovered a new sandbox evasion mechanism called “safe calling springboard.”
In short, AI helped discover how XLoader hides, communicates and protects itself, which is crucial information in the fight against infections. Still, Check Point emphasized that despite the great work, AI “does not replace malware analysts” but rather “supercharges” them with speed, reproducibility, insight and defense.
The first records of XLoader date back to 2021, when Check Point Research spotted it in the wild, stealing data from macOS users. It evolved from the infamous Formbook malware, which at the time had been active for over five years. Formbook was initially created as a simple keylogger and mainly targeted Windows users; it was later updated and renamed XLoader.