New JinxLoader Targeting Users with Formbook and XLoader Malware

Jan 01, 2024 | Newsroom | Malware / Dark Web

A new Go-based malware loader called JinxLoader is being used by threat actors to deliver next-stage payloads such as Formbook and its successor XLoader.

The disclosure comes from cybersecurity firms Palo Alto Networks Unit 42 and Symantec, both of which highlighted multi-step attack sequences that led to the deployment of JinxLoader through phishing attacks.

“The malware pays homage to League of Legends character Jinx, featuring the character on its ad poster and [command-and-control] login panel,” Symantec said. “JinxLoader’s primary function is straightforward – loading malware.”

Unit 42 revealed in late November 2023 that the malware service was first advertised on hackforums[.]net on April 30, 2023, for $60 a month, $120 a year, or for a lifetime fee of $200.


The attacks begin with phishing emails impersonating Abu Dhabi National Oil Company (ADNOC), urging recipients to open password-protected RAR archive attachments that, upon opening, drop the JinxLoader executable, which subsequently acts as a gateway for Formbook or XLoader.

The development comes as ESET revealed a spike in infections delivering another novice loader malware family dubbed Rugmi, which is used to propagate a wide range of information stealers.

It also comes amid a surge in campaigns distributing DarkGate and PikaBot, with a threat actor known as TA544 (aka Narwal Spider) leveraging new variants of loader malware called IDAT Loader to deploy Remcos RAT or SystemBC malware.

What’s more, the threat actors behind the Meduza Stealer have released an updated version of the malware (version 2.2) on the dark web with expanded support for browser-based cryptocurrency wallets and an improved credit card (CC) grabber.


In a sign that stealer malware continues to be a lucrative market for cybercriminals, researchers have discovered a new stealer family known as Vortex Stealer that’s capable of exfiltrating browser data, Discord tokens, Telegram sessions, system information, and files that are less than 2 MB in size.

“Stolen information will be archived and uploaded to Gofile or Anonfiles; the malware will also post it onto the author’s Discord using webhooks,” Symantec said. “It’s also capable of posting to Telegram via a Telegram bot.”
