Key Highlights
- XLoader 8.0 malware is one of the most evasive and persistent information stealers in the wild, using multi-layer encryption, fake domains, and constant updates to avoid detection.
- Check Point Research used AI-assisted malware analysis to understand it faster than ever, turning days of manual reverse engineering into hours.
- Generative AI automatically identified encryption layers, decrypted functions, and uncovered hidden command-and-control (C2) domains.
- The result: faster IoC extraction, better threat intelligence, and improved protection for users worldwide.
The challenge: an analyst’s nightmare
XLoader has been evolving since 2020 as a successor to the FormBook malware family. It specializes in stealing information, hiding its code behind multiple encryption layers, and constantly morphing to evade antivirus tools and sandboxes.
Traditional malware analysis is slow and manual—requiring experts to unpack binaries, trace functions, and build decryption scripts by hand. Even sandboxing (running malware in a controlled environment) doesn’t help much, because XLoader decrypts itself only while running and detects when it’s being monitored, keeping its real code hidden.
This makes XLoader a prime example of modern malware that uses time, complexity, and obfuscation as weapons.
Read Check Point Research’s full report
The turning point: AI-assisted reverse engineering
Check Point Research turned to AI-driven malware analysis to speed up and automate the process. Using ChatGPT (GPT-5), we combined two complementary workflows:
- Cloud-based static analysis: Exported data from IDA Pro (disassembly, decompiled functions, and strings) and let the AI analyze it in the cloud. The model identified encryption algorithms, recognized data structures, and even generated Python scripts to decrypt sections of code.
- MCP-assisted runtime analysis: Connected the AI to a live debugger to extract runtime values such as encryption keys, decrypted buffers, and in-memory C2 data.
This hybrid AI workflow turned tedious manual reverse engineering into a semi-automated process that’s faster, repeatable, and easy to share across teams.
What the AI uncovered
Using the new workflow, we achieved concrete results:
- Decrypted core code: AI-generated scripts unlocked more than 100 previously encrypted functions.
- Revealed encryption layers: Identified three complex decryption schemes using modified RC4 algorithms and XOR markers.
- Unmasked hidden APIs: Automatically deobfuscated Windows API calls hidden behind custom hashing.
- Recovered 64 hidden C2 domains: Decrypted multiple layers of Base64 and RC4 encoding to expose real attacker infrastructure.
- Discovered new sandbox evasion: Found a “secure-call trampoline” that temporarily encrypts parts of the malware during execution to avoid monitoring.
In short, AI helped unpack how XLoader hides, communicates, and protects itself, which are crucial insights for improving detection and prevention. These findings directly strengthened our threat intelligence feeds, allowing Check Point protections to update faster and more accurately.
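The C2 recovery described above peels alternating Base64 and RC4 layers off a blob until domain strings appear. As an added example (not Check Point Research's tooling, and not XLoader's actual scheme), the script below builds a constructed two-layer sample with placeholder domains and keys, then undoes the layers and pulls out domain-like strings. Textbook RC4 is assumed here because the page only says XLoader's RC4 is "modified" without detailing the modification; in practice the key for each layer is the runtime value the report says was pulled from the debugger.

```python
import base64
import re
from typing import List

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: one call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def peel_layers(blob: bytes, keys: List[bytes]) -> bytes:
    """Undo Base64-then-RC4 layers, outermost first. keys[k] is the RC4 key
    for the k-th layer in peeling order (one key per layer)."""
    data = blob
    for key in keys:
        data = base64.b64decode(data, validate=True)  # strict: reject non-Base64 junk
        data = rc4(key, data)
    return data

# Loose domain matcher for the decrypted buffer; refine per sample if needed.
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def extract_domains(plain: bytes) -> List[str]:
    """Return unique, sorted domain-looking strings found in a decrypted buffer."""
    return sorted({m.decode() for m in DOMAIN_RE.findall(plain.lower())})

def recover_c2_domains(blob: bytes, keys: List[bytes]) -> List[str]:
    return extract_domains(peel_layers(blob, keys))

# Constructed sample (placeholders, not real IoCs): three NUL-separated domains
# wrapped in two Base64-over-RC4 layers, mimicking the layered C2 list.
SAMPLE_DOMAINS = b"c2-example-one.test\x00c2-example-two.test\x00cdn-placeholder.test"
LAYER_KEYS = [b"outer-key-placeholder", b"inner-key-placeholder"]

def build_sample() -> bytes:
    data = SAMPLE_DOMAINS
    for key in reversed(LAYER_KEYS):          # apply the innermost layer first
        data = base64.b64encode(rc4(key, data))
    return data

if __name__ == "__main__":
    print(recover_c2_domains(build_sample(), LAYER_KEYS))
```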
Why AI is a game changer in cyber security
AI doesn’t replace malware analysts. Rather, it supercharges them.
- Speed: Tasks that once took days can now be completed in under an hour.
- Reproducibility: Anyone with the exported dataset can re-run the AI workflow and validate results.
- Insight: Automation frees analysts to focus on high-level behaviors—how malware spreads, steals, and evolves.
- Defense: Faster extraction of indicators of compromise (IoCs) shortens the time between threat discovery and protection rollout.
Generative AI is now a powerful tool for incident response, reverse engineering, and threat hunting.
The bigger picture
Malware authors will likely adapt to AI-driven analysis, but the defensive advantage is clear: AI allows defenders to respond in near real time to complex, encrypted threats like XLoader.
At Check Point Research, we continue to refine these workflows, combining AI automation, scripting, and runtime validation to scale malware analysis and threat detection.
Protection and coverage
Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and operating systems and protect against the attacks and threats described in this report.
