One of the most devious malware strains might have been cracked – and it’s all thanks to Gen AI

By Tech Wavo
November 4, 2025
in Computers

  • Check Point used GenAI to semi-automate reverse engineering of the evasive XLoader infostealer
  • AI decrypted code, revealed APIs, and uncovered 64 hidden C2 domains and sandbox evasion tricks
  • XLoader evolved from Formbook; AI boosts analysis speed but doesn’t replace human malware analysts

Researchers at Check Point Research say they have cracked open one of the most evasive malware families in circulation, the XLoader infostealer, with help from generative artificial intelligence (GenAI).

In a new blog post, the researchers explained that analyzing malware is a slow, manual process in which analysts “unpack binaries, trace functions, and build decryption scripts”. XLoader, an infostealer that has been around for roughly half a decade, is harder still: its layers of encryption and its sandbox-evasion checks mean that simply detonating a sample in an automated sandbox does not reliably reveal what it does.

That is where Check Point turned to AI for assistance. Using ChatGPT, the researchers combined two complementary workflows: cloud-based static analysis, and runtime analysis assisted through the Model Context Protocol (MCP). In the first, data exported from IDA Pro is handed to the model for analysis in the cloud. “The model identified encryption algorithms, recognized data structures, and even generated Python scripts to decrypt sections of code,” the researchers explained.

Unpacking XLoader

The second workflow connects the model to a live debugger so it can pull out runtime values that static analysis alone cannot see, such as encryption keys, decrypted buffers, and C2 data held in memory. “This hybrid AI workflow turned tedious manual reverse engineering into a semi-automated process that’s faster, repeatable, and easy to share across teams.”
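The two workflows above meet in the kind of script the article mentions: a small decryptor that peels the encryption off a configuration blob and recovers the C2 list, where the blob comes from the static side (carved out of the unpacked binary) and the key from either the static or the debugger side. The example below is added here as an illustration and is not Check Point's code, nor XLoader's real scheme; the layout (an RC4 layer over a length-prefixed table whose entries are XORed with a single byte), the key, the `ENTRY_XOR` constant and the domain strings are all assumed for the demonstration. It also includes the sanity check a practitioner wants before trusting any decryptor's output: a wrong key still produces bytes that may parse, so the result is filtered for strings that actually look like hostnames.

```python
"""Illustrative decryption script for an encrypted C2 table.

Toy scheme (assumed for this example, not XLoader's real one):
RC4 over a table laid out as  u16 count | [u8 len][len bytes ^ ENTRY_XOR]...
"""
import re
import struct
from typing import List

# Constructed for this example. In a static workflow these would be carved out of
# the unpacked binary; in a debugger-assisted workflow the key would be read from
# memory after the malware derives it.
KEY = b"example-rc4-key"
ENTRY_XOR = 0x5A
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_table(entries: List[bytes]) -> bytes:
    """Serialise entries in the assumed layout (used only to construct the sample)."""
    body = struct.pack("<H", len(entries))
    for entry in entries:
        body += struct.pack("<B", len(entry)) + bytes(b ^ ENTRY_XOR for b in entry)
    return body


def decrypt_table(blob: bytes, key: bytes) -> List[str]:
    """Peel the RC4 layer, then walk the length-prefixed table with bounds checks."""
    plain = rc4(key, blob)
    if len(plain) < 2:
        raise ValueError("blob too short for a count field")
    (count,) = struct.unpack_from("<H", plain, 0)
    pos = 2
    entries = []
    for _ in range(count):
        if pos >= len(plain):
            raise ValueError("table truncated: count exceeds data")
        length = plain[pos]
        pos += 1
        raw = plain[pos:pos + length]
        if len(raw) != length:
            raise ValueError("table truncated inside an entry")
        pos += length
        entries.append(bytes(b ^ ENTRY_XOR for b in raw).decode("ascii", errors="replace"))
    return entries


def plausible_domains(entries: List[str]) -> List[str]:
    """Sanity filter: a wrong key still yields bytes that may parse, so only keep
    strings that look like hostnames before believing the recovered list."""
    return [e for e in entries if DOMAIN_RE.match(e)]


# Constructed sample; encrypting it here stands in for carving it out of a binary.
SAMPLE_DOMAINS = [b"update-check.example", b"cdn-assets.example.net", b"telemetry.example.org"]
ENCRYPTED_BLOB = rc4(KEY, build_table(SAMPLE_DOMAINS))


def recover_c2(blob: bytes = ENCRYPTED_BLOB, key: bytes = KEY) -> List[str]:
    """End-to-end: decrypt, parse, and filter the C2 table."""
    return plausible_domains(decrypt_table(blob, key))


if __name__ == "__main__":
    for domain in recover_c2():
        print(domain)
    try:
        print("wrong key ->", recover_c2(key=b"wrong"))
    except ValueError as exc:
        print("wrong key ->", exc)
```

Once a script like this is known to work on one sample, the same decryptor can be re-run over every new build of the family, which is the repeatability the researchers highlight; the debugger-assisted workflow only has to supply the fresh key.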

Check Point was impressed with the results. They claim to have decrypted core code, revealed encryption layers, unmasked hidden APIs, recovered 64 hidden C2 domains, and discovered a new sandbox evasion mechanism called “secure-call trampoline”.

In short, AI helped unpack how XLoader hides, communicates, and protects itself, which is exactly the information defenders need to detect and block it. Still, Check Point stressed that, despite the results, AI “doesn’t replace malware analysts” but rather “supercharges” them with speed, reproducibility, insight, and defense.

Check Point Research first reported XLoader in 2021, when it saw the malware in the wild stealing data from macOS users. XLoader evolved from the infamous Formbook malware, which by then had been active for over five years. Formbook started out as a simple keylogger that primarily targeted Windows users; it was later upgraded and rebranded as XLoader.
