New JinxLoader Targeting Users with Formbook and XLoader Malware

A new Go-based malware loader called JinxLoader is being used by threat actors to deliver next-stage payloads such as Formbook and its successor XLoader.

The disclosure comes from cybersecurity firms Palo Alto Networks Unit 42 and Symantec, both of which highlighted multi-step attack sequences that led to the deployment of JinxLoader through phishing attacks.

“The malware pays homage to League of Legends character Jinx, featuring the character on its ad poster and [command-and-control] login panel,” Symantec said. “JinxLoader’s primary function is straightforward – loading malware.”

Unit 42 revealed in late November 2023 that the malware service was first advertised on hackforums[.]net on April 30, 2023, for $60 a month, $120 a year, or for a lifetime fee of $200.

The attacks begin with phishing emails impersonating Abu Dhabi National Oil Company (ADNOC), urging recipients to open password-protected RAR archive attachments that, upon opening, drop the JinxLoader executable, which subsequently acts as a gateway for Formbook or XLoader.

The development comes as ESET revealed a spike in infections, delivering another novice loader malware family dubbed Rugmi to propagate a wide range of information stealers.

It also comes amid a surge in campaigns distributing DarkGate and PikaBot, along with a threat actor known as TA544 (aka Narwal Spider) leveraging new variants of loader malware called IDAT Loader to deploy Remcos RAT or SystemBC malware.

What’s more, the threat actors behind the Meduza Stealer have released an updated version of the malware (version 2.2) on the dark web with expanded support for browser-based cryptocurrency wallets and an improved credit card (CC) grabber.

In a sign that stealer malware continues to be a lucrative market for cybercriminals, researchers have also discovered a new stealer family known as Vortex Stealer that’s capable of exfiltrating browser data, Discord tokens, Telegram sessions, system information, and files that are less than 2 MB in size.

“Stolen information will be archived and uploaded to Gofile or Anonfiles; the malware will also post it onto the author’s Discord using webhooks,” Symantec said. “It’s also capable of posting to Telegram via a Telegram bot.”