Multilingua
EXCLUSIVE the hacker chasing pedophiles

Matrice Digitale is the only newspaper that has been following the mechanics of online paedophilia very closely for a long time. In recent months we have published several exclusives thanks to activists and hackers who contribute every day by reporting prohibited child-abuse content. After interviewing the international component linked to Anonymous, we move to Brazil, where the hacker Spy_Unknown explains the reason for his actions beyond the limits of legality, actions that nonetheless carry a very clear message: report paedophile sites, denounce flesh-and-blood paedophiles, and make hacked entities aware of the fight against child abuse.
How many websites have you hacked?
I don't count, but since I started my "hacking life" I think it's over 2k websites hacked, some with specific purposes and others just for fun, BUT, since I started #OPPedoGate, it's over 100 hacked websites just for the operation.
You know that hacking websites is criminal. Is the message against paedophilia your only objective, or do you want to test and show your hacking skills?
I know that it is a crime, and I know most countries treat it as cybercrime, but from my point of view I don't see it like that... I think I'm doing a favour for the owners of the hacked domains/webservers, showing them by defacing their sites that they aren't too safe, and if I can do just a simple deface, others might do something worse.
No, my only goal is to get some attention for paedophilia on the internet, 'cause it's real... it's expanding, and still lots of people neglect child abuse for many reasons, and I want to make them pay, not just the paedophiles themselves but also the companies and people who support this, by the way. Anyway, I don't need to prove my skills to anybody, 'cause I know better than anyone what I'm capable of, and for the first time I'm doing something useful for a social cause, and it makes me feel a bit better... I want to change some of this, raise people's awareness at least... make them pay more attention to their kids and to what's going on. I'm trying to change a little bit of this awful world, well, at least I'm trying.
What have you learned from your activity about paedophilia on the web?
I already had an idea, but I have learned a lot. I know a bit better how paedophiles act; they usually choose their victims by which kids are more neglected by their parents, people who are busy with their lives in general and don't take seriously what their kids tell them. I figured out some types of paedophiles:
Paedophiles are commonly "sweet" people (sorry, I don't know how to say it in English), and they know how to get the attention of kids and win them over with their charisma, usually being close to the victims' parents as well. This is what I call the "type 1" paedophile; although they can be charismatic people who know exactly what they are doing, they only exploit neglected kids, so kind of stupid people; it is an easy type to spot if the parents pay a little bit more attention to their kids' behaviour and, certainly, to what they say.
Now, we have the paedophile families, which I thought were just isolated "cases/events", but it's more common than type 1.
Most common in European, Asian and African countries, but I found events like that even in the Americas as well. Kids who are sexually exploited by their parents and relatives in general... in some cases I found, I noticed that parents treat this like a normal way of living together; although they know it is a criminal act, they don't stop, and some parents don't do this just for "pleasure", but also to make some profit, selling material they produce, like photos/videos and recordings of the sexual act. This is what I call type 2.
And we have those who "become" paedophiles by "living together", wherever that is... people who have some contact with kids during the day, you know? Job, school, etc. This kind of paedophile, which I call "type 3", is the one who has never done something like this before but already has some "tendency" to do it, disturbed minds who eventually like kids in the wrong way. Those types are the most difficult to figure out, 'cause they usually don't have any history of sexual disorder and they really don't appear to be like that, but this kind can usually be spotted looking weirdly at a kid, talking nonsense shit, or even touching too much.
Do you think those websites are reached by users directly or via referrals, maybe on the dark web?
No, I think no one can find these websites just by accident, you know? If you end up there, you are looking for some shit, at least with kids involved.
Most of these websites are monetized with adult content and stuff, which leads me to think that webservers in general make some profit from this kind of content, and that is why I think they don't take it down, 'cause it receives a lot of traffic and consequently increases their profits.
Which nations are involved in the production of child pornography content?
I found businesses and isolated paedophiles in these countries: Netherlands, Russia, Ukraine, Kazakhstan, Denmark, Germany, Hungary, Italy, Luxembourg, Portugal, Serbia, Turkey, Austria, Australia, Sweden, United Arab Emirates, France, Taiwan, Japan, China, India, Pakistan, Afghanistan, Malaysia, Philippines, Singapore, Indonesia, Thailand, Czech Republic, Belize, USA, Canada, Mexico, Venezuela, Brazil, Chile.
What is your future goal on the web?
I'll keep myself committed to this! I'm receiving some reports through the internet, and I'm thinking of making a blog to explain this and expose more cases in detail, with the permission of the parents involved, of course.
I'll keep hacking webservers and exposing this by defacing websites as well.
Cyberpunk 2077 drives CD Projekt RED's 2022 results
Reading time: < 1 minute. The renewed success of Cyberpunk 2077 helped make 2022 the second-best year ever for the Polish studio CD Projekt RED

CD Projekt RED saw a significant increase in revenue in 2022, mainly thanks to sales of Cyberpunk 2077, which helped make 2022 the second-best year ever for the development studio.
Cyberpunk 2077 sales drive profits
CD Projekt RED's 2022 revenue reached about 222 million dollars, with a net profit of about 80 million dollars. These results were driven mainly by sales of Cyberpunk 2077, which saw renewed success thanks to the next-gen update and the popular animated series Cyberpunk: Edgerunners.
Factors contributing to the success
The next-gen update of Cyberpunk 2077 and the success of Cyberpunk: Edgerunners on Netflix played an important role in reviving the game's popularity. CD Projekt RED CEO Adam Kicinski said that the positive reception of the update and the popularity of the series had a considerable impact on sales and on the perception of the game.
The future of Cyberpunk 2077 and CD Projekt RED
CD Projekt RED is preparing for the launch of the Phantom Liberty DLC, scheduled for June, which should further expand the franchise and fan engagement. With renewed interest in Cyberpunk 2077, the Polish studio is committed to expanding the reach of the franchise and offering new content to players.

Official: E3 cancelled due to lack of interest from video game publishers
Reading time: < 1 minute. The most anticipated gaming show of the year is cancelled after Ubisoft's withdrawal and the disinterest of other industry giants

E3 2023, one of the most important events in the video game industry, has been cancelled. The Entertainment Software Association (ESA) confirmed the cancellation of the event after Ubisoft's withdrawal and a series of discouraging rumours.
The cancellation of E3 2023
The ESA informed its partners of the decision to cancel this year's Electronic Entertainment Expo (E3) due to a lack of interest from the industry. Although E3 is a much-loved event, the 2023 edition did not gather enough enthusiasm to go ahead. The ESA did not mention the possibility of organising the show in the future.
The ESA's statement
Following the spread of the news, the ESA released a public statement through Kyle Marsden-Kish, Vice President of Games at ReedPop. Marsden-Kish said the decision was difficult but necessary for the good of the industry and of E3, and expressed understanding for the difficulties companies face in presenting playable demos and managing the resources needed to take part in the event.
E3 over the years
E3 2023 was supposed to be the first in-person E3 since 2019, because of the COVID-19 pandemic. An online version was held in 2021, while the 2022 edition had been cancelled to focus on new, possibly hybrid, formats. The cancellation of the 2023 edition came after several industry giants, including Microsoft, Nintendo, PlayStation and Ubisoft, had announced their absence from the event.
XLoader/FormBook: Encryption Analysis and Malware Decryption
Reading time: 6 minutes. XLoader is a stealer, the successor of FormBook

Today ANY.RUN’s malware analysts are happy to discuss the encryption algorithms of XLoader, also known as FormBook. And together we’ll decrypt the stealer’s strings and C2 servers.

Xloader is a stealer, the successor of FormBook. However, apart from the basic functionality, the unusual approaches to encryption and obfuscation of internal structures, code, and strings used in XLoader are also of interest. Let’s take a detailed look at the encryption of strings, functions, and C2 decoys.
Encryption in XLoader
First, we should look at the 3 main cryptographic algorithms used in XLoader. All three are modified algorithms: RC4, SHA1, and XLoader's own algorithm based on a virtual machine.
The modified RC4 algorithm
The modified RC4 algorithm is a standard RC4 with additional layers of sequential subtraction before and after the RC4 call. In code, one layer of subtractions looks like this (the subtractions are byte-wise, so each result wraps modulo 256):

```python
# encbuf: bytearray holding the ciphertext
# transform 1: right to left
for i in range(len(encbuf) - 1, 0, -1):
    encbuf[i-1] = (encbuf[i-1] - encbuf[i]) & 0xFF
# transform 2: left to right
for i in range(0, len(encbuf) - 1):
    encbuf[i] = (encbuf[i] - encbuf[i+1]) & 0xFF
```

The ciphertext bytes are subtracted from each other in sequence, first from right to left and then from left to right. In the XLoader code it looks like this:

Function performing RC4 encryption
The modified SHA1 algorithm
The SHA1 modification is a regular SHA1, but every 4 bytes are reversed:

```python
import hashlib

def reversed_dword_sha1(dat2hash: bytes) -> bytes:
    """Regular SHA1 digest with each 4-byte word byte-reversed."""
    hashed_data = hashlib.sha1(dat2hash).digest()  # the original used pycryptodome's SHA1.new()
    result = b""
    for i in range(5):
        result += hashed_data[4*i:4*i+4][::-1]
    return result
```
Xloader’s own virtual machine algorithm
The last algorithm is a virtual machine that generates one to four bytes of plaintext, depending on the current byte of the ciphertext. Usually, this algorithm is used as an additional encryption layer, which will be discussed later. The entry of the VM decryption routine looks like this:

An example of transformations in a virtual machine’s decryption routine
Decrypting XLoader Strings
Next, let’s investigate how the string encryption works in XLoader. All byte arrays containing encrypted strings or key information are located in special kinds of blobs.

An example of a blob with encrypted data
As you can see in the screenshot above, this blob is a function that returns a pointer to itself; the bytes we are looking for sit right below this function.
In order to decrypt strings, first a key is generated. The key is generated from 3 parts, to which the above-described functions are applied.

Key generation function to decrypt strings
Here K1_blob, K2_blob, and K3_blob are functions that return data from the blocks described above, and the string length is an argument for them.
The functions VM_Decrypt, RC4_with_sub_Layer and sha1_* are modified algorithms that we discussed earlier.
Schematically, the key generation algorithm can be represented by the diagram below, where E and K are the data and the key fed into the RC4 function, respectively, and K1, K2, and K3 are the data obtained from the K1_blob, K2_blob, and K3_blob functions.

Scheme of key generation to decrypt strings
The strings themselves are also stored as a blob and are covered by two layers of encryption:
- VM_decrypt
- RC4 that uses the key obtained above.
Note that RC4 is not applied to the whole blob at once.
After removing the first layer, the encrypted strings themselves are stored in the format:
encrypted string length – encrypted string
Consequently, to decrypt the strings we need to walk this structure and decrypt each string in turn.

Function for decrypting strings
Below is an example of the encrypted data after stripping the first layer. Length/string pairs for the first 3 encrypted strings are highlighted in red.

The first 3 encrypted strings
The same strings after decryption:

The first 3 lines after decoding
Along with the encrypted strings, the C2 decoys are also stored there. They are always located at the end of all the decrypted strings, delimited by the f-start and f-end strings.
Decrypting XLoader’s C2 Servers
Next, let’s see how the main C2 encryption works. The main C2 is located elsewhere in the code, so you can get it separately from the C2 decoys.

Code snippet demonstrating C2 decryption.
To decrypt it, 3 keys are used, just as for the strings. The C2 decryption scheme is shown below, where:
- EC2 is the encrypted C2
- DC2 is the decrypted C2
The algorithm itself is three sequential applications of RC4 with the 3 different keys.

C2 decoys’ decryption scheme
Also, in newer versions of XLoader the C2 decoys, which usually sit alongside all the other strings, turn out to be covered by an additional layer of encryption, and at first glance it is completely unclear where exactly these strings are decrypted. This is because XLoader has several entry points, each responsible for different, non-overlapping functionality, and many of its functions are themselves encrypted.
The C2 decoys are decrypted inside the XLoader instance injected into Explorer.exe, and in this case the result is passed to netsh.exe, which also hosts XLoader via APC injection.

The C2 life cycle in different XLoader modules
In order to understand how a C2 decoy is encrypted, first of all, you need to understand how the functions are encrypted.
It's actually quite simple. RC4 is used as the encryption algorithm; this time the key is hardcoded right in the code and then XORed with a 4-byte gamma.
After that, the pointers to the start and end of the function have to be found. A unique 4-byte value is placed at the beginning and at the end of each encrypted function; XLoader searches for these values and obtains the desired pointers.

Code snippet demonstrating the decryption of the function
Then the function is decrypted and control is handed to it, and it in turn searches for and decrypts the next function. This continues until the function holding the main functionality is decrypted and executed, so the functions have to be decrypted recursively.
The key used to decrypt the C2 decoys consists of 2 parts collected separately at two different exit points: one exit point yields the 20-byte protected key, and the second yields the 4-byte gamma used to decrypt that key.
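As an added example (this is not ANY.RUN's code and not code taken from an XLoader sample), the following Python re-implements, from the article's description alone, the RC4-based pieces discussed on this page: the modified RC4 with its subtraction layers from the "The modified RC4 algorithm" section together with its exact inverse, the walk over the "length, encrypted string" table with the f-start/f-end decoy markers, the triple-RC4 main C2, and the gamma-XORed key with the 4-byte function markers from this section. Where the article leaves a detail unstated, the code picks one and labels it as an assumption: a 1-byte length prefix, the key order k1, k2, k3 for the C2, the gamma repeating across the 20-byte key, the same 4-byte value delimiting both ends of a function, and the subtraction layers sitting on the decrypt side. All keys, strings, markers and blobs are constructed inside demo(); nothing comes from a real sample. The VM layer and the three-part key derivation are not reproduced, since the article shows them only as screenshots.

```python
"""Added example (not ANY.RUN's code, nor code lifted from an XLoader sample): the
RC4-based layers this article describes, re-implemented from the text. Assumptions
are marked in comments; every key, string, marker and blob below is constructed
here for the demonstration, not taken from a real sample."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def sub_layer(buf: bytes) -> bytes:
    """The article's subtraction passes: right-to-left, then left-to-right (mod 256)."""
    b = bytearray(buf)
    for i in range(len(b) - 1, 0, -1):
        b[i - 1] = (b[i - 1] - b[i]) & 0xFF
    for i in range(len(b) - 1):
        b[i] = (b[i] - b[i + 1]) & 0xFF
    return bytes(b)

def add_layer(buf: bytes) -> bytes:
    """Exact inverse of sub_layer: undo the second pass, then the first, by addition."""
    b = bytearray(buf)
    for i in range(len(b) - 2, -1, -1):
        b[i] = (b[i] + b[i + 1]) & 0xFF
    for i in range(1, len(b)):
        b[i - 1] = (b[i - 1] + b[i]) & 0xFF
    return bytes(b)

def xloader_rc4_decrypt(key: bytes, enc: bytes) -> bytes:
    """Modified RC4: subtraction layer, RC4, subtraction layer. Assumption: the
    subtractions sit on the decrypt side (the article's buffer is named encbuf)."""
    return sub_layer(rc4(key, sub_layer(enc)))

def xloader_rc4_encrypt(key: bytes, plain: bytes) -> bytes:
    """Inverse of xloader_rc4_decrypt; used here only to build test data."""
    return add_layer(rc4(key, add_layer(plain)))

def parse_string_table(blob: bytes, key: bytes) -> list:
    """Walk the 'length, encrypted string' pairs left after the VM layer and RC4-decrypt
    each entry on its own. Assumption: a 1-byte length prefix."""
    out, pos = [], 0
    while pos < len(blob):
        n, enc = blob[pos], blob[pos + 1:pos + 1 + blob[pos]]
        if len(enc) != n:
            raise ValueError("truncated string table at offset %d" % pos)
        out.append(rc4(key, enc))
        pos += 1 + n
    return out

def split_decoys(strings: list) -> tuple:
    """C2 decoys sit at the end of the table, bracketed by 'f-start' and 'f-end'."""
    if b"f-start" not in strings or b"f-end" not in strings:
        return strings, []
    a, b = strings.index(b"f-start"), strings.index(b"f-end")
    return strings[:a], strings[a + 1:b]

def decrypt_c2(ec2: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """Main C2: RC4 applied three times in sequence. Assumption: key order k1, k2, k3."""
    return rc4(k3, rc4(k2, rc4(k1, ec2)))

def unprotect_key(protected: bytes, gamma: bytes) -> bytes:
    """Hardcoded key XORed with the 4-byte gamma. Assumption: gamma repeats over the key."""
    return bytes(b ^ gamma[i % 4] for i, b in enumerate(protected))

def find_encrypted_function(image: bytes, marker: bytes) -> bytes:
    """Bytes between the unique 4-byte value placed at the start and at the end of an
    encrypted function. Assumption: the same value is used at both ends."""
    start = image.index(marker) + len(marker)
    return image[start:image.index(marker, start)]

def demo() -> dict:
    """Build constructed ciphertexts with the inverse routines, then recover them."""
    key = b"\x13\x37" * 10  # constructed stand-in for the derived 20-byte key
    table = [b"ntdll.dll", b"netsh.exe", b"f-start",
             b"www.decoy-one.example/", b"www.decoy-two.example/", b"f-end"]
    blob = b"".join(bytes([len(s)]) + rc4(key, s) for s in table)
    strings, decoys = split_decoys(parse_string_table(blob, key))
    k1, k2, k3 = b"key-one", b"key-two", b"key-three"
    ec2 = rc4(k1, rc4(k2, rc4(k3, b"www.real-c2.example/panel/")))
    gamma = b"\xde\xad\xbe\xef"
    image = b"\x90\x90MRK1" + xloader_rc4_encrypt(key, b"\x55\x8b\xec") + b"MRK1\xcc"
    return {"strings": strings, "decoys": decoys,
            "c2": decrypt_c2(ec2, k1, k2, k3),
            "key": unprotect_key(unprotect_key(key, gamma), gamma),  # XOR undoes itself
            "function": xloader_rc4_decrypt(key, find_encrypted_function(image, b"MRK1"))}
```

demo() builds each ciphertext with the inverse routine and then recovers it, so the returned dict holds the plain strings, the two decoys, the main C2, the unprotected key and the function body. In a real extraction the same routines would be fed the bytes the article points to: the blob below the self-returning function, the encrypted C2, and the two key parts collected at the exit points.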
Example of extracted XLoader malware configuration
Applying the above algorithms we can extract the configuration from Xloader, including C2, C2 decoys, and strings. For your convenience, we have integrated automatic extraction of the Xloader configuration into ANY.RUN interactive sandbox — just run the sample and get all the IOCs in seconds.


Extracted malware configuration in ANY.RUN
Examples of successfully executed samples:
Sum it up
In this article we discussed the encryption in the XLoader stealer. It is based both on add-ons to existing algorithms and on self-written algorithms.
The trickiest parts of the decryption process are the key generation and the fact that XLoader's functionality is split into modules that can run in different processes. Because of this, in order to extract the strings we have to decrypt the executable code as well, among other things.
Fortunately, ANY.RUN is already set up to detect this malware automatically, making the relevant configuration details just a click away.
Appendix
Analyzed files
Sample with new C2 decoys encryption
| Title | Description |
|---|---|
| Name | MT10320221808-004. pdf.exe |
| MD5 | b7127b3281dbd5f1ae76ea500db1ce6a |
| SHA1 | 6e7b8bdc554fe91eac7eef5b299158e6b2287c40 |
| SHA256 | 726fd095c55cdab5860f8252050ebd2f3c3d8eace480f8422e52b3d4773b0d1c |
Sample without C2 decoys encryption
| Title | Description |
|---|---|
| Name | Transfer slip.exe |
| MD5 | 1b5393505847dcd181ebbc23def363ca |
| SHA1 | 830edb007222442aa5c0883b5a2368f8da32acd1 |
| SHA256 | 27b2b539c061e496c1baa6ff071e6ce1042ae4d77d398fd954ae1a62f9ad3885 |