XORIndex Loader is a XOR-encoded loader that collects host data, decodes follow-on scripts and acts as a downloader for the BeaverTail malware. XORIndex Loader was first reported in June 2025. XORIndex Loader has been leveraged by North Korea-affiliated threat actors identified as Contagious Interview. XORIndex Loader has been delivered to victims through code repository sites utilizing typosquatting naming conventions of various npm packages.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | XORIndex Loader has used HTTPS POST to communicate with C2.[1] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | XORIndex Loader has executed malicious JavaScript code.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | XORIndex Loader can decode its payload prior to execution.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | XORIndex Loader has exfiltrated victim data using HTTPS POST requests to its C2 servers.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | XORIndex Loader has been used to download a malicious payload, including BeaverTail.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | XORIndex Loader has leveraged legitimate package names to mimic frequently utilized tools to entice victims to download and execute malicious payloads.[1] |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | XORIndex Loader has obfuscated strings using ASCII buffers and TextDecoder.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | XORIndex Loader has encoded module names and C2 URLs as hexadecimal strings in attempts to evade analysis.[1] |
| Enterprise | T1082 | System Information Discovery | XORIndex Loader has the ability to collect the hostname, OS username, geolocation, and OS version of an infected host.[1] |
| Enterprise | T1614 | System Location Discovery | XORIndex Loader can identify the geographical location of a victim host.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | XORIndex Loader has leveraged web services to identify the public IP of the victim host.[1] |
| Enterprise | T1033 | System Owner/User Discovery | XORIndex Loader has collected the username from the victim host.[1] |
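The two string-obfuscation rows above (ASCII buffers decoded with TextDecoder, and module names and C2 URLs stored as hexadecimal strings) are patterns an analyst can triage statically in a suspect npm package. The following is an added example, not code from the ATT&CK page or from the malware; the sample source text, its hex values and the `example.invalid` URL are constructed for the demonstration.

```javascript
// Added example: a static triage helper that flags hexadecimal string literals
// decoding to readable ASCII (hidden module names or URLs) and TextDecoder calls
// over literal numeric byte arrays in JavaScript source text.

// Quoted run of at least 4 hex-encoded bytes.
const HEX_LITERAL = /['"`]((?:[0-9a-fA-F]{2}){4,})['"`]/g;
// new TextDecoder(...).decode(new Uint8Array([...])) or .decode([...]) over a literal array.
const TEXTDECODER_CALL =
  /new\s+TextDecoder\s*\([^)]*\)\s*\.decode\s*\(\s*(?:new\s+Uint8Array\s*\()?\s*\[([\d\s,]+)\]/g;

function isPrintableAscii(s) {
  return /^[\x20-\x7e]+$/.test(s);
}

// Returns one finding per suspicious construct, carrying the decoded text so an
// analyst can see which module name or URL the literal was hiding.
function triageSource(src) {
  const findings = [];
  for (const m of src.matchAll(HEX_LITERAL)) {
    const decoded = Buffer.from(m[1], 'hex').toString('latin1');
    if (isPrintableAscii(decoded)) {
      findings.push({ kind: 'hex-string', decoded, offset: m.index });
    }
  }
  for (const m of src.matchAll(TEXTDECODER_CALL)) {
    const bytes = m[1].split(',').map((n) => parseInt(n.trim(), 10));
    findings.push({ kind: 'textdecoder-array', decoded: String.fromCharCode(...bytes), offset: m.index });
  }
  return findings;
}

// Constructed sample mimicking the described obfuscation; the values are not real indicators.
const SAMPLE = `
const mod = require(Buffer.from('6874747073', 'hex').toString());
const endpoint = '68747470733a2f2f6578616d706c652e696e76616c69642f6170692f7265706f7274';
const field = new TextDecoder().decode(new Uint8Array([104, 111, 115, 116, 110, 97, 109, 101]));
`;

console.log(triageSource(SAMPLE));
```

Run against a package's unpacked `.js` files, the findings list gives a quick view of what a loader is hiding before any dynamic analysis is attempted.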
| ID | Name | References |
|---|---|---|
| G1052 | Contagious Interview | |