XLoader has been plaguing macOS users since it was first discovered in 2021. Back then, though, it only posed a threat to those who opted to install Java on their systems. That’s no longer the case, however, as its latest variant, encased in compromised OfficeNote installation packages (currently in beta mode), can cause damage to any macOS devices.

SentinelOne published 19 indicators of compromise (IoCs)—15 domains (extracted from the reported host names) and four IP addresses—for the latest XLoader variant, which we at WhoisXML API subjected to a DNS deep dive. Our probe led to the discovery of:

• 24 unreported IP resolutions, 19 of which turned out to be malicious based on a bulk malware check
• 53 domains that shared some of the IoCs’ dedicated IP hosts, three of which have been tagged as malicious
• 446 domains that contained text strings found among some of the IoCs

A sample of the additional artifacts obtained from our analysis is available for download from our website.

XLoader Infrastructure Revelations

We began our DNS probe with a bulk WHOIS lookup for the 15 domains identified as XLoader IoCs and found that:

• The domains were distributed among eight registrars topped by GoDaddy.com, Google, and Namecheap, each accounting for three IoCs.
• All of the domains were newly created, between May and August 2023.
• All of the IoCs’ registrant email addresses have been either redacted or privacy protected.
• Only one of the 15 domains—qhsbobfv[.]top—had a publicly viewable registrant name written in Chinese.
• The IoCs were spread across six registrant countries topped by Canada and the U.S. (five domains each) and Iceland (two domains).

A bulk IP geolocation lookup for the four IP addresses tagged as IoCs followed, which led to these discoveries:

• The IP addresses originated in two countries—three in the U.S. and one in Japan.
• Each IoC was administered by a different Internet service provider (ISP), namely, Namecheap, Inc.; Hostinger International Limited; Google LLC; and Rackip Consultancy Pte. Ltd.

Note that a comparison of the domains and IP addresses classified as XLoader IoCs revealed these similarities:

• Only the U.S. was named both domain registrant and IP geolocation country.
• Namecheap, Hostinger, and Google appeared as both registrars and ISPs.

XLoader IoC DNS Probe Findings

Next, we began our list expansion with DNS lookups for the domains identified as IoCs. That led to the discovery of 27 IP resolutions for 11 domains, three of which were already part of SentinelOne’s list. None of the domains with active IP resolutions shared any of the identified hosts.

A bulk IP geolocation lookup for the 24 additional IP addresses revealed that:

• Twenty-one of the unreported IP resolutions shared the IoCs’ geolocation countries—20 from the U.S. and one from Japan.
• The remaining three unpublished IP resolutions were spread across two countries—two from Canada and one from India.
• Six of the additional IP resolutions shared the three of the IoCs’ ISPs—Google, Hostinger, and Rackip Consultancy.

A bulk malware check for the unreported IP resolutions showed that 19 were malicious.

Our DNS lookups also revealed that six of the now 27 IP addresses in total—the three identified as IoCs and 24 additional resolutions—were seemingly dedicated. They hosted a total of 53 unique domains, three of which turned out to be malicious according to a bulk malware check.

Screenshot lookups for the three malicious IP-connected domains showed they continued to host or lead to live pages. Artkit[.]top led to an e-commerce shop while both e6796[.]com and e9579[.]com led to an app store.

Next, we used text strings found among the 15 domains identified as IoCs to look for similar-looking XLoader artifacts via Domains & Subdomains Discovery. Specifically, we looked for domains containing, or in certain cases starting, with the strings:

• spv88.
• raveready.
• qq9122.
• qhsbobfv.
• pinksugarpopmontana.
• nationalrecoveryllc.
• mommachic.
• lushespets.
• kiavisa.
• hatch.
• growind.
• corkagenexus.
• brioche-amsterdam.
• akrsnamchi.
• activ-ketodietakjsy620.

Our DNS foray uncovered 446 string-connected domains.

Finally, we know from the SentinelOne post that XLoader targets macOS and soon-to-launch app OfficeNote. We thus used the brands as Domains & Subdomains Discovery search terms (exactly matched macos and contained officenote) to look for subdomains that could figure in future campaigns, possibly phishing attacks against the brands or their users. We found 492 brand-containing subdomains in total.

Bulk WHOIS lookups for the macos and officenote subdomains revealed that:

• The 469 macos subdomains all fell under different domains, only one of which—macOS’s official domain macos[.]apple[.]com, was publicly attributable to Apple, Inc.
• The 23 officenote subdomains fell under 10 domains, none of which could be publicly attributed to the app’s developer—Jiransoft Co. Ltd.

Our XLoader DNS deep dive led to the discovery of more than 500 possibly connected artifacts. It also allowed us to uncover close to 500 subdomains containing the two brands the threat actors trailed their sights on—macOS and OfficeNote.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.