Pierluigi Paganini January 02, 2024

JinxLoader is a new Go-based loader that was spotted delivering next-stage malware such as Formbook and XLoader.

Researchers from Palo Alto Networks and Symantec warned of a new Go-based malware loader called JinxLoader, which is being used to deliver next-stage payloads such as Formbook and XLoader. The name of the threat comes from a League of Legends character.

Palo Alto Networks’s Unit 42 first observed the malware in November 2023 reporting that it has been advertised on the hacking forum Hackforums since April 30, 2023. The attack spotted by the researchers used phishing messages posing as Abu Dhabi National Oil Company (ADNOC). The content of the messages attempted to trick the recipients into opening a password-protected RAR archive. Once the archive is opened, the infection chain starts leading to the deployment of the JinxLoader payload.

The author of the loader is offering it for $60 a month or $120 a year, while the lifetime license goes for $200.

Unit42 researchers reported that the infection chain is composed of eight steps:

“A new Go-written loader, dubbed JinxLoader, is making rounds in underground forums. Reports indicate its recent usage in malicious emails, loading threats like Formbook.” reads the bulletin published by Symantec. “The malware pays homage to League of Legends character Jinx, featuring the character on its ad poster and C2 login panel. JinxLoader’s primary function is straightforward – loading malware.”

Unit42 published indicators of compromise (IoCs) for this threat.

On Christmas Eve, Resecurity’s HUNTER unit spotted a new version of the infostealer Meduza (2.2). One of the key significant improvements are support of more software clients (including browser-based cryptocurrency wallets), upgraded credit card (CC) grabber, and additional advanced mechanisms for password storage dump on various platforms to extract credentials and tokens. Altogether, Meduza makes a great competitor to Azorult, Redline, Racoon, and Vidar Stealer used by cybercriminals for account takeover (ATO), online-banking theft, and financial fraud.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, JinxLoader)