Monday, June 16, 2025
HomeCyber AttackHackers Use XLL Files to Deliver Obfuscated Version of JSSLoader

Hackers Use XLL Files to Deliver Obfuscated Version of JSSLoader

Published on

SIEM as a Service

Follow Us on Google News

Recently it has been observed that Morphisec Labs has witnessed a new wave of JSSLoader infections this year. JSSLoader activity has been tracked by Morphisec Labs since December 2020, and a comprehensive report has been released on the JSS loader used by the Russian hacker group FIN7 (aka Carbanak).

In addition to exfiltrating data, establishing persistence, fetching and loading additional payloads, and auto-updating, JSSLoader is also able to establish persistence for external payloads.

In short, the JSSLoader RAT (remote access trojan) is an extremely capable, but small RAT. And the new version of JSSLoader is delivered by attackers via.XLL files.

- Advertisement - Google News

Infection chain & XLL Excel add-ins

Morphisec Labs threat analysts observed the new campaign that involves a stealthier version of JSSLoader. This infection chain also works similarly to other XLL infections, where the victim has an email with a malicious attachment, either an XLM or an XLL file attached to it.

Upon downloading and executing the attachment, Microsoft Excel executes the malicious code comprised within the “.xll” file, and after that from a remote server downloads the payload.

Excel’s XLL add-ins are commonly misused to import data into a worksheet or extend Excel’s functionality, though they are commonly used for legitimate purposes.

In the early stages of malware infection, an Excel add-in with an XLL extension is used to download JSSLoader to an infected computer. When the user executes the file, a popup appears since the file is not signed.

Excel calls the xlAutoOpen function whenever an XLL file is activated, so every XLL must implement and export this function. The malware executes the mw_download_and_execute function while loading itself, the “.XLL” file, into memory.

Sophisticated Obfuscation

To evade EDRs that consolidate detection information from the entire network, the threat actor regularly updates the User-Agent on the XLL files. 

With the new JSSLoader, the execution flow is the same, but it has been enhanced with string obfuscation, which encloses all the renaming variables and functions.

Here the RATs have split strings into substrings, after which they concatenate them at runtime to evade detection from string-based YARA rules used by defenders.

To evade the static threat scanners the threat actors leave a minimal footprint and reduce the chances of being detected by string decoding mechanism.

However, as a result of this new addition, and the use of XLL file delivery, it will be more complex and difficult for the next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions to detect.

In short, a majority of NGAV and EDR solutions do not detect day zero.XLL files that hide the JSSLoaders, become next to impossible.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Fog Ransomware Uses Pentesting Tools to Steal Data and Launch Attacks

Fog ransomware incidents in recent years have exposed a dangerous new trend in cybercrime:...

JSFireTruck Obfuscation Helps Cybercriminals Hijack Trusted Sites with Malicious JavaScript

A sophisticated and extensive cyber attack campaign has been uncovered, in which threat actors...

Cybercriminals Exploiting Expired Discord Invite Links to Deploy Multi-Stage Malware

Recent investigations by Check Point Research have uncovered a sophisticated malware campaign that leverages...