Thursday, May 1, 2025
HomeCyber Security NewsBeware Of Malicious SharePoint Notifications That Delivers Xloader Malware

Beware Of Malicious SharePoint Notifications That Delivers Xloader Malware

Published on

SIEM as a Service

Follow Us on Google News

Through the use of XLoader and impersonating SharePoint notifications, researchers were able to identify a sophisticated malware delivery campaign. 

A link that was disguised as a legitimate SharePoint notification was included in the emails that were sent out at the beginning of the attack. 

message that looks like a legitimate SharePoint share with an Open files link
message that looks like a legitimate SharePoint share with an Open files link

The engine flagged the message as malicious based on several factors: computer vision detected a spoofed Microsoft logo and fake SharePoint template, the LinkAnalysis service traced suspicious redirects and downloaded the linked files for analysis, and the email sender failed SPF authentication. 

- Advertisement - Google News

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

After clicking on the link, a series of cumbersome steps were presented to the user, and the file that was downloaded was a ZIP archive that contained an AutoIT script. 

bfuscated text stored in a single parameter.
bfuscated text stored in a single parameter.

The script, when executed, downloaded another archive containing shellcode, which was then injected into a legitimate Windows process (likely via reflective DLL injection) using a technique involving double references to system libraries like ntdll.dll. 

The newly injected process likely functioned as the final payload, potentially establishing communication with the attacker’s Command and Control (C2) server for further malicious activity like information theft. 

Svchost.exe properties
Svchost.exe properties

The analysis by Sublime Security highlights the evolving tactics of malware campaigns, employing social engineering with impersonation, multi-stage delivery with obfuscation and scripting, and process injection for payload execution. 

An initial AutoIT and shellcode components of this sample exhibit strong indicators of Trickgate activity, which aligns with documented

Trickgate tactics, including Xloader deployment and the use of techniques highly similar to those observed in the AutoIT component.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Managing Shadow IT Risks – CISO’s Practical Toolkit

Managing Shadow IT risks has become a critical challenge for Chief Information Security Officers...

Application Security in 2025 – CISO’s Priority Guide

Application security in 2025 has become a defining concern for every Chief Information Security...

Preparing for Quantum Cybersecurity Risks – CISO Insights

Quantum cybersecurity risks represent a paradigm shift in cybersecurity, demanding immediate attention from Chief...

Securing Digital Transformation – CISO’s Resource Hub

In today’s hyper-connected world, securing digital transformation is a technological upgrade and a fundamental...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Netgear EX6200 Flaw Enables Remote Access and Data Theft

Security researchers have disclosed three critical vulnerabilities in the Netgear EX6200 Wi-Fi range extender...

Tesla Model 3 VCSEC Vulnerability Lets Hackers Run Arbitrary Code

A high security flaw in Tesla’s Model 3 vehicles, disclosed at the 2025 Pwn2Own...

Apache ActiveMQ Vulnerability Lets Remote Hackers Execute Arbitrary Code

A high vulnerability in Apache ActiveMQ’s .NET Message Service (NMS) library has been uncovered,...