One of the Most Devious Malware Strains Might Have Been Cracked - and It’s All Thanks to Gen AI

TL;DR: Check Point Research used ChatGPT-powered GenAI to semi-automate reverse engineering of the notorious XLoader infostealer. The AI-assisted approach decrypted core code, revealed 64 hidden C2 domains, and discovered a new sandbox evasion mechanism, transforming a tedious manual process into a faster, repeatable workflow.

Cybersecurity researchers from Check Point Research may have just cracked one of the most devious malware families to have ever existed, thanks to Generative Artificial Intelligence (GenAI).

The Challenge of Analysing XLoader

Analysing malware is traditionally a slow, manual process that requires researchers to “unpack binaries, trace functions, and build decryption scripts”. Analysing XLoader—an infamous infostealer that’s been around for roughly half a decade—is even more difficult because it actively resists sandbox analysis.

That’s when Check Point turned to AI for assistance. Using ChatGPT, the researchers combined two complementary workflows: cloud-based static analysis and MCP-assisted runtime analysis.

The AI-Assisted Approach

The first workflow exports data from IDA Pro and lets the AI analyse it in the cloud. “The model identified encryption algorithms, recognised data structures, and even generated Python scripts to decrypt sections of code,” the researchers explained.

The second connected the AI to a live debugger to extract runtime values such as encryption keys, decrypted buffers, and in-memory C2 data. “This hybrid AI workflow turned tedious manual reverse engineering into a semi-automated process that’s faster, repeatable, and easy to share across teams.”
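The kind of helper the two workflows hand back and forth, as an added example that is neither Check Point’s code nor a description of XLoader’s real encryption scheme: it assumes a configuration blob XORed with a short repeating key that the debugger step recovered, uses the printable-byte ratio as a sanity check that the key is right, and only then scans the plaintext for C2 domains. Every value in it is constructed.

```python
import re

# Constructed sample values; not taken from XLoader or the Check Point write-up.
SAMPLE_KEY = b"k3y!"
SAMPLE_PLAINTEXT = b"c2-alpha.example\x00c2-beta.example\x00\x01\x02\x03"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is symmetric, so the same call
    builds the sample blob and decrypts it again (an assumed scheme, not XLoader's)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes in the printable ASCII range: a cheap check that a
    candidate key produced text rather than more noise."""
    if not buf:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in buf) / len(buf)


# Domain-shaped tokens: one or more dotted labels followed by an alphabetic TLD.
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def extract_domains(buf: bytes) -> list[str]:
    """Pull domain-shaped strings out of a decrypted buffer, de-duplicated and sorted."""
    return sorted({m.decode("ascii") for m in DOMAIN_RE.findall(buf.lower())})


def build_sample_blob() -> bytes:
    """Constructed stand-in for an encrypted config section dumped from memory."""
    return xor_with_key(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def recover_c2_domains(blob: bytes, key: bytes, min_printable: float = 0.75) -> list[str]:
    """Decrypt with the recovered key, reject keys that only yield noise,
    then scan the plaintext for C2 candidates."""
    plain = xor_with_key(blob, key)
    if printable_ratio(plain) < min_printable:
        return []
    return extract_domains(plain)


if __name__ == "__main__":
    blob = build_sample_blob()
    print("printable ratio (encrypted):", round(printable_ratio(blob), 2))
    print("printable ratio (decrypted):", round(printable_ratio(xor_with_key(blob, SAMPLE_KEY)), 2))
    print("C2 candidates:", recover_c2_domains(blob, SAMPLE_KEY))
```

The printable-ratio gate is the part worth keeping when the real cipher and key come from a debugger session: it stops a wrong key from producing a plausible-looking but empty domain list, which is exactly the silent failure a semi-automated pipeline would otherwise propagate to the next step.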

Significant Results

Check Point was impressed with the results. They claim to have:

  • Decrypted core code
  • Revealed encryption layers
  • Unmasked hidden APIs
  • Recovered 64 hidden C2 domains
  • Discovered a new sandbox evasion mechanism called “secure-call trampoline”

In short, AI helped unpack how XLoader hides, communicates, and protects itself—crucial information in the fight against infections.

AI as a Force Multiplier, Not a Replacement

Still, Check Point stressed that despite the impressive results, AI “doesn’t replace malware analysts” but rather “supercharges” them with speed, reproducibility, insight, and defence capabilities.

Context: XLoader’s Evolution

Earliest records of XLoader date back to 2021, when Check Point Research saw it in the wild stealing data from macOS users. It evolved from the infamous Formbook malware that, at the time, had been active for over five years.

Whilst Formbook was initially created to be a simple keylogger, it was upgraded and rebranded as XLoader. Formbook was used primarily to target Windows users, whereas XLoader expanded its reach to macOS systems.

Looking Forward

This breakthrough demonstrates practical applications for GenAI in cybersecurity beyond threat detection. By accelerating the reverse engineering process, security researchers can analyse sophisticated malware strains more quickly, identify evasion techniques faster, and develop defences before threats become widespread.

The hybrid approach—combining AI-powered static analysis with runtime debugging—suggests a model for other complex security research tasks where automation alone isn’t sufficient but human expertise combined with AI assistance can achieve significantly better results.
