APT / Threat Group | Espionage | Advanced

XRed

2 aliases. Last seen: Mar 17, 2026

Intelligence Profile

According to eSentire, XRed, also known as the Synaptics worm, is a backdoor that has been circulating since at least 2019. It was initially distributed through drivers bundled with USB-C hub adapters, which served as its primary infection vector.

Once executed, the backdoor self-replicates and creates a Windows Registry Run key to maintain persistence. It uses a mutex named Synaptics2X to ensure that only one instance of the malware runs at a time.

XRed includes several features for remote control and data exfiltration. It can download additional payloads from URLs hardcoded in its binary. It collects system information, such as the MAC address, username, and computer name, and sends it via SMTP to hardcoded email addresses. It also implements keylogging through keyboard hooking. XRed supports a range of remote commands that give the operator command prompt access and let them capture screenshots, list available disks and directories, download files from remote sources, and delete files on the infected system.

XRed also behaves like a worm: it spreads to USB drives by creating an autorun.inf file, and it infects macro-enabled Excel files (.xlsm) by injecting a malicious VBA macro into them.

The malware uses a hardcoded dynamic DNS domain, xred.mooo.com, to reach its command and control server; this domain is an identifying feature of the malware. eSentire researchers also note that linguistic evidence in the malware's code suggests the developer is a native Turkish speaker.
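The profile above lists several host-observable behaviours (the Synaptics2X mutex, a Run-key entry, the xred.mooo.com dynamic DNS lookup, an autorun.inf written to a removable drive, and writes to .xlsm files by a non-Excel process). The following is an added example, not from the original page or from eSentire, showing how a defender might turn those indicators into a small per-process triage rule. The telemetry lines and the key=value field names (kind, pid, op, key, path, query, image) are constructed for this example and do not correspond to any real EDR schema; the Run-key value name "Synaptics" and the file paths in the sample are likewise constructed.

```python
"""Per-process triage of XRed / Synaptics worm indicators over constructed telemetry.

Added example; not code from the original page or from eSentire. The log
format and field names are assumptions for illustration only.
"""
import re

# Indicators taken from the profile text.
XRED_MUTEX = "Synaptics2X"
XRED_C2_DOMAIN = "xred.mooo.com"
# Behavioural patterns described in the profile.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
AUTORUN_RE = re.compile(r"^[A-Z]:\\autorun\.inf$", re.IGNORECASE)
XLSM_RE = re.compile(r"\.xlsm$", re.IGNORECASE)

# Hits that identify XRed on their own versus generic behaviours that need corroboration.
STRONG = {"xred_mutex", "xred_c2_domain"}

# Constructed sample telemetry (key=value per line; quoted values may contain spaces).
SAMPLE_LOG = """\
kind=mutex pid=4120 name=Synaptics2X
kind=registry pid=4120 op=set key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Synaptics" value="C:\\ProgramData\\Synaptics\\Synaptics.exe"
kind=dns pid=4120 query=xred.mooo.com
kind=file pid=4120 op=create path="E:\\autorun.inf" image=Synaptics.exe
kind=file pid=4120 op=write path="C:\\Users\\alice\\Documents\\budget.xlsm" image=Synaptics.exe
kind=mutex pid=7777 name=Global\\SomeUpdater
kind=dns pid=7777 query=update.example.com
kind=registry pid=9001 op=set key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive" value="C:\\Users\\alice\\OneDrive.exe"
kind=file pid=9001 op=write path="C:\\Users\\alice\\Documents\\report.xlsm" image=EXCEL.EXE
"""


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value' telemetry line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def classify(event: dict) -> list:
    """Return the indicator names matched by a single event."""
    hits = []
    kind = event.get("kind", "")
    if kind == "mutex" and event.get("name") == XRED_MUTEX:
        hits.append("xred_mutex")
    if kind == "registry" and RUN_KEY_RE.search(event.get("key", "")):
        hits.append("run_key_persistence")
    if kind == "dns" and event.get("query", "").lower() == XRED_C2_DOMAIN:
        hits.append("xred_c2_domain")
    if kind == "file":
        path = event.get("path", "")
        if AUTORUN_RE.match(path):
            hits.append("removable_autorun")
        # Excel itself legitimately writes .xlsm; anything else doing so is suspicious.
        elif XLSM_RE.search(path) and event.get("image", "").lower() != "excel.exe":
            hits.append("xlsm_write")
    return hits


def assess(log_text: str) -> dict:
    """Group indicator hits per pid and give each process a verdict.

    A strong indicator (mutex or C2 domain) is enough on its own; otherwise at
    least two distinct behavioural hits from the same process are required.
    """
    per_pid = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        per_pid.setdefault(event.get("pid", "?"), set()).update(classify(event))
    result = {}
    for pid, hits in per_pid.items():
        if hits & STRONG:
            verdict = "xred_indicator"
        elif len(hits - STRONG) >= 2:
            verdict = "xred_like_behaviour"
        else:
            verdict = "benign"
        result[pid] = {"hits": sorted(hits), "verdict": verdict}
    return result


if __name__ == "__main__":
    for pid, info in assess(SAMPLE_LOG).items():
        print(f"pid {pid}: {info['verdict']} {info['hits']}")
```

The two-tier verdict matters in practice: a Run-key write or a single .xlsm modification is common on any workstation, so those only escalate when they co-occur in one process, while the mutex name and the xred.mooo.com lookup are specific enough to alert on directly.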

Threat Analysis

XRed is an advanced-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of espionage.

The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.

Classified as an advanced threat actor, XRed likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.

Quick Facts

Type: APT / Threat Group
Motivation: espionage
Sophistication: advanced
Aliases: 2

Also Known As

win.xred, XRed

External Intelligence

Malpedia: win.xred

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.