APT / THREAT GROUP
XehookStealer
2
aliases
Last seen:Mar 17, 2026
Intelligence Profile
Xehook is a .NET-based malware targeting Windows systems. It collects data from Chromium and Gecko browsers, supporting over 110 cryptocurrencies and 2FA extensions. CRIL found a potential link between Xehook Stealer, Agniane, and the Cinoshi project, suggesting a progression from a free MaaS model to the development of Xehook Stealer. SmokeLoader binaries were identified as a common vector for distributing Xehook Stealer. Xehook Stealer shares code overlaps with Agniane Stealer, indicating an evolutionary relationship.
Threat Analysis
XehookStealer is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.
External References
Quick Facts
TypeAPT / Threat Group
Aliases2
Also Known As
win.xehookXehookStealer
External Intelligence
Malpedia: win.xehookResearch Links
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.