Xillen Stealer, a sophisticated Python-based information stealer, has emerged as a significant threat in the cybercriminal landscape.
Originally identified by Cyfirma in September 2025, this cross-platform malware has recently evolved into versions 4 and 5, introducing a dangerous arsenal of features designed to steal sensitive credentials, cryptocurrency wallets, and system information while evading modern security systems.
The malware targets data across more than 100 browsers and over 70 cryptocurrency wallets, positioning itself as a comprehensive credential harvesting tool marketed through Telegram channels.
The malware operates through a professional-looking interface that allows attackers to manage exfiltrated data, monitor infections, and view configuration settings.
Xillen Stealer’s functionality extends far beyond basic information theft.
It captures browser data including history, cookies, and saved passwords, while simultaneously targeting password managers like OnePass, LastPass, BitWarden, and Dashlane.
The stealer also focuses on collecting developer credentials, cloud configurations from AWS, GCP, and Azure, alongside SSH keys and database connection information.
Darktrace security analysts noted that the latest versions introduce an innovative approach to targeting high-value victims.
The malware includes an AITargetDetection class designed to identify valuable targets based on weighted indicators and specific keywords.
It searches for cryptocurrency wallets, banking credentials, premium accounts, and developer access, while prioritizing victims in wealthy countries including the United States, United Kingdom, Germany, and Japan.
Although the implementation currently relies on rule-based pattern matching rather than actual machine learning, it demonstrates how threat actors plan to integrate AI into future campaigns.
Xillen Stealer
The most concerning aspect of Xillen Stealer lies in its advanced evasion capabilities. The AIEvasionEngine module employs multiple techniques to bypass security systems.
.webp "Xillen Stealer With New Advanced Features Evade AI Detection and Steal Sensitive Data from Password Managers 3")
These include behavioral mimicking that simulates legitimate user actions, noise injection to confuse behavioral classifiers, timing randomization with irregular delays, and resource camouflage designed to imitate normal applications.
The malware further employs API call obfuscation and memory access pattern alterations to defeat machine learning-based detection systems.
Additionally, the Polymorphic Engine transforms code through instruction substitution, control flow obfuscation, and dead code injection to ensure each sample appears unique, preventing signature-based detection.
For data exfiltration, Xillen Stealer implements a peer-to-peer command-and-control structure leveraging blockchain transactions, anonymizing networks like Tor and I2P, and distributed file systems.
The malware creates HTML and TXT reports containing stolen data and sends them to attackers’ Telegram accounts.
Security professionals must remain vigilant against this evolving threat, as its combination of credential theft, detection evasion, and adaptive targeting capabilities represents a significant risk to both individual users and enterprise environments.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
