(Somewhat confusingly, there’s also an Android malware called XLoader, which isn’t the same thing.) XLoader is derived from an existing Windows malware called Formbook, which is the fourth-most prevalent malware family. Formbook has seen use in broad spam campaigns aimed at larger global organizations.
The attack vector’s simple: Victims are tricked into downloading the malware using maliciously crafted Word documents.
