Latest Variant of DJVU Ransomware ‘Xaro’ Disguised as Cracked Software

Nov 29, 2023 | Newsroom | Ransomware / Cyber Threats


A variant of a ransomware strain known as DJVU has been observed to be distributed in the form of cracked software.

“While this attack pattern is not new, incidents involving a DJVU variant that adds the .xaro extension to affected files and demands a ransom for a decryptor have been observed to infect systems with a wide variety of commodity loaders and infostealers,” Cybereason security researcher Ralph Villanueva says.

The new variant is codenamed Xaro by the American cybersecurity firm.

DJVU, itself a variant of the STOP ransomware family, typically arrives disguised as legitimate services or applications. It is also delivered as a payload of SmokeLoader.


A key aspect of DJVU attacks is the deployment of additional malware, such as information stealers (for example, RedLine Stealer and Vidar), which makes them more damaging in nature.

In the latest attack chain documented by Cybereason, Xaro was distributed as an archive file from a suspicious source masquerading as a site offering legitimate freeware.

Opening the archive file leads to the execution of a supposed installer binary for the PDF-writing software CutePDF which is, in fact, a pay-per-install malware downloader service known as PrivateLoader.

PrivateLoader, for its part, establishes contact with a command-and-control (C2) server to retrieve a wide range of stealer and loader malware families such as RedLine Stealer, Vidar, Lumma Stealer, Amadey, SmokeLoader, Nymaim, GCleaner, XMRig, and Fabookie, in addition to dropping Xaro.

“This shotgun-approach to downloading and executing commodity malware is commonly observed in PrivateLoader infections originating from suspicious freeware or cracked software sites,” Villanueva explained.

The goal appears to be twofold: to gather and exfiltrate sensitive information for double extortion, and to ensure the attack succeeds even if one of the payloads is blocked by security software.


Xaro, besides spawning an instance of the Vidar infostealer, encrypts the files on the infected host before dropping a ransom note that urges the victim to contact the actor. The note demands $980 for the private key and decryptor tool, a price that drops by 50% to $490 if the victim reaches out within 72 hours.
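As an added illustration of how a defender might catch this final stage on a host, the following Python script (written for this article, not code from Cybereason or the malware) scans file-rename events for a burst of renames to the .xaro extension by a single process. The log line format, the process paths, the sample events and the window/threshold values are all constructed assumptions for the example; the only fact taken from the report is that the variant appends .xaro to encrypted files.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) endpoint log format:
#   <ISO timestamp> <process path> RENAME "<source path>" -> "<destination path>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<proc>\S+) RENAME "(?P<src>[^"]+)" -> "(?P<dst>[^"]+)"$'
)
# The Xaro variant appends this extension to files it has encrypted.
XARO_RE = re.compile(r"\.xaro$", re.IGNORECASE)

# Constructed sample events: one process renames six documents in three seconds,
# explorer.exe makes a harmless .bak rename and a single one-off .xaro rename.
SAMPLE_LOG = r"""
2023-11-29T10:00:01 C:\Users\victim\AppData\Local\Temp\setup.exe RENAME "C:\Users\victim\Documents\budget.xlsx" -> "C:\Users\victim\Documents\budget.xlsx.xaro"
2023-11-29T10:00:02 C:\Users\victim\AppData\Local\Temp\setup.exe RENAME "C:\Users\victim\Documents\report.docx" -> "C:\Users\victim\Documents\report.docx.xaro"
2023-11-29T10:00:02 C:\Users\victim\AppData\Local\Temp\setup.exe RENAME "C:\Users\victim\Pictures\photo.jpg" -> "C:\Users\victim\Pictures\photo.jpg.xaro"
2023-11-29T10:00:03 C:\Users\victim\AppData\Local\Temp\setup.exe RENAME "C:\Users\victim\Documents\notes.txt" -> "C:\Users\victim\Documents\notes.txt.xaro"
2023-11-29T10:00:03 C:\Users\victim\AppData\Local\Temp\setup.exe RENAME "C:\Users\victim\Documents\thesis.pdf" -> "C:\Users\victim\Documents\thesis.pdf.xaro"
2023-11-29T10:00:04 C:\Users\victim\AppData\Local\Temp\setup.exe RENAME "C:\Users\victim\Documents\db.sqlite" -> "C:\Users\victim\Documents\db.sqlite.xaro"
2023-11-29T10:05:00 C:\Windows\explorer.exe RENAME "C:\Users\victim\Desktop\old.txt" -> "C:\Users\victim\Desktop\old.bak"
2023-11-29T10:06:00 C:\Windows\explorer.exe RENAME "C:\Users\victim\Desktop\test.txt" -> "C:\Users\victim\Desktop\test.xaro"
"""


def sample_lines():
    """Return the constructed sample log as a list of non-empty lines."""
    return [l for l in SAMPLE_LOG.strip().splitlines() if l.strip()]


def parse_event(line):
    """Parse one log line into a dict, or return None if it is not a rename event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "proc": m["proc"],
        "src": m["src"],
        "dst": m["dst"],
    }


def detect_xaro_activity(lines, window=timedelta(seconds=60), threshold=5):
    """Flag processes that rename at least `threshold` files to .xaro within `window`.

    Returns {process: {"count", "peak_in_window", "samples"}} for flagged processes.
    Only renames that *add* the extension count; a file that already ended in .xaro
    (for example being moved) is ignored so that cleanup tooling is not flagged.
    """
    per_proc = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if XARO_RE.search(ev["dst"]) and not XARO_RE.search(ev["src"]):
            per_proc[ev["proc"]].append(ev)

    alerts = {}
    for proc, events in per_proc.items():
        events.sort(key=lambda e: e["ts"])
        # Sliding window over the sorted timestamps: largest number of
        # .xaro renames by this process inside any `window`-long interval.
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[proc] = {
                "count": len(events),
                "peak_in_window": peak,
                "samples": [e["dst"] for e in events[:3]],
            }
    return alerts


if __name__ == "__main__":
    for proc, info in detect_xaro_activity(sample_lines()).items():
        print(f"ALERT {proc}: {info['count']} .xaro renames, "
              f"peak {info['peak_in_window']} per minute, e.g. {info['samples'][0]}")
```

The rate-based check matters because a single .xaro rename (here, explorer.exe) is not evidence of encryption, whereas six in three seconds from a binary in a Temp directory is the pattern a mass-encryption loop produces. Tune the window and threshold to the host's normal rename volume, and treat the extension match as one signal alongside the ransom-note drop and the PrivateLoader chain described above rather than as proof on its own.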

If anything, the incident illustrates the risks of downloading freeware from untrusted sources. Last month, Sucuri detailed another campaign, dubbed FakeUpdateRU, in which visitors to compromised websites are served fake browser update notifications that deliver RedLine Stealer.

“Threat actors are known to favor freeware masquerading as a way to covertly install malicious code,” Villanueva said. “The speed and breadth of impact of infected machines should be well understood by business networks looking to protect themselves and their data.”
