ChatGPT helped researchers reverse engineer the latest version of XLoader, cutting analysis time from days to hours,
Check Point reported Monday.
The researchers worked directly within the
ChatGPT web interface in addition to a setup using the model context protocol (MCP) to integrate ChatGPT with IDA Pro, x64dbg and a VMware instance, and used detailed prompts and manual interventions to guide the large language model (LLM) through a series of steps from initial triage to extraction of key indicators of compromise (IoCs).
XLoader works as both a loader and
infostealer and is notoriously difficult to analyze due to its multiple layers of encryption and obfuscation, and sandbox evasion techniques, Check Point noted. New versions of the malware are frequently released, sometimes replacing older versions just shortly after researchers manage to decode them.
The Check Point team used ChatGPT 5 in “thinking” mode to help reverse engineer XLoader version 8. They shared several of the prompts they used, walked through their analysis and troubleshooting steps, shared their results and broke down the time ChatGPT spent on each step in the detailed report.
The researchers noted that working directly within the ChatGPT web interface was especially helpful due to features like persistent chat history and file uploads through the Projects feature, an editable Canvas, easily sharable results and the ability to run multiple analyses at once without the need for a persistent internet connection.
However, the analysis still benefited from the MCP agent setup when needed to retrieve decrypted data and cryptographic keys at runtime and perform experiments cycles to verify hypotheses.
The team shared the measures they took to overcome challenges such as hallucinations, as ChatGPT tended to attempt to “invent” missing data, as well as perform “cosmetic transformations” like base64-encoding of corrupted outputs. They also found that it often requested information that was already present in the files it was provided.
Specific prompts shared by the researchers required the model to verify and cite its claims with effective addresses (EAs), avoid transforming outputs to make them “look right” and search uploaded files for information before requesting it from the researchers.
ChatGPT analyzes XLoader in hours, but requires manual help
The ChatGPT-assisted process started by exporting the IDA Pro database for the XLoader sample, including disassembly and decompiler outputs, a list of cross-references, readable strings and the original binary, and uploading it to ChatGPT as a ZIP archive. The researchers used a detailed prompt, which is shared in the report, to set ChatGPT up as a “reverse-engineering copilot.”
Unpacking
The first task prompt simply asked for an initial analysis of the sample starting from the entry point, with ChatGPT identifying that the sample was packed, used RC4 for decryption and was consistent with XLoader without being told that the sample was XLoader.
The XLoader 8 payload was packed with two rounds of RC4 encryption, including one pass encrypting the entire buffer and a second pass, using a different key, in which the payload was encrypted in 256-byte chunks. The researchers asked ChatGPT to identify cryptographic function calls and then used their MCP integrated setup to set breakpoints to capture the cryptographic keys at runtime, as well as capture decrypted data for later decryption verification.
The two cryptographic keys were successfully retrieved and provided back to ChatGPT to further analyze the packing process and generate an unpacking script that could be used on other XLoader samples. While the script worked for the initial sample, the researchers needed to manually fine-tune it to work with other versions of the malware. Overall ChatGPT took about 39 minutes total on these triage and unpacking steps.
Function decryption
The most time-consuming segment of the analysis involved investigating the unpacked sample and decrypting its functions. The malware was found to use three different decryption schemes across its functions, the most common of which uses a global 20-byte base key combined with a 4-byte XOR modifier.
While ChatGPT was able to initially identify 90 encrypted functions and produce scripts to help decrypt these functions, it was only able to consistently locate one of the constants (seed_internal) used to generate the XOR modifier, while the other constant (seed_external) required manual assistance to locate for each function as it was scattered throughout various locations.
After running the manually modified decryption script three times, the researchers decrypted 77 functions. The other two encryption schemes both used two encryption layers and only differed in how they derived the key for the second layer. ChatGPT was able to create decryptors for these two schemes as well and after four iterations using all three decryptors, a total of 101 functions were decrypted.
Deobfusating API calls and strings
Once the decrypted sample was obtained, ChatGPT was then used to assist in the deobfuscation and decryption of API calls, strings and domains. XLoader often includes dozens of domains in its code as decoys to help conceal its real command-and-control (C2) addresses, the researchers noted.
ChatGPT identified and described two different methods used by XLoader for API call obfuscation and first generated an IDAPython script to handle the first path. The researchers tested the initial script in IDA and found that it didn’t work, going through five iterations of testing and sending error reports back to the model before they achieved a working script.
Similarly, when asked to update the script to handle the second API resolution path, ChatGPT required five iterations of updates to complete a working script for both algorithms. The process to obtain the final working script took about 55 minutes.
For string decryption, ChatGPT identified and analyzed an algorithm implemented in one of the previously decrypted functions and was able to create an IDA Python decryption script on the first try, which the researchers used to decrypt 175 strings after about 20 minutes of work.
Obtaining plaintext domain names
Lastly, to decrypt domain names — key indicators of compromise (IoCs) for identifying XLoader — the researchers updated the string decryption script to assign a set prefix for all functions that handle base64-encoded strings, as XLoader is known to encode domain names with base64. This helped them identify a single function that served as the core routine for domain decoding, which they then asked ChatGPT to analyze.
The model identified the decoding steps, which involved multiple encryption layers, including a first layer involving an RC4-with-diff transform using a 20-byte secret that is then byte-XORed with the domain index, and a second layer using a 20-byte key XORed with a value SALT_DWORD. Additionally, the domain is re-encoded with base64 in between these layers.
ChatGPT was unable to retrieve both the 20-byte secret for the first layer and SALT_DWORD for the second layer on its own, requiring the researchers to manually recover these values and relay them back to the model. Ultimately, the AI was able to recreate the decoding process and fully decrypt the domains, the first 16 of which were published in a table in Check Point’s report.
Additionally, XLoader generates a 4-character tag for each domain which is added on to each URL; ChatGPT was used to determine how these 4-character tags are generated and recreate these tags for all of the decrypted domains. In total, the domain deobfuscation process took 47 minutes and 54 seconds.
A balance of human and AI analysis
The Check Point researchers ultimately concluded that generative AI such as ChatGPT can significantly reduce the time it takes to analyze malware samples like XLoader, preventing analysts from needing to spend days rewriting decryption routines by hand. However, these tools cannot yet replace human analysts, as manual assistance was required at several steps throughout the process, showing current barriers to a fully autonomous reverse engineering process.
Ultimately, AI can serve as a “force multiplier” that helps analysts get ahead of the speedy development cycles of XLoader and similar threats, making IoCs available earlier for organizations to defend themselves, the researchers said.