Check Point Research uses GenAI to decrypt XLoader's protected code, accelerating malware analysis and the defensive response that follows it.

Check Point Research has turned to GenAI to tackle one of cybersecurity's toughest challenges: the analysis of XLoader, a stealthy malware family that evolved from FormBook. XLoader encrypts its code, hides sections of it during execution, and detects monitoring tools, which makes traditional manual analysis slow, error-prone, and often incomplete.

To overcome this, Check Point deployed a GenAI-powered hybrid analysis workflow built on GPT-5. The process combines cloud-based static analysis with runtime-assisted debugging to automate reverse-engineering tasks. Fed with data exported from disassembly tools such as IDA Pro, the model identified the encryption algorithms in use, generated custom Python scripts to decrypt them, and mapped hidden data structures. During live debugging, the model extracted encryption keys and decrypted buffers from memory, exposing code and data previously locked behind multiple protection layers.

This approach turned weeks of manual labor into hours. The workflow decrypted over 100 hidden functions, uncovered three modified RC4 encryption layers, and exposed 64 command-and-control domains. It also revealed XLoader's distinctive sandbox-evasion mechanism, an encryption "trampoline" that keeps code sections encrypted until they are needed during execution. These discoveries substantially improved Check Point's threat intelligence and allowed protections to be updated more quickly.
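As an added example (not Check Point Research's code, and not XLoader's actual routine), the following Python script shows the shape of the reproducible decrypt-and-validate step that such a workflow produces: peel the RC4 layers with keys recovered from memory, then check the result before anyone trusts it. The article does not describe XLoader's RC4 modifications, its key layout or its domain-table format, so standard RC4, a NUL-separated table, the `validate_domain_table` heuristic, and all keys, domains and ciphertext below are assumptions constructed for the demonstration.

```python
"""Layered RC4 decryption with output validation.

Added example, not Check Point's code. The three modified RC4 layers are not
described in the article, so standard RC4 stands in for them; the keys, the
NUL-separated domain table and the ciphertext below are all constructed.
"""
import re


def rc4_keystream(key: bytes):
    """Standard RC4: key scheduling (KSA), then the PRGA as a generator."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a keystream XOR, so one function both encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def layered_rc4(data: bytes, keys) -> bytes:
    """Apply one RC4 pass per key, in the order given."""
    out = data
    for key in keys:
        out = rc4_crypt(key, out)
    return out


# One DNS label, then one or more ".label" parts (lowercase ASCII).
_LABEL = rb"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rb"^" + _LABEL + rb"(?:\." + _LABEL + rb")+$")


def validate_domain_table(buf: bytes, min_ratio: float = 0.9) -> bool:
    """Heuristic check that a decrypted buffer really is a domain table.

    Assumption (not from the article): entries are NUL-separated. A wrong
    key or algorithm yields high-entropy bytes that essentially never pass
    this test, so a misidentified key is caught before its output is used.
    """
    items = [x for x in buf.split(b"\x00") if x]
    if not items:
        return False
    good = sum(1 for x in items if DOMAIN_RE.match(x))
    return good / len(items) >= min_ratio


def recover_c2_domains(ciphertext: bytes, keys) -> list[str]:
    """Peel the layers, validate, and return the entries that parse as domains."""
    plain = layered_rc4(ciphertext, keys)
    if not validate_domain_table(plain):
        raise ValueError("decrypted buffer does not look like a domain table")
    return [x.decode("ascii") for x in plain.split(b"\x00") if DOMAIN_RE.match(x)]


def layers_commute(data: bytes, keys) -> bool:
    """Unmodified RC4 layers are XOR masks and therefore commute. A modified
    variant may not, which is why the key order observed at runtime should
    be recorded rather than assumed."""
    return layered_rc4(data, keys) == layered_rc4(data, list(reversed(keys)))


# Constructed sample: reserved example domains and throwaway keys.
SAMPLE_DOMAINS = ["c2-one.example.net", "panel.example.org", "update.example.com"]
SAMPLE_KEYS = [b"layer1-key", b"layer2-key", b"layer3-key"]
SAMPLE_CIPHERTEXT = layered_rc4(
    b"\x00".join(d.encode("ascii") for d in SAMPLE_DOMAINS) + b"\x00",
    list(reversed(SAMPLE_KEYS)),  # innermost layer applied first, as a packer would
)

if __name__ == "__main__":
    print(recover_c2_domains(SAMPLE_CIPHERTEXT, SAMPLE_KEYS))
    print("layers commute:", layers_commute(SAMPLE_CIPHERTEXT, SAMPLE_KEYS))
```

Running the script prints the three reserved example domains. Two points carry over to real work: a decryptor that hands back bytes without a plausibility check invites a confidently wrong answer from the model, which is why the validation step belongs in the generated script itself; and plain RC4 layers commute because each is an XOR keystream, while a modified variant may not, so the order in which the sample applies its keys should be taken from the debugger, not inferred.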

GenAI's biggest advantage here lies in speed, reproducibility, and insight. Analysts can re-run the workflow on a new sample, validate its outputs, and spend their time on the threat's behavior rather than on manual decryption, which shortens turnaround for incident response and defense deployment. The model's conclusions about which algorithm and which key are in use are hypotheses until runtime confirms them, so validation against live memory stays part of the loop. Attackers will keep changing their protections, but AI lets defenders decode and understand new variants far faster than before. Check Point continues to refine its GenAI malware-analysis pipeline to add automation, runtime validation, and scalable intelligence sharing, changing how security teams confront advanced, self-protecting malware.