XenAllPasswordPro
XenAllPasswordPro is a credential-harvesting tool used to extract passwords and authentication data from system storages. In the provided reporting, it is described as a well-known hacking utility used alongside tools such as Mimikatz and BrowserThief. Kaspersky observed its use by multiple threat actors targeting Russian organizations. The hacktivist group Cyber Anarchy Squad (C.A.S) used XenAllPasswordPro in attacks against organizations in Russia and Belarus after exploiting public-facing applications such as Jira, Confluence, and Microsoft SQL Server; C.A.S targeted sectors including government, commercial, entertainment, technology, telecommunications, and industrial organizations. Kaspersky also reported XenAllPasswordPro in the toolkit of the ransomware actor Crypt Ghouls, which targeted Russian businesses and government agencies, including mining, energy, finance, and retail organizations. In Crypt Ghouls intrusions, the tool was used to harvest authentication data after initial access obtained via compromised contractor or subcontractor credentials over VPN. Reporting also notes tooling overlap involving XenAllPasswordPro across Crypt Ghouls, MorLock, BlackJack, and Twelve, indicating shared utilities among Russia-targeting campaigns. High-confidence behavioral detail from the content is limited to password extraction from system storage and harvesting authentication data; no specific standalone indicators of compromise for XenAllPasswordPro itself are provided in the content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"The group’s arsenal includes well-known hacking tools such as Mimikatz, XenAllPasswordPro..."
"The group’s arsenal includes well-known hacking tools such as Mimikatz, XenAllPasswordPro..."
"The group’s arsenal includes well-known hacking tools such as Mimikatz, XenAllPasswordPro..."
"The group’s arsenal includes well-known hacking tools such as Mimikatz, XenAllPasswordPro..."
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
XenAllPasswordPro is a credential stealer used by C.A.S to extract passwords from system storage on compromised hosts.
Credential recovery tool (notably for Xen virtualization environments) used to harvest passwords/credentials to facilitate access and lateral movement.
Password/credential harvesting utility used post-compromise to obtain authentication data, supporting further access and ransomware deployment.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.