THREAT ALERT: DJvu Variant Delivered by Loader Masquerading as Freeware

Cybereason issues Threat Alerts to inform customers of emerging threats, including a recently observed DJvu variant delivered via a loader masquerading as freeware. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.


The Cybereason Security Services Team is investigating incidents that involve variants of the DJvu ransomware delivered via loader payloads masquerading as freeware or cracked software. 

While this attack pattern is not new, incidents involving a DJvu variant that appends the .xaro extension to affected files and demanding ransom for a decryptor have been observed infecting systems alongside a host of various commodity loaders and infostealers. This Threat Alert will provide an overview of an attack involving this variant of DJvu, which we will call Xaro for ease of reference.


The adversary’s goal is data exfiltration, information stealing, and the encryption of files in order to garner a ransom from the victim.

Attack-flow-diagramAttack flow diagram of the Xaro infection- threat actors host malicious payloads as freeware online. When the user downloads and runs the payload, a variety of malware (including the DJvu variant Xaro) is executed.


  • .xaro extension: The DJvu variant observed in this attack appends the .xaro extension to affected files and drops its ransom note as the file _readme.txt. Other DJvu variants appending different extensions to affected files have been observed.
  • Shotgun infection: Xaro was observed deployed along with a variety of other malicious files, indicating a ‘shotgun’ approach undertaken by the threat actor. Other malware strains include various infostealers, loaders, and downloaders, suggesting that on top of ransomware execution the attacker may be interested in double extortion and further compromise of affected machines.
  • Leveraging freeware: This attack illustrates the risks involved with downloading freeware from untrusted sources.


The Cybereason Defense Platform can detect and prevent post-exploitation observed in attacks using DJvu variants. Cybereason recommends the following actions:

  • Enable Cybereason Anti-Ransomware and set it to Prevent to ensure maximum protection against ransomware.
  • In the Cybereason Defense Platform, enable Application Control to block the execution of malicious files.
  • To hunt proactively, use the Investigation screen in the Cybereason Defense Platform and the queries in the Hunting Queries section to search for assets that have potentially been exploited. Based on the search results, take further remediation actions, such as isolating and re-imaging the affected machines.
  • Ensure that users are educated on the risks of downloading freeware from untrusted sources or cracked software.
  • Add relevant Indicators of compromise (IoCs) to your environment’s custom reputation list with the “Block & Prevent” flags.


This blog post is the summary of a full 16-page Threat Alert, which can be downloaded here


Ralph Villanueva, Senior Security Analyst, Cybereason Global SOCRalph-Villanueva

Ralph Villanueva is a Security Analyst with the Cybereason Global SOC team. He works hunting and combating emerging threats in the cybersecurity space. His interests include malware reverse engineering, digital forensics, and studying APTs. He earned his Masters in Network Security from Florida International University.  

About the Author

Cybereason Security Research Team

The Security Security Research Team creates and manages the core security content of Cybereason, including the detection and preventions logic of its products. The Team is leading the innovation of security defense features to detect and disrupt advanced cyberattacks. The Team is led by top-tier security researchers working with major enterprises, governments, and the military.