xCaon
xCaon is a previously undocumented malware family associated with the IndigoZebra espionage activity. Reporting cited in the content links xCaon to campaigns targeting political entities in Kyrgyzstan and Uzbekistan, and Kaspersky’s 2017 reporting associated the broader operation with malware including Meterpreter, Poison Ivy RAT, xDown, and xCaon. Check Point identified about 30 xCaon samples, with the earliest dating back to 2014.
High-confidence behaviors described in the content indicate that xCaon used HTTP for command-and-control communications and Base64 to encode its C2 traffic. Data sent to the C2 server was also encrypted with an XOR key. The malware can upload files from victim machines. It performs host discovery by retrieving network adapter information via the Windows GetAdaptersInfo() API, and it checks for the presence of Kaspersky antivirus software on the infected system.
The content further notes that xCaon was linked by Check Point to the IndigoZebra threat actor based on similarities with BoxCaon, a related backdoor used in espionage operations against the Afghan government. Only the directly stated capabilities for xCaon are included here: HTTP-based C2, Base64-encoded and XOR-protected communications, file upload from victims, network adapter enumeration, and Kaspersky AV presence checks.
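As an added illustration, not code from the page or from any xCaon sample: a small analyst-side helper for the Base64-plus-XOR C2 encoding described above, with a single-byte key recovery pass for captured bodies whose key is unknown. The XOR-then-Base64 order, the placeholder key 0x5a and the sample host-info beacon are assumptions for the demo, not values from the reporting.

```python
import base64
import binascii
import string

# Assumption: the page does not give xCaon's key length or the order of the two
# steps; a repeating-key XOR applied before Base64 is what this demo assumes.
PRINTABLE = set(string.printable.encode())

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encode_c2_body(plaintext: bytes, key: bytes) -> str:
    """Build a body the way the page describes: XOR the data, then Base64 it."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")

def decode_c2_body(body: str, key: bytes) -> bytes:
    """Reverse a captured body with a known key: Base64-decode, then XOR."""
    return xor_bytes(base64.b64decode(body, validate=True), key)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; host-info beacons score near 1.0."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0

def recover_single_byte_key(body: str, threshold: float = 0.95) -> list:
    """Brute-force all 256 single-byte keys against a captured body and return
    (key, plaintext) candidates whose output is mostly printable, best first.
    Multi-byte keys need a longer search; this covers the single-byte case only."""
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error:
        return []  # not a Base64 body at all; nothing to score
    scored = []
    for k in range(256):
        out = xor_bytes(raw, bytes([k]))
        ratio = printable_ratio(out)
        if ratio >= threshold:
            scored.append((ratio, k, out))
    scored.sort(key=lambda t: (-t[0], t[1]))
    return [(k, out) for _, k, out in scored]

if __name__ == "__main__":
    # Constructed sample beacon: adapter and AV-check results like those xCaon collects.
    sample = b"mac=00-11-22-33-44-55;adapter=Intel(R) Ethernet;kaspersky=0"
    body = encode_c2_body(sample, b"\x5a")  # 0x5a is a placeholder key
    print(recover_single_byte_key(body)[:3])
```

Several keys can score 1.0 on short, all-ASCII beacons, so treat the candidate list as triage input and confirm the key against a second captured body.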
Groups observed using it
1 distinct threat actor attributed by public researchers.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (2 techniques)
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Stealth (1 technique)
Discovery (2 techniques)
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
Command and Control (5 techniques)
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Malware family linked to IndigoZebra; samples dating back to 2014 are described as HTTP-based C2 variants, used in espionage targeting political entities in Central Asia.
Malware that uses Base64 to encode command-and-control traffic.
Previously unknown malware mentioned as part of the IndigoZebra campaign toolset.