XenAllPasswordPro
XenAllPasswordPro is a credential-harvesting tool used to extract passwords and other authentication data from system storage. In the public reporting collected here, it was observed in ransomware and hacktivist intrusions as part of post-compromise credential access activity. Kaspersky-linked reporting states that Crypt Ghouls used XenAllPasswordPro to harvest authentication data from victim systems after gaining access, including in attacks against Russian businesses and government agencies in the mining, energy, finance, retail, and public sectors. The tool was also identified in Cyber Anarchy Squad (C.A.S) operations targeting organizations in Russia and Belarus.
Observed deployment details in Crypt Ghouls intrusions include recurring use of the directory name "allinone2023" and execution from paths such as C:\ProgramData\allinone2023\xenallpasswordpro.exe, C:\ProgramData\dbg\allinone2023\xenallpasswordpro.exe, C:\ProgramData\1c\allinone2023\xenallpasswordpro.exe, and user desktop locations. In some cases, the parent process was wmiprvse.exe, indicating remote execution via WMI; researchers also noted that RDP was sometimes used to execute credential-harvesting tools. Reporting further notes overlaps in use of XenAllPasswordPro across Crypt Ghouls, MorLock, BlackJack, Twelve, Shedding Zmiy/(Ex)Cobalt-linked activity, and C.A.S, suggesting shared tooling or collaboration. High-confidence indicators directly mentioned for this tool include the executable name xenallpasswordpro.exe and the recurring path component allinone2023.
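The indicators above translate directly into a hunt over process-creation telemetry. The script below is an added example, not code from the reporting or from the tool's authors: it applies the executable name, the allinone2023 path component, and the wmiprvse.exe parent-process context to a batch of normalized process-creation events (Sysmon Event ID 1 style). The event layout, the helper names, and the sample events are constructed for this example; the benign 1cv8.exe event and the renamed update.exe binary are hypothetical, chosen to show that the name and directory checks fire independently.

```python
"""Hunt for XenAllPasswordPro execution in process-creation telemetry.

Added example, not code from the reporting above. Indicators come from the
page (image name xenallpasswordpro.exe, path component allinone2023, parent
wmiprvse.exe for WMI-launched instances); the event layout and the sample
events are constructed here to resemble normalized Sysmon Event ID 1 records.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXE_NAME = "xenallpasswordpro.exe"      # high-confidence indicator from the reporting
STAGING_DIR = "allinone2023"            # recurring directory name from the reporting
REMOTE_EXEC_PARENTS = {"wmiprvse.exe"}  # parent seen when launched remotely via WMI


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    user: str


@dataclass(frozen=True)
class Hit:
    host: str
    image: str
    user: str
    reasons: Tuple[str, ...]


def _components(path: str) -> List[str]:
    """Split a Windows or POSIX path into lower-cased components."""
    return [c.lower() for c in re.split(r"[\\/]+", path) if c]


def score_event(ev: ProcEvent) -> Optional[Hit]:
    """Return a Hit if the event matches the tool's indicators, else None.

    The image name and the staging directory are checked independently, so a
    renamed binary still trips on the directory and a relocated binary still
    trips on its name.
    """
    parts = _components(ev.image)
    reasons = []
    if parts and parts[-1] == EXE_NAME:
        reasons.append("image name " + EXE_NAME)
    if STAGING_DIR in parts[:-1]:
        reasons.append("staging directory " + STAGING_DIR)
    if not reasons:
        return None
    # Context, not a trigger on its own: wmiprvse.exe as the parent points at
    # remote execution over WMI, which the reporting describes.
    parent = _components(ev.parent_image)
    if parent and parent[-1] in REMOTE_EXEC_PARENTS:
        reasons.append("parent " + parent[-1] + " (WMI remote execution)")
    return Hit(ev.host, ev.image, ev.user, tuple(reasons))


def hunt(events: List[ProcEvent]) -> List[Hit]:
    """Run score_event over a batch and keep the matches, in input order."""
    return [h for h in (score_event(e) for e in events) if h is not None]


# Constructed sample telemetry (hypothetical hosts and users, not real victim data).
SAMPLE_EVENTS = [
    # Path and parent as described in the Crypt Ghouls reporting.
    ProcEvent("SRV01", r"C:\ProgramData\allinone2023\xenallpasswordpro.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"CORP\svc_backup"),
    # Desktop drop launched interactively (e.g. over an RDP session).
    ProcEvent("WS17", r"C:\Users\ivan\Desktop\xenallpasswordpro.exe",
              r"C:\Windows\explorer.exe", r"CORP\ivan"),
    # Renamed binary: only the staging directory gives it away.
    ProcEvent("SRV03", r"C:\ProgramData\1c\allinone2023\update.exe",
              r"C:\Windows\System32\cmd.exe", r"CORP\admin"),
    # Benign 1C client start; must not match.
    ProcEvent("SRV02", r"C:\Program Files\1cv8\bin\1cv8.exe",
              r"C:\Windows\explorer.exe", r"CORP\accounting"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit.host}: {hit.image} ({hit.user}) -> {'; '.join(hit.reasons)}")
```

The parent-process check is deliberately additive rather than a trigger: wmiprvse.exe spawns plenty of legitimate children, so on its own it would be noise, but paired with either tool indicator it tells the responder that the host was reached over WMI and that the initiating account should be chased across other hosts.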
Groups observed using it
4 distinct threat actors attributed by public researchers.
The attackers employed the XenAllPasswordPro tool to harvest a range of authentication data from the target system.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Credential-harvesting tool used to collect authentication data from victim systems, commonly staged in directories named allinone2023 across multiple related campaigns.
XenAllPasswordPro is a credential stealer used by C.A.S to extract passwords from system storage on compromised hosts.
Credential recovery tool used to harvest passwords and other credentials from the local system to facilitate further access and lateral movement.
Password/credential harvesting utility used post-compromise to obtain authentication data, supporting further access and ransomware deployment.