BleepingComputer reports that threat actors behind the XFiles info-stealer have updated the malware to include a delivery module exploiting the Follina vulnerability, tracked as CVE-2022-30190, to facilitate payload downloads and execution. Cyberint researchers found that recent XFiles campaigns involve a malicious document with an OLE object referring to an HTML file that contains Follina-exploiting JavaScript code. Persistence in the Windows startup directory is established through a retrieved base64-encoded string containing PowerShell commands, while a hardcoded encrypted shellcode and AES decryption key were observed in the second-stage module, according to researchers. The report also showed that, once the infection process completes, XFiles targets web browser-stored cookies, passwords, and history, as well as cryptocurrency wallets. The malware also captures screenshots and seeks Discord and Telegram credentials. Cyberint has noted the expansion of the XFiles reborn operation through the recruitment of new members, including the author of the Whisper Project info-stealer.
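
A defender-side check for the delivery method described above, added here as an example and not taken from BleepingComputer or Cyberint: it assumes the lure is an Office Open XML (.docx) package and lists every OLE relationship whose target lies outside the file. The sample packages and the `example.invalid` URL are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace and relationship type defined by the Open Packaging / OOXML standards.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_ole_targets(docx_bytes):
    """Return (part, target) for each OLE relationship pointing outside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                # For bulk triage of untrusted files, a hardened parser such as
                # defusedxml is the safer choice.
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                findings.append((name, "<unparseable relationships part>"))
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                is_ole = rel.get("Type") == OLE_TYPE
                is_external = rel.get("TargetMode", "").lower() == "external"
                if is_ole and is_external:
                    findings.append((name, rel.get("Target", "")))
    return findings


def build_sample(external):
    """Constructed input: a minimal package holding one relationships part."""
    mode = ' TargetMode="External"' if external else ""
    target = "https://example.invalid/page.html" if external else "embeddings/oleObject1.bin"
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OLE_TYPE}" Target="{target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("embedded", "external"):
        print(label, external_ole_targets(build_sample(label == "external")))
```

An embedded OLE object is normal in Office documents; a hit from this check means the object is fetched from a remote location when the document opens, which is what warrants a closer look at the target.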