diff --git a/packs/win_malware.conf b/packs/win_malware.conf
index 83b831b..ca2b0b6 100644
--- a/packs/win_malware.conf
+++ b/packs/win_malware.conf
@@ -1144,6 +1144,15 @@
 "windows"
 ]
 },
+ "malware_xclient_stealer_file_artifact": {
+ "query": "SELECT f.path, f.directory, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch', 'UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path=h.path WHERE f.directory LIKE '\\Users\\%\\AppData\\Local\\%\\%\\User Data\\%%' AND LOWER(f.filename) IN ('login data_coppy', 'cookies_coppy','web data_coppy')",
+ "interval": 86400,
+ "snapshot": true,
+ "description": "XClient stealer is an information stealer known for stealing victims' credentials, browser data, and social media accounts. It targets Chrome, Microsoft Edge, Opera, Brave, CocCoc, and Firefox and copies browser data files such as cookies, web data, and login data to prepare them for extraction. XClient stealer is known to be used as a final payload by the threat actor CoralRaider.",
+ "platform": [
+ "windows"
+ ]
+ },
 "malware_sidecopy_filebrowser_path": {
 "query": "SELECT f.path, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch','UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path=h.path WHERE (f.path LIKE 'C:\\Users\\%\\AppData\\Local\\Temp\\__\\ulog.txt' OR f.path LIKE 'C:\\Users\\%\\AppData\\Local\\Temp\\__\\%_di_output.txt')\n",
 "interval": 86400,
diff --git a/win_malware/malware_xclient_stealer_file_artifact.yaml b/win_malware/malware_xclient_stealer_file_artifact.yaml
new file mode 100644
index 0000000..aecdbee
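Review bot: The new `malware_xclient_stealer_file_artifact` query anchors its directory pattern at `'\\Users\\%\\AppData\\Local\\%\\%\\User Data\\%%'` with no drive letter, whereas the adjacent `malware_sidecopy_filebrowser_path` query in this same hunk anchors on `C:\\Users\\%`; osquery's `file` table derives its filesystem glob from the `directory LIKE` constraint, so a drive-less prefix may match nothing on a Windows host and should be confirmed before this ships. The trailing `%%` is also just `%`. I would change the predicate to `f.directory LIKE 'C:\\Users\\%\\AppData\\Local\\%\\%\\User Data\\%'` here and the same (single-backslash) form in the YAML hunk below. Separately, the description lists Firefox among the targets, but the pattern only matches Chromium-style `User Data` profile trees under `AppData\Local`, so Firefox copies would presumably be missed unless the stealer stages them in that tree — either say so in the description or widen the pattern if the referenced sample shows otherwise.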
--- /dev/null
+++ b/win_malware/malware_xclient_stealer_file_artifact.yaml
@@ -0,0 +1,24 @@
+XClient Stealer File Artifact:
+ query: SELECT f.path, f.directory, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size,
+ DATETIME(f.atime, 'unixepoch', 'UTC') AS last_access_time,
+ DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified,
+ DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time,
+ DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type
+ FROM file f LEFT JOIN hash h ON f.path=h.path
+ WHERE f.directory LIKE '\Users\%\AppData\Local\%\%\User Data\%%'
+ AND LOWER(f.filename) IN ('login data_coppy', 'cookies_coppy','web data_coppy')
+ interval: 86400
+ snapshot: true
+ description: XClient stealer is an information stealer known for stealing victims'
+ credentials, browser data, and social media accounts. It targets Chrome, Microsoft
+ Edge, Opera, Brave, CocCoc, and Firefox and copies browser data files such as
+ cookies, web data, and login data to prepare them for extraction. XClient stealer
+ is known to be used as a final payload by the threat actor CoralRaider.
+ references:
+ - 4dc9fe269cd668894c7ea4dd797cba1d2a8df565e9bdd814e969247c94b39643
+ mitre_tactics:
+ - Collection: TA0009
+ mitre_techniques:
+ - Local Data Staging: T1074.001
+ platform:
+ - windows
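Review bot: The `references` entry is a bare SHA-256 with nothing saying what it identifies, so a future maintainer cannot tell whether it is the sample the `_coppy` filenames were derived from or something else. I would add a YAML comment above the hash such as `# SHA-256 of the XClient sample whose staged-file naming this query matches`, or pair it with the report the hash comes from if one exists. The path-anchoring issue in the `query` scalar is covered in the note on the `packs/win_malware.conf` hunk above.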