XPan, also known as NMoreira, targets servers running Windows OS and is distributed manually via Remote Desktop Protocol (RDP) compromise. It originates in Brazil and has been used by a group of malicious actors identified as “TeamXRat” and “CorporacaoXRat” to target Brazilian companies and hospitals. It uses a combination of RSA and AES-256 to encrypt files and appends ._xratteamLucked, .maktub or ._AiraCropEncrypted! to encrypted file names. XPan disables antivirus software, modifies the registry, and deletes itself after the encryption process is completed. The ransom payment demand is 1 Bitcoin.