Historically, XLoader spreads via phishing emails with malicious macros or fake software cracks. But recently, a new distribution vector has emerged:
Security researchers (notably from Taszk Security Labs) have identified significant flaws in the xloader and BootROM of various Kirin chipsets (Kirin 980, 990, etc.). CVE-2021-22434 huawei+xloader