Cisco Talos reports advanced persistent threat actors and commodity malware families are using XLLs as an infection vector and this number continues to grow.
Since Microsoft has started rolling out versions of Office applications which will block execution of any VBA macros by default, attackers have turned to abusing Add-ins.
In terms of the file type, XLL files are just standard Windows dynamic loading libraries (DLLs). The difference between a regular DLL and an XLL file is that XLLs can implement certain exported functions which will be called by the Excel Add-In manager during some events triggered by the Excel application.
Before an XLL file is loaded, Excel displays a warning about the possibility of malicious code being included. This is a similar approach as the message about potentially dangerous code which is displayed after an Office document containing VBA macro code is opened.
XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code.