{
	"id": "c2d84cd5-0c67-40aa-ae4c-59e7df509eb0",
	"created_at": "2026-04-06T00:12:31.733529Z",
	"updated_at": "2026-04-10T13:12:40.823996Z",
	"deleted_at": null,
	"sha1_hash": "041ce0f489ec0b2e2547d0fa825c7563c8493012",
	"title": "Unusual \"ZPAQ\" Archive Format Delivers Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2370834,
	"plain_text": "Unusual \"ZPAQ\" Archive Format Delivers Malware\r\nBy Anna Lvova\r\nPublished: 2023-11-20 · Archived: 2026-04-05 15:18:29 UTC\r\nNew \"Agent Tesla\" Variant: Unusual \"ZPAQ\" Archive Format Delivers Malware\r\nReading time: 4 min (1143 words)\r\nA new variant of Agent Tesla uses the uncommon compression format ZPAQ to steal information from approximately 40 web browsers and various email clients. But what exactly is this file compression format? What advantage does it provide to threat actors? And why is it assumed that this version of Agent Tesla is “new”?\r\nZPAQ compression format and what it hides\r\nOn November 1, 2023, researcher Xavier Mertens reported a phishing attempt on one of his honeypots. What's noteworthy is that the threat actor used a ZPAQ archive and a .wav file extension to infect the system with Agent Tesla.\r\nZPAQ is a file compression format that offers a better compression ratio and a journaling function compared to widely used formats like ZIP and RAR. That means ZPAQ archives can be smaller, saving storage space and bandwidth when transferring files. However, ZPAQ has one major disadvantage: limited software support. There are GUI unpackers that support this format, for example PeaZip, but ZPAQ is extracted primarily with a command-line tool, which does not make it easy to work with, especially for users without technical expertise.\r\nhttps://www.gdatasoftware.com/blog/2023/11/37822-agent-tesla-zpaq\r\nPage 1 of 5\r\nExtraction of the .NET executable with the ZPAQ command-line tool and comparison of size.\r\nThe initial file was found in an email as \"Purchase Order pdf.zpaq\". As you can see from the file name, the threat actor is attempting to deceive us into believing that the archive contains a PDF file with important information. After extracting it with the ZPAQ command-line tool, it turns out that the 6KB archive suddenly \"weighed\" 1GB after extraction. After a deep look into the executable, it turned out that the file is a .NET executable with async methods that is bloated with zero bytes. One of the indicators is 0 entropy in the overlay section. Analysis of the executable in a hex editor proved that 90% of the sample is filled with zero bytes.\r\nThreat actors may prefer to use bloated executable files because of one significant advantage: such files cannot be uploaded to automatic scanning systems such as VirusTotal and sandboxes. This technique allows them to bypass traditional security measures and increase the effectiveness of their attack.\r\nSounds like stolen data\r\nILSpy: link to download the malicious component and the string that is responsible for decryption.\r\nThe main function of the unarchived .NET executable is to download a file with a .wav extension and decrypt it (3DES algorithm).\r\nWaveform Audio File Format (shortened as .wav) is a popular audio file format standard. However, in this case, it is unrelated to audio, and the threat actor simply used this file extension to hide the presence of malicious content. One possible reason is covert communication: using commonly used file extensions disguises the traffic as normal, making it more difficult for network security solutions to detect and prevent malicious activity.\r\nAnother Agent Tesla\r\nConfiguration data\r\nAgent Tesla is a .NET-based information stealer that emerged around 2014. Over time, it has undergone multiple updates, evolving in terms of both capabilities and evasion techniques. In this specific case, Agent Tesla was obfuscated with .NET Reactor (my colleague Karsten has done an in-depth analysis of this in a video), and several rounds of de-obfuscation were necessary to make the code clearer. The analysis revealed that it possesses the following functions:\r\ntargeting sensitive data of around 40 different web browsers\r\nstealing credentials from popular email clients\r\nscreen logging\r\nkeylogging\r\ngathering system information\r\ncapturing sensitive data of VPN tools\r\nFrom a capabilities standpoint, it doesn't offer anything significantly new. However, after analysis of similar samples, all of them have a similar .NET class with configuration data. The way to submit the stolen data, persistence variables, the keylogger variable, etc. are kept in this class. Other samples had the same structure, but just different methods to deliver information to the threat actor.\r\nCommunication ways in similar samples.\r\nIt was noticed that besides Telegram, the threat actor uses FTP and SMTP. And the list can be much bigger, because since 30.09.2023 more than 700 versions of this variant were observed on VirusTotal. As is customary in cases like this, the data being used is associated with compromised websites, the access credentials to which were likely acquired through an access broker who specializes in selling those types of accounts.\r\nOne of the Telegram APIs from the oldest observed sample is still active. Here is the information that was found about this communication channel:\r\nActive Telegram API from the oldest observed file (as of September 30, 2023)\r\nTakeaways\r\nThe usage of the ZPAQ compression format raises more questions than answers. The assumptions here are that either threat actors target a specific group of people who have technical knowledge or use less widely known archive tools, or they are testing other techniques to spread malware faster and bypass security software. However, it is definitely a good example that even very specific archive formats or widely spread file extensions like .wav can be used for malicious purposes.\r\nLike any other stealer, Agent Tesla can harm not only private individuals but also organizations. It has gained popularity among cybercriminals for many reasons, including ease of use, versatility, affordability on the Dark Web, and so on. It is worth mentioning that cybersecurity professionals and organizations are constantly working on developing countermeasures and detection techniques to minimize its effects. To protect your devices, it is essential to have malware protection, maintain a high level of security awareness, and regularly update software.\r\nInformation for fellow researchers\r\nZPAQ archive:\r\n1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6 - Archive.Trojan-Downloader.AgentTesla.LG5F9Z\r\n.wav file:\r\nc2c466e178b39577912c9ce989cf8a975c574d5febe15ae11a91bbb985ca8d2e - MSIL.Malware.Injector.L8JTF6\r\nAgent Tesla:\r\n45dc4518fbf43bf4611446159f72cdbc37641707bb924bd2a52644a3af5bab76 - MSIL.Trojan-Stealer.AgentTesla.B\r\nSource: https://www.gdatasoftware.com/blog/2023/11/37822-agent-tesla-zpaq",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2023/11/37822-agent-tesla-zpaq"
	],
	"report_names": [
		"37822-agent-tesla-zpaq"
	],
	"threat_actors": [],
	"ts_created_at": 1775434351,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/041ce0f489ec0b2e2547d0fa825c7563c8493012.pdf",
		"text": "https://archive.orkl.eu/041ce0f489ec0b2e2547d0fa825c7563c8493012.txt",
		"img": "https://archive.orkl.eu/041ce0f489ec0b2e2547d0fa825c7563c8493012.jpg"
	}
}