{
	"id": "5801510c-80a3-4a71-9b12-e2743af88c60",
	"created_at": "2026-04-06T00:07:08.502763Z",
	"updated_at": "2026-04-10T03:21:41.067041Z",
	"deleted_at": null,
	"sha1_hash": "3a338455f43d7c4bdfbf1ecd8484e78636175c43",
	"title": "Trellix Insights: SmokeLoader Exploits Old Vulnerabilities to Drop zgRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47698,
	"plain_text": "Trellix Insights: SmokeLoader Exploits Old Vulnerabilities to Drop\r\nzgRAT\r\nArchived: 2026-04-05 13:14:13 UTC\r\nImportant: This Knowledge Base article discusses a specific threat that is being automatically tracked by Trellix Insights\r\ntechnology. The content is intended for use by Trellix Insights users, but is provided for general knowledge to all customers.\r\nContact us for more information about Trellix Insights.\r\nEnvironment\r\nInsights\r\nSummary\r\nDescription of Campaign\r\nAn attack campaign was discovered using SmokeLoader to deliver zgRAT through phishing emails with malicious\r\nattachments. The operation used two Microsoft Office vulnerabilities, CVE-2017-0199 and CVE-2017-11882, to gain\r\naccess, elevate privileges, and download the malware to the infected device. The attackers used a Gzip archive that\r\npretended to be an image file and a Microsoft .NET executable that described itself as an archive file.\r\nOur Threat Research team gathers and analyzes information from multiple open and closed sources before disseminating\r\nintelligence reports. This campaign was researched by Fortinet and shared publicly.\r\nHow to use this article:\r\n1. If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign. \r\n2. Review the product detection table and confirm that your environment is at least on the specified content version.\r\nTo download the latest content versions, go to the Security Updates page.\r\n3. Scroll down and review the \"Product Countermeasures\" section of this article. Consider implementing them if they\r\nare not already in place.\r\n4. Review KB91836 - Countermeasures for entry vector threats.\r\n5. Review KB87843 - Dynamic Application Containment rules and best practices.\r\n6. 
Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence\r\nExchange event.\r\nThreat Hunting\r\nYARA\r\nrule MALWARE_Win_zgRAT {\r\nmeta:\r\nauthor = \"ditekSHen\"\r\ndescription = \"Detects zgRAT\"\r\nstrings:\r\n$s1 = \"file:///\" fullword wide\r\n$s2 = \"{11111-22222-10009-11112}\" fullword wide\r\n$s3 = \"{11111-22222-50001-00000}\" fullword wide\r\n$s4 = \"get_Module\" fullword ascii\r\n$s5 = \"Reverse\" fullword ascii\r\n$s6 = \"BlockCopy\" fullword ascii\r\nhttps://kcm.trellix.com/corporate/index?page=content\u0026id=KB96190\u0026locale=en_US\r\nPage 1 of 4\n\n$s7 = \"ReadByte\" fullword ascii\r\n$s8 = { 4c 00 6f 00 63 00 61 00 74 00 69 00 6f 00 6e 00\r\n00 0b 46 00 69 00 6e 00 64 00 20 00 00 13 52 00\r\n65 00 73 00 6f 00 75 00 72 00 63 00 65 00 41 00\r\n00 11 56 00 69 00 72 00 74 00 75 00 61 00 6c 00\r\n20 00 00 0b 41 00 6c 00 6c 00 6f 00 63 00 00 0d\r\n57 00 72 00 69 00 74 00 65 00 20 00 00 11 50 00\r\n72 00 6f 00 63 00 65 00 73 00 73 00 20 00 00 0d\r\n4d 00 65 00 6d 00 6f 00 72 00 79 00 00 0f 50 00\r\n72 00 6f 00 74 00 65 00 63 00 74 00 00 0b 4f 00\r\n70 00 65 00 6e 00 20 00 00 0f 50 00 72 00 6f 00\r\n63 00 65 00 73 00 73 00 00 0d 43 00 6c 00 6f 00\r\n73 00 65 00 20 00 00 0d 48 00 61 00 6e 00 64 00\r\n6c 00 65 00 00 0f 6b 00 65 00 72 00 6e 00 65 00\r\n6c 00 20 00 00 0d 33 00 32 00 2e 00 64 00 6c 00\r\n6c }\r\ncondition:\r\nuint16(0) == 0x5a4d and all of them\r\n}\r\nThis Knowledge Base article discusses a specific threat that's being tracked. The list of IOCs will change over time; check\r\nTrellix Insights for the latest IOCs.\r\nCampaign IOC\r\nType Value\r\nSHA256 4E4E32F6259B82E6B932AB81172C22560EC2AC46E85543D4851637A63EAACE3E\r\nSHA256 104F88876B4D7C963D47AFA63CFBB516D20E1CF9858D739F9C4023142B223FE2\r\nSHA256 3223AE2C88753CE7268FA02213B76BDAF690AC37EC411EA8B7925C3B31E8822F\r\nSHA256 EEF3295BADA101787AE4F1EBC92E17FC2C6CD8C39389A745C45943A019637CA1\r\nSHA256 A1F59EBE9E8311267D831DA649A8DF44A3D747E9CF75E64A259B2FD917D2F587\r\nDOMAIN sorathlions.com\r\nDOMAIN dhemgldxkv.com\r\nDOMAIN afrocalite.com\r\nURL sorathlions.com/wp-content/Vymxn_Zfbgctbp.jpg\r\nMinimum Content Versions\r\nContent Type Version\r\nV2 DAT (VirusScan Enterprise) 10383\r\nV3 DAT (Endpoint Security) 4835\r\nDetection Summary\r\nIOC Scanner Detection\r\n4E4E32F6259B82E6B932AB81172C22560EC2AC46E85543D4851637A63EAACE3E\r\nAVEngine\r\nV2\r\nGenericRXTL-CU!5A1BB5D7F55F\r\nAVEngine\r\nV3\r\nGenericRXTL-CU!5A1BB5D7F55F\r\nJTI (ATP\r\nRules)\r\n-\r\nRP Static -\r\nRP\r\nDynamic\r\n-\r\nIOC Scanner Detection\r\n104F88876B4D7C963D47AFA63CFBB516D20E1CF9858D739F9C4023142B223FE2\r\nAVEngine\r\nV2\r\nGenericRXTL-CU!5A1BB5D7F55F\r\nAVEngine\r\nV3\r\nGenericRXTL-CU!5A1BB5D7F55F\r\nJTI (ATP\r\nRules)\r\n-\r\nRP Static -\r\nRP\r\nDynamic\r\n-\r\nIOC Scanner Detection\r\n3223AE2C88753CE7268FA02213B76BDAF690AC37EC411EA8B7925C3B31E8822F\r\nAVEngine\r\nV2\r\nGeneric\r\ndownloader.h\r\nAVEngine\r\nV3\r\nGeneric\r\ndownloader.h\r\nJTI (ATP\r\nRules)\r\n-\r\nRP Static -\r\nRP\r\nDynamic\r\n-\r\nIOC Scanner Detection\r\nEEF3295BADA101787AE4F1EBC92E17FC2C6CD8C39389A745C45943A019637CA1\r\nAVEngine\r\nV2\r\nExploit-GBW!132B8725CDEA\r\nAVEngine\r\nV3\r\nExploit-GBW!132B8725CDEA\r\nJTI (ATP\r\nRules)\r\n-\r\nRP Static -\r\nRP\r\nDynamic\r\n-\r\nIOC Scanner Detection\r\nA1F59EBE9E8311267D831DA649A8DF44A3D747E9CF75E64A259B2FD917D2F587\r\nAVEngine\r\nV2\r\nExploit-FYV!80F776694A0B\r\nAVEngine\r\nV3\r\nExploit-FYV!80F776694A0B\r\nJTI (ATP\r\nRules)\r\n-\r\nRP Static -\r\nRP\r\nDynamic\r\n-\r\nSource: https://kcm.trellix.com/corporate/index?page=content\u0026id=KB96190\u0026locale=en_US",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://kcm.trellix.com/corporate/index?page=content\u0026id=KB96190\u0026locale=en_US"
	],
	"report_names": [
		"index?page=content\u0026id=KB96190\u0026locale=en_US"
	],
	"threat_actors": [],
	"ts_created_at": 1775434028,
	"ts_updated_at": 1775791301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a338455f43d7c4bdfbf1ecd8484e78636175c43.pdf",
		"text": "https://archive.orkl.eu/3a338455f43d7c4bdfbf1ecd8484e78636175c43.txt",
		"img": "https://archive.orkl.eu/3a338455f43d7c4bdfbf1ecd8484e78636175c43.jpg"
	}
}