{
	"id": "78694fc5-21fe-47d9-8be8-de1712b3fb65",
	"created_at": "2026-04-06T00:06:19.393784Z",
	"updated_at": "2026-04-10T13:11:28.469964Z",
	"deleted_at": null,
	"sha1_hash": "7c3cf8e515c4647dda07530864f8e1f189586a0d",
	"title": "Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1294993,
	"plain_text": "Dismantling ZLoader: How malicious ads led to disabled security tools\r\nand ransomware | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-04-13 · Archived: 2026-04-05 19:27:01 UTC\r\nAs announced today, Microsoft took action against the ZLoader trojan by working with telecommunications providers\r\naround the world to disrupt key ZLoader infrastructure. We used our research into this threat to enrich our protection\r\ntechnologies and ensure this infrastructure could no longer be leveraged by operators to distribute the trojan or activate\r\ndeployed payloads like ransomware. Moreover, we are sharing this intelligence to emphasize the importance of\r\ncollaboration throughout the larger security community. Below, we will detail the various aspects for identifying a ZLoader\r\ncampaign.\r\nDerived from the Zeus banking trojan first discovered in 2007, ZLoader is a malware family notable for its ability to evolve\r\nand change from campaign to campaign, having undergone much development since its inception. ZLoader has remained\r\nrelevant as attackers’ tool of choice by including defense evasion capabilities, like disabling security and antivirus tools, and\r\nselling access-as-a-service to other affiliate groups, such as ransomware operators. Its capabilities include capturing\r\nscreenshots, collecting cookies, stealing credentials and banking data, performing reconnaissance, launching persistence\r\nmechanisms, misusing legitimate security tools, and providing remote access to attackers.\r\nZLoader campaign operators evolved the malware from a basic banking trojan to a more sophisticated piece of malware\r\ncapable of monetizing compromised devices by selling access to other affiliate groups. 
By leveraging and misusing\r\nlegitimate tools like Cobalt Strike and Splashtop, affiliates gain hands-on-keyboard access to affected devices, which can be\r\nfurther misused for other malicious activities like credential theft or downloading additional payloads, including\r\nransomware. ZLoader has previously been linked to ransomware infections such as Ryuk, DarkSide, and BlackMatter.\r\nZLoader attacks have affected nations around the world, with the majority targeting the US, China, western Europe, and\r\nJapan. Due to the modular nature of some of ZLoader’s capabilities and its constant shifts in techniques, different ZLoader\r\ncampaigns may look nothing alike. Previous campaigns have been fairly simple, with the malware delivered via malicious\r\nOffice macros attached to emails and then used to deploy modules for capabilities. Other, more recent campaigns are notably\r\ncomplex–injecting malicious code into legitimate processes, disabling antivirus solutions, and ultimately culminating in\r\nransomware.\r\nhttps://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/\r\nPage 1 of 15\n\nFigure 1. Heat map of nations affected by ZLoader attacks\r\nZLoader operators have also updated their methodology to frequently deliver the malware through targeted malicious\r\nGoogle Ads. The use of ad fraud is a stealthy way to target end users as it bypasses typical security solutions that can be\r\nfound in email and surfaces itself in normal browser activities instead.\r\nMicrosoft Defender for Endpoint detects malicious behaviors related to this campaign. Enabling cloud protection and\r\nautomatic sample submission for Microsoft Defender Antivirus aids users and organizations in remaining protected on new\r\nand emerging threats. 
Moreover, standardizing the use of the Microsoft Edge browser across all corporate devices and\r\nenabling Microsoft Defender SmartScreen protection blocks malicious sites, such as those connected to ZLoader\r\ncampaigns. \r\nIn this blog post, we characterize the various methods by which a ZLoader campaign might be identified, along with\r\ndetailing detection and mitigation information that can help users reduce the impact of this threat.\r\nZLoader attack chains\r\nZLoader is a malware variant that has evolved over the years and is used for multiple objectives, meaning that two\r\ncampaigns which both use ZLoader may appear completely different. For example, an individual who has experience\r\nresponding to a ZLoader campaign that originated from email and dropped the payload via a malicious Office macro, may\r\nbe shocked at the complexity of a second ZLoader campaign that uses numerous malicious files for reconnaissance and\r\nantivirus tampering, before finally dropping the actual malware payload.\r\nThe following diagram identifies the most common ways the ZLoader trojan has been observed moving through the\r\ndelivery, installation, payload, malware activity, and follow-on activity phases of an attack. This diagram is high-level and\r\nmay not depict every step or file dropped in some of ZLoader’s more complex campaigns.\r\nFigure 2. ZLoader attack flow diagram\r\nDelivery\r\nZLoader malware has been observed being delivered in multiple ways. 
Two of the most prominent methods include\r\nmalicious search engine ads and malicious emails.\r\nMalicious advertisement delivery\r\nIn more recent campaigns, ZLoader has shifted away from using email as a means of delivery and instead used malicious\r\nads on search engines such as Google to trick users into visiting malicious sites.\r\nEach wave of these campaigns impersonated a specific company or product, such as Java, Zoom, TeamViewer, and Discord.\r\nFor the delivery stage of the attack, the actors would purchase Google Ads for key terms associated with those products,\r\nsuch as “zoom videoconference.” Users who performed Google searches for those terms during a specific time would be\r\npresented with an advertisement that led to the form grabbing malicious domains.\r\nIn each instance of this campaign, the actors would compromise legitimate domains that appeared to be owned by\r\nindividuals or small businesses, such as personal blogs. They would then set up subdomains on them that were associated\r\nwith the product they were impersonating during that time. The product-specific subdomain was the second subdomain on\r\nthe domain, while the first subdomain was an extremely long set of words. 
For example:\r\nzoomdownload[.]linkforbusinessandpersonalusersofourserviceinseptember[.]jumpingonwater[.]com\r\nzoomonline[.]forusersinourservicewithbusinessandpersonalcustomers[.]fineanddandiwithrandi[.]com\r\nzoomdownload[.]onlinestartserviceforyourworkstudymeeting[.]indyflat-tax[.]com\r\nzoomdownloadlink[.]zoomdownload[.]onlinesoftwareforpersonalandbusinessusersinseptember[.]lifeintrainingpodcast[.]co\r\nteamviewerdownload[.]fastserviceworkonlinelinkjoininaugustseptermber[.]greenlinefood[.]net\r\nteamviewerdownload[.]directserviceforonlinepersonalandbusinessusersofourservice[.]wahatalrabeeh[.]co\r\nteamviewerstart[.]linkforpersonalandbusinessusersinourservicestartnow[.]ellisclinic[.]com\r\nIn at least one instance of this activity, the compromised webpage was set up to appear as though it was associated with the\r\ncompany Get VoIP, a legitimate service that provides comparisons between various VoIP providers. The attackers did not\r\ncompromise the GetVoIP website or service, rather, they designed the webpage to impersonate the real GetVoIP site.\r\nFigure 3. The compromised domain designed to look like the GetVoIP website\r\nFrom these compromised domains, the users will attempt to download the product being impersonated, which redirects them\r\nto an attacker-owned domain. These domains also pretend to be associated with the legitimate product being impersonated,\r\nand frequently use the .site TLD.\r\nOne example of the chain of redirected domains associated with this activity is:\r\n1. https://adservice.google[.]com, redirects to:\r\n2. zoomdownload.linkforbusinessandpersonalusersofourserviceinseptember.jumpingonwater[.]com, redirects to:\r\n3. zoomvideo[.]site\r\nThe ZLoader operators have tended to use REG.RU, LLC as the registrar for these final .site domains. 
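The naming pattern above is regular enough to check mechanically. The following is an added example (not code from the Microsoft post): a small Python classifier that flags a hostname when its leftmost label names an impersonated product, a later label is an unusually long run of letters with no digits or hyphens, and a registrable domain follows, and that separately flags the two-label product-themed .site hosts used as the final hop. The product list, the 30-character threshold and the two benign hosts are assumptions; the other sample hostnames are the ones listed above.

```python
# Added example, not code from the Microsoft post: a small classifier for the
# hostname pattern described above. PRODUCTS, the label-length threshold and the
# benign sample hosts are assumptions for illustration.
PRODUCTS = ('zoom', 'teamviewer', 'java', 'discord')
MIN_WORDRUN_LEN = 30   # assumption: the observed word-run labels are 40+ characters
MAX_DNS_LABEL = 63     # RFC 1035 label limit; anything longer is malformed

def normalize(host):
    # Accept defanged IOCs ('zoomvideo[.]site') and full URLs; return a bare lowercase hostname.
    h = host.strip().lower().replace('[.]', '.')
    if '://' in h:
        h = h.split('://', 1)[1]
    h = h.split('/', 1)[0].split(':', 1)[0]
    return h.rstrip('.')

def is_wordrun(label):
    # The 'extremely long set of words' label: long, ASCII letters only, no digits or hyphens.
    return len(label) >= MIN_WORDRUN_LEN and label.isascii() and label.isalpha()

def lure_product(label):
    # Leftmost label carries the impersonated product name, e.g. 'zoomdownload'.
    for product in PRODUCTS:
        if label.startswith(product):
            return product
    return None

def classify(host):
    # Returns 'invalid', 'benign', 'attacker-site-pattern:<product>' or
    # 'compromised-host-pattern:<product>'.
    labels = normalize(host).split('.')
    if len(labels) < 2 or any(not l or len(l) > MAX_DNS_LABEL for l in labels):
        return 'invalid'
    product = lure_product(labels[0])
    if product is None:
        return 'benign'
    # Final-hop pattern: a product-themed name directly under .site.
    if len(labels) == 2:
        return 'attacker-site-pattern:' + product if labels[1] == 'site' else 'benign'
    # Compromised-host pattern: product label(s), then one word-run label, then the
    # victim's registrable domain (at least two labels).
    i = 1
    while i < len(labels) - 2 and lure_product(labels[i]):
        i += 1
    if i <= len(labels) - 3 and is_wordrun(labels[i]):
        return 'compromised-host-pattern:' + product
    return 'benign'

def chain_is_suspicious(chain):
    # A redirect chain is flagged when it passes through a compromised-host-pattern
    # hostname and ends on an attacker-site-pattern hostname. The first hop on a
    # legitimate ad-serving domain is expected and is not held against the chain.
    verdicts = [classify(h) for h in chain]
    return (any(v.startswith('compromised-host-pattern') for v in verdicts[:-1])
            and verdicts[-1].startswith('attacker-site-pattern'))

# Hostnames taken from the post, plus two constructed benign ones.
SAMPLE_HOSTS = [
    'zoomdownload[.]linkforbusinessandpersonalusersofourserviceinseptember[.]jumpingonwater[.]com',
    'teamviewerstart[.]linkforpersonalandbusinessusersinourservicestartnow[.]ellisclinic[.]com',
    'zoomvideo[.]site',
    'zoomdownload.example.com',   # constructed: product label but no word-run label
    'www.example.com',            # constructed: no product label
]

if __name__ == '__main__':
    for h in SAMPLE_HOSTS:
        print(classify(h), h)
    print(chain_is_suspicious(['https://adservice.google[.]com', SAMPLE_HOSTS[0], 'zoomvideo[.]site']))
```

Defanged IOCs and full URLs are accepted, so the redirect chain above can be passed as-is; its first hop is a legitimate ad-serving domain and classifies as benign, which is why the chain check looks at the later hops. In practice the product list should track whatever brands are currently being impersonated, and the reputation of the base domain (personal blog, small business) is a separate signal this check does not model.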
Additionally, many of\r\nthe domains used within a single campaign have the registrant contact email in common with each other, making it easy to\r\npivot and find other potentially related domains.\r\nThe final website in this chain downloads the initial malicious .msi file.\r\nEmail delivery\r\nAs with many other malware variants, prior ZLoader campaigns have also been known to use malicious emails to deliver\r\nOffice documents containing malicious macros that download the payload. The ZLoader operators do not have a preferred\r\nmethod of delivering these Office documents and have been observed using both links and attachments in various\r\ncampaigns. Some observed means by which a ZLoader email was associated with a malicious document include:\r\nAttached macro-enabled Microsoft Office document \r\nAttached Excel 4.0 document that contained Hidden Sheets and Very Hidden Sheets to host macros \r\nAttached PDF with link to a macro-enabled Office document \r\nAttached ZIP file that contained a macro-enabled Office document or executable\r\nLink to a Google Docs page with links to a macro-enabled Office document\r\nThe emails have used a variety of lures, which typically convey a sense of urgency. Some of the campaigns used lures based\r\non current events at the time of the campaign, such as COVID-19, or generic lures, such as overdue invoice payments and\r\nfake resumes or CVs. Additionally, most of these emails have been sent from consumer email services—notably AOL.com.\r\nThere have also been campaigns that used domains that are associated with the lure theme; for example, some emails were\r\nsent from a COVID-themed sender domain.\r\nFigure 4. 
A screenshot of a sample email associated with the ZLoader campaign posing as a request for an\r\noverdue invoice.\r\nRegardless of how the operator chooses to deliver the Office document, once the user opens it, they are prompted to enable\r\nmacros to view the content. In various known cases, the malicious macros either directly started to download subsequent\r\npayloads or they dropped a VBS file that in turn performed the download.\r\nIn general, a connection was made to a compromised WordPress instance hosting the PHP code used by the ZLoader kit. At\r\nthis stage, the ZLoader payload was downloaded as a DLL masquerading as an HTML file that is then launched\r\nusing rundll32.exe.  \r\nInstallation\r\nLess complex ZLoader campaigns go straight from the delivery phase to dropping the malicious payload. In more complex\r\nZLoader campaigns, the next phase of the attack shifts to using a legitimate process such as msiexec.exe to download\r\nseveral additional files, including many non-malicious .dll files that are legitimate pieces of whatever software is being\r\nimpersonated at the time. A malicious .bat file is hidden among those .dll files.\r\nIn several instances, these files were added to a folder pretending to be associated with legitimate software, such as Oracle\r\nJava or Brave Browser, using the following pattern as an example: C:\\Program Files (x86)\\Sun Technology Network\\Oracle\r\nJava SE\\[malicious file].\r\nThe .bat file launches PowerShell to reach out to a download domain to drop the ZLoader payload. 
Examples of these\r\ndomains include:\r\nquickbooks[.]pw\r\nsweepcakesoffers[.]com\r\nDatalystoy[.]com\r\nTeamworks455[.]com\r\nClouds222[.]com\r\nIn some campaigns, the attackers used a script to run various discovery commands prior to downloading the ZLoader\r\npayload, including:\r\nipconfig /all\r\nnet config workstation\r\nnet view /all\r\nnet view /all /domain\r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nPayload\r\nOnce the ZLoader payload is on the device, it may drop various modules that provide it with additional functionality, such\r\nas: \r\nCapturing screenshots \r\nCollecting cookies \r\nStealing banking passwords \r\nProviding VNC access to attackers \r\nOperators can choose which of these modules to deliver based on how the malware is configured. In most campaigns, the\r\nmodule files are dropped in subfolders in the AppData folder. Although operators are free to give the subfolders and files\r\narbitrary names, the names Microsoft researchers have actually observed exhibit two patterns:\r\nSets of characters that appear random \r\nConcatenated dictionary words \r\nIn several campaigns, attackers opted not to use these modules and instead used the payload to download an additional\r\nmalicious file. This file was launched and then called back out to the same download domain that the ZLoader payload was\r\ndownloaded from, to download a PowerShell script. The downloaded script checked if the device was workgroup- or\r\ndomain-connected. The PowerShell script then reached out to the command and control (C2) domain and downloaded two\r\nmalicious files—typically an .exe and a .dll. The script used regsvr32.exe to launch the DLL and run a command to time out\r\nfor 200 seconds. 
After this, cmd.exe was used to launch an additional malicious file, which downloads a VBS file that is\r\nloaded by wscript.\r\nFigure 5. Script used for workgroup-joined devices\r\nFigure 6. Script used for domain-joined devices\r\nThese files were used to tamper with security solutions and to grant attackers hands-on-keyboard access.\r\nBrowser credential theft\r\nOne of the main functionalities of ZLoader malware is to steal online credentials targeting banks and financial institutions,\r\nas well as other credentials, via client-side web injection and form grabbing attacks. Web injection allows the attacker to\r\nalter content of the websites displayed to the victim, while form grabbing captures credentials from the browser windows.\r\nTo accomplish those actions, the malware implements an Adversary-in-the-browser (AiTB) attack. \r\nZLoader’s main process, msiexec.exe, spawns several threads running at the same time to perform different tasks. Each of\r\nthese threads communicates with the others using shared data stored in global memory, the system registry, and encrypted\r\nfiles. Threads are spawned that execute functions to install a fake certificate and run a local proxy, while another thread is\r\ninjected and executed inside the loaded browser process, which is responsible for redirecting traffic via the proxy.\r\nA thread runs to traverse the list of running processes and inject code into the target browser processes it discovers. 
ZLoader\r\ntargets the following browser processes:\r\niexplore.exe\r\nfirefox.exe\r\nchrome.exe\r\nmsedge.exe (Microsoft Edge)\r\nThe hook on the TranslateMessage API is the key malware functionality that performs the form grabbing, keylogging, and\r\nscreenshotting of users’ desktops. \r\nFor the target browser processes, the following APIs are hooked for tracking and redirecting network activity and for controlling\r\ncertificate verification. The ZwDeviceIoControlFile hook allows HTTP/HTTPS responses containing web page code\r\nfrom the target to be redirected to the proxy server to be modified. Moreover, with the crypt32.dll functions hooked, any certificate is tagged as valid, so the certificate presented by ZLoader’s local proxy passes the browser’s chain validation. \r\nntdll.dll – ZwDeviceIoControlFile\r\ncrypt32.dll – CertGetCertificateChain, CertVerifyCertificateChainPolicy\r\nAnother thread is responsible for checking instructions and configurations from the C2 servers every 10 minutes. Included in\r\nthe configuration are the list of target banks, financial institutions, and online companies, and the instruction on how to\r\nperform the web injection.\r\nOne of ZLoader’s targets is the Microsoft online sign-in page at https://login.microsoftonline[.]com. Several of Microsoft’s\r\nmain websites, such as office[.]com, redirect users to this Microsoft online page when they try to sign into their Microsoft\r\naccount. When users load their favorite web browser, such as Microsoft Edge, then visit and try to sign into their Microsoft\r\naccount, ZLoader will match the URL to the list of targets. In this case it will match to the first one above and perform the\r\nweb injection by inserting malicious JavaScript code after the string “\u003c/head\u003e” and then rendering to the browser\r\napplication.\r\nFigure 7. 
A screenshot of the fake Microsoft sign-in screen\r\nThe codes injected will insert fake web controls and/or additional JavaScript codes that are responsible for capturing the\r\ncredentials such as usernames, passwords, and others. This captured information is encrypted and sent to the main bot and\r\nthen to the C2 server. With these stolen credentials, the ZLoader operators can potentially gain access to users’ Microsoft\r\nonline account to perform further illicit activities. As the malicious activities occurred in the background, even “tech savvy”\r\nusers may not be aware that their browser was tampered with, and credentials were stolen.\r\nDefense evasion\r\nZLoader has used various methods of defense evasion, focused on attempting to appear more legitimate or by disabling\r\nsecurity tools. In multiple campaigns associated with malicious ads, the ZLoader operators would sign malicious files used\r\nin their attack chain. Signing these files is intended to make them appear to be legitimate, non-malicious files used by real\r\nsoftware, rather than malicious files used by malware.\r\nThe first method ZLoader has used to sign files is by creating fictitious companies. In certain campaigns, the .msi files that\r\nare installed on the device after the user visits a malicious ad are signed by a fictitious company created by the operator for\r\nthe purpose of the campaign. The malware operators created multiple fraudulent companies, such as Flyintellect Inc, and\r\nDatalyst Oy, in several campaigns. 
Due to the way .msi files are designed, the registry keys that are added by this activity\r\nlater in the attack chain are also published by the same company name.\r\nAnother method operators have used to evade detection is a set of techniques that utilize validly-signed files to hide\r\nmalicious scripts through vulnerabilities like CVE-2020-1599, CVE-2013-3900, and CVE-2012-0151.\r\nZLoader operators have also attempted to perform defense evasion by disabling security tools. In many instances, ZLoader\r\nwill drop a file, frequently a .bat file, that then uses PowerShell to turn off and alter security settings, such as excluding all\r\n.dll and .exe files and regsvr32.exe from being scanned.\r\nFigure 8. Some examples of PowerShell commands run during this phase of the attack\r\nPersistence\r\nZLoader has used various persistence methods across separate campaigns. The first method observed by Microsoft Security\r\nResearchers involves the ZLoader DLL using rundll32.exe to register itself. In other documented cases, it also creates the\r\nfollowing persistence mechanisms for itself or its modules: \r\nRegistry entries under HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run \r\nFiles in the Startup folder \r\nIn more recent campaigns, the attackers maliciously used Atera, a legitimate remote monitoring software. While Atera was\r\nnot compromised, attackers leveraged its built-in Splashtop Remote Access capabilities to achieve persistence on the\r\ncompromised device.\r\nObjectives\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned\r\naround the theme of weather. 
ELBRUS is now tracked as Sangria Tempest.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a\r\ncomplete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming\r\ntaxonomy.\r\nAfter establishing persistence, the campaign operators behind ZLoader infections monetize their access to domain-joined\r\ndevices by selling access-as-a-service to other groups, including ransomware affiliates. These groups can then use this\r\naccess for their own goals, including installations of Cobalt Strike, which enables hands-on keyboard activities by the actors.\r\nIn one instance, the VBS downloaded a batch script which connected to a Cobalt Strike C2 via a DLL beacon dropped on\r\nthe device by PowerShell. It was launched via rundll32.exe, with the known Cobalt Strike flag StartW. Reconnaissance\r\nqueries were then run on domain-joined devices, performing actions such as searching for all domain trusts on the network.\r\nWith the use of Cobalt Strike and Splashtop, attackers have hands-on-keyboard access to affected devices that can be\r\nleveraged for subsequent objectives, including credential theft or deployment of additional payloads such as ransomware.\r\nIn the past, ZLoader has been tied to ransomware infections such as Ryuk. We’ve also seen ZLoader operators provide\r\naccess to ELBRUS actors who deployed DarkSide ransomware (earlier in 2021). Those that were more recently observed\r\n
Given such history, the Cobalt Strike payloads might indicate pre-ransomware activities that prefigure a real threat of ransomware attacks.\r\nDefending against ZLoader attacks\r\nThe take down effort against ZLoader is just one of the ways in which Microsoft provides real-world protection against\r\nthreats. This action will result in protection for a wide range of organizations around the world from malware, affiliates with\r\nhands-on-keyboard access, and additional payloads delivered via ZLoader’s infrastructure.\r\nLike many modern malware variants, getting ZLoader onto a device is oftentimes just the first step in what ends up being a\r\nlarger attack. The trojan further exemplifies the trend of common malware increasingly harboring more dangerous threats, a\r\npattern also observed in other platforms. ZLoader operators frequently monetize access from infections by selling it to other\r\naffiliate groups, who then use the purchased access to carry out their own malicious objectives. Affiliates may further misuse\r\nlegitimate tools like Cobalt Strike or Splashtop to gain full hands-on-keyboard access to target devices, enabling attackers to\r\nperform additional discovery, find high-value targets on the network, move laterally, and drop additional payloads, such as\r\nransomware variants.\r\nThe best advice for preventing ZLoader infections is to simply avoid downloading attachments contained in emails from\r\nunknown senders as well as clicking on sponsored ads and links in search engine results, instead opting for unsponsored\r\nresults from verified, trusted sources. 
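Several of the behaviours described on this page show up directly in process-creation telemetry: PowerShell adding Defender exclusions or switching protection off, the burst of ipconfig/net/nltest discovery commands, and rundll32.exe launching a DLL export named StartW. The following is an added example (not code from the Microsoft post) in Python: three simple rules run over constructed sample events. The event fields, host names, command lines and the 60-second window are assumptions.

```python
# Added example, not code from the Microsoft post: three process-creation rules
# for behaviours described on this page, run over constructed sample events.
# Event fields, host names, command lines and the window size are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands listed in the post, in normalised form (lowercase, no '.exe').
DISCOVERY_CMDS = {
    'ipconfig /all', 'net config workstation', 'net view /all',
    'net view /all /domain', 'nltest /domain_trusts', 'nltest /domain_trusts /all_trusts',
}
# Defender cmdlets and parameters that add exclusions or switch protection off.
TAMPER_CMDLETS = ('add-mppreference', 'set-mppreference')
TAMPER_PARAMS = ('-exclusionextension', '-exclusionpath', '-exclusionprocess',
                 '-disablerealtimemonitoring', '-disableioavprotection',
                 '-disablebehaviormonitoring')

def normalize_cmd(cmd):
    # Lowercase, drop '.exe' and collapse whitespace so 'NET.EXE  view /all'
    # compares equal to the form the post lists.
    return ' '.join(cmd.lower().replace('.exe', '').split())

def is_defender_tamper(cmd):
    c = normalize_cmd(cmd)
    return any(k in c for k in TAMPER_CMDLETS) and any(p in c for p in TAMPER_PARAMS)

def is_rundll32_startw(cmd):
    # rundll32 invoking an export named StartW, the Cobalt Strike flag named in the post.
    c = normalize_cmd(cmd)
    return c.startswith('rundll32') and (c.endswith(',startw') or c.endswith(' startw'))

def discovery_bursts(events, window_s=60, min_distinct=3):
    # Flag a (device, parent) pair that runs min_distinct different discovery
    # commands within window_s seconds; a lone 'ipconfig /all' is not reported.
    groups = defaultdict(list)
    for e in events:
        c = normalize_cmd(e['cmd'])
        if c in DISCOVERY_CMDS:
            groups[(e['device'], e['parent'])].append((datetime.fromisoformat(e['ts']), c))
    hits = []
    for (device, parent), items in groups.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {c for ts, c in items[i:] if ts - start <= timedelta(seconds=window_s)}
            if len(seen) >= min_distinct:
                hits.append({'rule': 'discovery-burst', 'device': device, 'parent': parent,
                             'first_seen': start.isoformat(), 'commands': sorted(seen)})
                break   # one report per (device, parent) is enough
    return hits

def run_rules(events):
    hits = []
    for e in events:
        if is_defender_tamper(e['cmd']):
            hits.append({'rule': 'defender-tamper', 'device': e['device'], 'cmd': e['cmd']})
        if is_rundll32_startw(e['cmd']):
            hits.append({'rule': 'rundll32-startw', 'device': e['device'], 'cmd': e['cmd']})
    return hits + discovery_bursts(events)

# Constructed sample telemetry (not real logs): ws01 shows the tamper, discovery and
# beacon sequence; ws02 shows routine activity that must not fire.
SAMPLE_EVENTS = [
    {'ts': '2022-04-01T10:00:00', 'device': 'ws01', 'parent': 'cmd.exe', 'cmd': 'powershell.exe Add-MpPreference -ExclusionExtension dll,exe'},
    {'ts': '2022-04-01T10:00:02', 'device': 'ws01', 'parent': 'cmd.exe', 'cmd': 'powershell.exe Add-MpPreference -ExclusionProcess regsvr32.exe'},
    {'ts': '2022-04-01T10:00:05', 'device': 'ws01', 'parent': 'cmd.exe', 'cmd': 'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true'},
    {'ts': '2022-04-01T10:01:00', 'device': 'ws01', 'parent': 'cmd.exe', 'cmd': 'ipconfig.exe /all'},
    {'ts': '2022-04-01T10:01:03', 'device': 'ws01', 'parent': 'cmd.exe', 'cmd': 'net.exe view /all /domain'},
    {'ts': '2022-04-01T10:01:07', 'device': 'ws01', 'parent': 'cmd.exe', 'cmd': 'nltest.exe /domain_trusts /all_trusts'},
    {'ts': '2022-04-01T10:01:09', 'device': 'ws01', 'parent': 'cmd.exe', 'cmd': 'net.exe config workstation'},
    {'ts': '2022-04-01T10:02:30', 'device': 'ws01', 'parent': 'cmd.exe', 'cmd': 'rundll32.exe upd.dll,StartW'},
    {'ts': '2022-04-01T11:00:00', 'device': 'ws02', 'parent': 'explorer.exe', 'cmd': 'ipconfig.exe /all'},
    {'ts': '2022-04-01T11:30:00', 'device': 'ws02', 'parent': 'explorer.exe', 'cmd': 'rundll32.exe shell32.dll,Control_RunDLL'},
]

if __name__ == '__main__':
    for h in run_rules(SAMPLE_EVENTS):
        print(h)
```

The tamper rule will also fire on legitimate administration, so it belongs alongside the tamper protection setting listed below, which blocks those changes outright rather than merely reporting them. The discovery rule keys on distinct commands within a window rather than on any single command, because a lone ipconfig /all is routine; on real telemetry the command-line normalisation would also need to strip full paths and quoting.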
Good credential hygiene, network segmentation, and similar best practices increase the\r\n“cost” to attackers, helping disrupt their activities before they reach their target.\r\nDefenders can take the following mitigation steps to defend against this threat:\r\nEncourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which\r\nidentifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host\r\nmalware. SmartScreen removes the reputation information for the certificates leveraged during these attacks. Binaries\r\nsigned with those certificates will trigger a warning about an “unrecognized app.”\r\nUse Windows Defender Application Control, AppLocker, or other application control technologies to prevent end\r\nusers from running unapproved software on their computers.\r\nRun the latest version of your operating systems and applications. Deploy the latest security updates as soon as they\r\nbecome available.\r\nUse only official, trustworthy websites and direct download links.\r\nZLoader’s prevalence in the threat landscape demands comprehensive protection capable of detecting and stopping this\r\nmalware, its components, and other similar threats at every stage of the attack chain. Microsoft Defender for Endpoint\r\nprovides next-generation protection that reinforces network security perimeters and incorporates antimalware capabilities to\r\ncatch emerging threats, including ZLoader, Cobalt Strike, additional payloads such as ransomware, and subsequent attacker\r\nbehaviors. 
Moreover, our endpoint detection and response (EDR) capabilities detect ZLoader’s malicious files, behaviors,\r\ndomain connections, and other related events before and after execution.\r\nDefenders can further apply the following mitigations to reduce the environmental attack surface and mitigate the impact of\r\nthis threat and its payloads:\r\nConfigure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and\r\nrewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email\r\nmessages and other locations. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware\r\nprotection in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect\r\nyour organization from malicious links that are used in phishing and other attacks.\r\nConfigure Microsoft Defender for Office 365 to detonate file attachments via Safe Attachments. Safe Attachments\r\nprovides an additional layer of protection for email attachments by verifying a file in a virtual environment prior to\r\ndelivering to the inbox.\r\nCheck your Office 365 antispam policy and your mail flow rules for allowed senders, domains and IP addresses.\r\nApply extra caution when using these settings to bypass antispam filters, even if the allowed sender addresses are\r\nassociated with trusted organizations—Office 365 will honor these settings and can let potentially harmful messages\r\npass through. 
Review system overrides in threat explorer to determine why attack messages have reached recipient\r\nmailboxes.\r\nConfigure Exchange Online to enable zero-hour auto purge (ZAP) in response to newly acquired threat intelligence.\r\nZAP retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been\r\ndelivered to mailboxes.\r\nTurn on network protection to block connections to malicious domains and IP addresses.\r\nTurn on tamper protection features to prevent attackers from stopping security services.\r\nTurn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These\r\ncapabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\r\nTurn on the following attack surface reduction rules to block or audit activity associated with this threat:\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nBlock all Office applications from creating child processes\r\nBlock Office applications from creating executable content\r\nBlock executable content from email client and webmail\r\nBlock Office applications from injecting code into other processes\r\nBlock credential stealing from the Windows local security authority subsystem (lsass.exe)\r\nBlock process creations originating from PsExec and WMI commands\r\nUse advanced protection against ransomware\r\nBlock JavaScript or VBScript from launching downloaded executable content\r\nBlock execution of potentially obfuscated scripts\r\nAppendix\r\nMicrosoft 365 Defender detections\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects threat components as the following malware:\r\nTrojan:Win64/ZLoader\r\nTrojan:Win32/ZLoader\r\nShared malware and generic detections\r\nMicrosoft Defender Antivirus incorporates next-generation antivirus capabilities, including machine learning and behavioral\r\ndetection. 
This can result in overlapping detections, particularly of first-seen components and polymorphic variants. The\r\ndetection names are listed here for reference, but related alerts are not actively monitored.\r\nInstances of Cobalt Strike use can be detected as the following:\r\nBynoco – Cobalt Strike\r\nAtosev – Cobalt Strike\r\nCosipor – Cobalt Strike\r\nMicrosoft Defender for Endpoint EDR\r\nAlerts with the following titles in the security center can indicate threat activity on your network:\r\nSuspicious behavior associated with ZLoader\r\nFile associated with ZLoader\r\nConnection to a domain associated with ZLoader\r\nThe following alerts might also indicate activity associated with this threat. However, unrelated threat activity can trigger\r\nthese alerts.\r\nMicrosoft Defender Antivirus protection turned off\r\nSuspicious Microsoft Defender Antivirus exclusion\r\n‘ZLoader’ malware was detected\r\nSuspicious behavior by cmd.exe was observed\r\nSuspicious PowerShell command line\r\nSuspicious Remote System Discovery\r\nSuspicious Domain Trust Discovery\r\nMicrosoft Defender for Office 365\r\nSignals from Microsoft Defender for Office 365 inform Microsoft 365 Defender, which correlates cross-domain threat\r\nintelligence to deliver coordinated defense, that ZLoader has been detected when a document is delivered via email when\r\ndetonation is enabled. 
These alerts, however, can also be triggered by unrelated threat activity.\r\nA potentially malicious URL click was detected\r\nEmail messages containing malicious file removed after delivery\r\nEmail messages containing malicious URL removed after delivery\r\nEmail messages containing malware removed after delivery\r\nEmail messages removed after delivery\r\nMalware campaign detected after delivery\r\nMalware campaign detected and blocked\r\nMalware not zapped because ZAP is disabled\r\nHunting queries\r\nMicrosoft 365 Defender\r\nTo locate possible exploitation activity, run the following queries:\r\nZLoader alert activity\r\nSurface devices with ZLoader alerts and related malicious activity.\r\n// Get any devices with ZLoader related Alert Activity\r\nlet DeviceAlerts = AlertInfo\r\n| where Title in~('Suspicious behavior associated with ZLoader',\r\n'File associated with ZLoader',\r\n'Connection to a domain associated with ZLoader')\r\n// Join in evidence information\r\n| join AlertEvidence on AlertId\r\n| where DeviceId != \"\"\r\n| summarize by DeviceId, Title;\r\n// Get additional alert activity for each device\r\nAlertEvidence\r\n| where DeviceId in(DeviceAlerts)\r\n// Add additional info\r\n| join kind=leftouter AlertInfo on AlertId\r\n| summarize DeviceAlerts = make_set(Title), AlertIDs = make_set(AlertId) by DeviceId, bin(Timestamp, 1d)\r\nMSHTA-loading DLLs\r\nLook for instances of MSHTA loading suspicious DLL files. Note that the query as published does not reference mshta.exe: it surfaces renamed copies of certutil.exe (binaries whose version-info file description is certutil.exe but whose file name is not, outside installer and Program Files paths), which is a general living-off-the-land hunt rather than an mshta.exe query.\r\nDeviceProcessEvents\r\n| where not(FileName has_any(\"certutil\", \"certutil32\")) and FileName endswith \".exe\" and\r\nProcessVersionInfoFileDescription =~ \"certutil.exe\"\r\n| where not(FolderPath has_any(\"installer\", \"program files\"))\r\nSuspicious registry keys\r\nLook for registry keys created by the fraudulent, attacker-created companies used in this 
campaign.\r\nDeviceRegistryEvents\r\n| where RegistryValueData in('Flyintellect Inc.', 'Datalyst ou')\r\nMalicious .bat file created in fake Oracle Java SE folder path\r\nLook for .bat files created in the Oracle Java SE file path associated with this activity.\r\nDeviceFileEvents\r\n| where FileName endswith '.bat'\r\nand FolderPath has @'Program Files (x86)Sun Technology NetworkOracle Java SE'\r\nTim.exe payload delivery\r\nLook for the Tim.exe payload being downloaded onto an affected device.\r\nDeviceNetworkEvents\r\n| where InitiatingProcessFileName =~ 'powershell.exe'\r\nhttps://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/\r\nPage 14 of 15\n\nand InitiatingProcessCommandLine has('Invoke-WebRequest') and InitiatingProcessCommandLine endswith '-\r\nOutFile tim.EXE'\r\nSource: https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/\r\nhttps://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/"
	],
	"report_names": [
		"dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433979,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c3cf8e515c4647dda07530864f8e1f189586a0d.pdf",
		"text": "https://archive.orkl.eu/7c3cf8e515c4647dda07530864f8e1f189586a0d.txt",
		"img": "https://archive.orkl.eu/7c3cf8e515c4647dda07530864f8e1f189586a0d.jpg"
	}
}