{
	"id": "8484ea83-e7c3-4958-8e22-a5c67df431a1",
	"created_at": "2026-04-10T03:20:45.083399Z",
	"updated_at": "2026-04-10T03:22:18.306272Z",
	"deleted_at": null,
	"sha1_hash": "993f3d709b843c1fcca36da3f08f020eba7ae912",
	"title": "New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1183793,
	"plain_text": "New Zardoor backdoor used in long-term cyber espionage\r\noperation targeting an Islamic organization\r\nBy Cisco Talos\r\nPublished: 2024-02-08 · Archived: 2026-04-10 02:11:38 UTC\r\nThursday, February 8, 2024 08:00\r\nBy Jungsoo An, Wayne Lee and Vanja Svajcer.\r\nCisco Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March\r\n2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously\r\nunreported malware family we have named “Zardoor.” \r\nWe believe an advanced threat actor is carrying out this attack, based on the deployment of the custom\r\nbackdoor Zardoor, the use of modified reverse proxy tools, and the ability to evade detection for several\r\nyears. \r\nThroughout the campaign, the adversary used living-off-the-land binaries (LoLBins) to deploy backdoors,\r\nestablish command and control (C2), and maintain persistence. \r\nAt this time, we have only discovered one compromised target, however, the threat actor’s ability to\r\nmaintain long-term access to the victim’s network without discovery suggests there could be others.\r\nBased on Talos’ and third-party research, the use of reverse proxy tools overlaps with TTPs employed by\r\nseveral threat groups originating from China. Still, we can assess the relations of the new threat actor with\r\nthe existing groups only with low confidence, as open-source tools can be used by any threat actor. The\r\nchoice of the compromised target does not align with the known objectives of any known threat actors\r\noriginating from China.  \r\nhttps://blog.talosintelligence.com/new-zardoor-backdoor/\r\nPage 1 of 14\n\nTalos discovered an ongoing espionage campaign in May 2023 targeting an Islamic charitable non-profit\r\norganization in Saudi Arabia that exfiltrates data approximately twice a month. 
\r\nThe initial access vector is unknown; however, we observed the threat actor executing a malware we are calling the “Zardoor” backdoor to gain persistence. We then observed the threat actor establishing C2 using open-source reverse proxy tools such as Fast Reverse Proxy (FRP), sSocks and Venom, a reverse proxy SOCKS5 server-client tool originally developed for penetration testers.\r\nThe threat actor customized sSocks to remove its dependencies on the Visual C runtime libraries, so the tool relies only on Windows API libraries and can therefore be executed without unexpected runtime errors.\r\nOnce a connection was established, the threat actor used Windows Management Instrumentation (WMI) to move laterally and spread the attacker’s tools, including Zardoor, by spawning processes on the target system and executing commands received from the C2, as seen in the commands below.\r\nExecution flow of the Zardoor backdoor\r\nTo maintain persistence, the attacker deployed a previously unseen backdoor family we have named Zardoor, after the file names “zar32.dll” and “zor32.dll”. “Zar32.dll” is the main backdoor component that communicates with the attacker’s C2, and “zor32.dll” ensures “zar32.dll” has been properly deployed with admin privileges. Talos could not obtain a sample of the dropper used in this specific campaign. However, we found and analyzed other available samples whose execution sequence and filenames are identical to the malicious activity we observed, and which are possibly related to this attack.\r\nBased on our analysis of these matching samples, the execution sequence has two parts:\r\nThe dropper installs and executes the malicious “oci.dll”\r\nThe main purpose of this dropper is to configure “msdtc.exe” to load the malicious “oci.dll” payload. 
Depending on the target OS architecture, the dropper locates either a 32- or 64-bit “oci.dll” and drops it into the system directory C:\\Windows\\System32\\. Then, the dropper attempts to stop the MSDTC service and uses “msdtc.exe” to register the malicious “oci.dll” with admin privileges, using the command msdtc -install.\r\nThe dropper drops a different version of oci.dll based on the OS bitness and deletes itself using a batch file.\r\nHowever, if the MSDTC service fails to stop, the dropper patches the binary of the malicious “oci.dll” file to remove the strings 1ISSYSTEM and 1ISAUTORUN, and saves the patched DLL to the file path %TEMP%\\win_oci_41aa0d5.dll. The absence of these strings later determines where “zar32.dll” and “zor32.dll” are saved on the victim’s computer.\r\nThe threat actor then uses Rundll32 to execute the patched “oci.dll” using this command: C:\\Windows\\System32\\rundll32.exe %TEMP%\\win_oci_41aa0d5.dll MainEntry. The patched “oci.dll” extracts “zar32.dll” and “zor32.dll” into the Temp directory and launches “zar32.dll MainEntry” using “rundll32.exe”. The MSDTC service registers the malicious “oci.dll” with the msdtc -install command.\r\nIf either of these two actions is successful, the dropper configures the MSDTC service to load “oci.dll” and the DLL will be executed. Finally, a cleanup batch script is created and saved to the location %TEMP%\\xz330ksdfg.bat. 
The batch script deletes the dropper and then deletes itself.\r\nMalicious “oci.dll” payload\r\nThe malicious loader “oci.dll” contains the backdoor payloads “zar32.dll” and “zor32.dll” in its resource section. Oci.dll exports two functions: ServiceMain() to launch the backdoor module (“zar32.dll”) and DllEntryPoint() to drop the backdoor onto the victim’s machine.\r\nThe ServiceMain() export is executed by the MSDTC service and launches the export function MainEntry of “zar32.dll” using “rundll32.exe”.\r\nThe DllEntryPoint() function calls the DllMain function, which determines where to write “zar32.dll” and “zor32.dll” by searching for the strings 1ISSYSTEM and 1ISAUTORUN. If the string 1ISSYSTEM is present, DllMain drops “zar32.dll” and “zor32.dll” into the System32 directory. If 1ISSYSTEM is not found, DllMain looks for the string 1ISAUTORUN and, if it exists, drops the two DLLs into the %userprofile% directory. If neither string is found, DllMain drops “zar32.dll” and “zor32.dll” into the %TEMP% directory. After the payloads are saved, the DLLs’ export function MainEntry() is launched via “rundll32.exe”.\r\nThe oci.dll contains two Zardoor components, zar32.dll and zor32.dll, as resources.\r\nTo execute “zar32.dll”, the “oci.dll” export ServiceMain() is executed by “msdtc.exe”, which then loads “zar32.dll” using the command rundll32.exe C:\\WINDOWS\\system32\\zar32.dll MainEntry. 
“Zor32.dll” is subsequently loaded from the same exported method with the command rundll32.exe C:\\WINDOWS\\system32\\zor32.dll MainEntry.\r\nZardoor modules.\r\nAnalysis of the “zar32.dll” and “zor32.dll” backdoor files\r\n“Zar32.dll” is an HTTP/SSL remote access tool (RAT) that is capable of sending encrypted data to the attacker’s C2, executing PE payloads in fileless mode, searching for session IDs, executing shellcode remotely, and updating the C2 IP/hostname or port in memory. “Zar32.dll” contains the hardcoded debug symbol path seen below and has two export functions: MainEntry() and DllEntryPoint().\r\nPDB file path: 'C:\\\\Users\\\\john\\\\Desktop\\\\RManager\\\\x64\\\\Release\\\\R_Run.pdb'\r\nOnce deployed, “zar32.dll” creates three mutexes with the names 3e603a07-7b2d-4a15-afef-7e9a0841e4d5, ThreadMutex12453 and rrx_%d, where the value of %d is a random seed based on the DLL’s time of execution. If the mutex 3e603a07-7b2d-4a15-afef-7e9a0841e4d5 already exists, the DLL exits, because that indicates “zar32.dll” is already running.\r\nTo establish a C2 connection, “zar32.dll” needs a program that allows network applications to operate through a SOCKS or HTTPS proxy. The DLL connects to the following URLs:\r\n1.0.0[.]1/index.html\r\n1.0.0[.]2/index.html\r\n1.0.0[.]3/index.htm\r\nThese IP addresses belong to Cloudflare’s public DNS service, including its DNS-over-HTTPS endpoint, and communication with them may indicate an attempt to evade DNS-based detection of traffic to attacker-controlled C2 servers. 
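The loading chain and C2 behaviour described above, as an added example that is not code from the Talos post: a short Python triage routine replays constructed Sysmon-style process-creation and network-connection events against the Zardoor indicators named in this report (msdtc -install, rundll32.exe launching oci.dll, zar32.dll or zor32.dll through the MainEntry export, msdtc.exe spawning rundll32.exe, and HTTPS from those processes to 1.0.0.1, 1.0.0.2 or 1.0.0.3 with the Trident/7.0 User-Agent). The Event layout, the field names and every sample line are constructed for the example; only the indicator values come from the report.

```python
# Added example, not Talos code: replay constructed Sysmon-style events
# against the Zardoor loading-chain and C2 indicators from the report.
import ntpath
from dataclasses import dataclass

# Indicator values are from the report; field names and samples are constructed.
ZARDOOR_DLLS = ('oci.dll', 'zar32.dll', 'zor32.dll')
ZARDOOR_EXPORT = 'mainentry'
C2_IPS = ('1.0.0.1', '1.0.0.2', '1.0.0.3')      # Cloudflare DNS IPs used as C2
TRIDENT_UA_TAIL = 'trident/7.0; rv:11.0) like gecko'


@dataclass
class Event:
    kind: str            # 'process' or 'network'
    image: str = ''      # full path or basename of the acting process
    parent: str = ''
    cmdline: str = ''
    dst_ip: str = ''
    dst_port: int = 0
    user_agent: str = ''


def exe_name(path):
    # ntpath understands Windows separators on any host OS.
    return ntpath.basename(path).lower()


def match_process(ev):
    cmd = ev.cmdline.lower()
    img, parent = exe_name(ev.image), exe_name(ev.parent)
    hits = []
    if img == 'msdtc.exe' and '-install' in cmd:
        hits.append('msdtc -install: MSDTC reconfigured to load oci.dll')
    if img == 'rundll32.exe' and (
            any(dll in cmd for dll in ZARDOOR_DLLS) or ZARDOOR_EXPORT in cmd):
        hits.append('rundll32 launching a Zardoor DLL via MainEntry')
    if parent == 'msdtc.exe' and img == 'rundll32.exe':
        hits.append('msdtc.exe spawned rundll32.exe (oci.dll ServiceMain)')
    return hits


def match_network(ev):
    hits = []
    if ev.dst_ip in C2_IPS and ev.dst_port == 443:
        # A DNS resolver address contacted on 443 by rundll32/msdtc is not DNS.
        if exe_name(ev.image) in ('rundll32.exe', 'msdtc.exe'):
            hits.append('rundll32/msdtc HTTPS to Cloudflare DNS IP %s' % ev.dst_ip)
        if ev.user_agent.lower().endswith(TRIDENT_UA_TAIL):
            hits.append('zar32.dll Trident/7.0 User-Agent')
    return hits


def scan(events):
    # Returns (event index, description) pairs for every matched indicator.
    findings = []
    for i, ev in enumerate(events):
        hits = match_process(ev) if ev.kind == 'process' else match_network(ev)
        findings.extend((i, h) for h in hits)
    return findings


# Constructed sample telemetry modelled on the chain in the report.
SAMPLE_EVENTS = [
    Event('process', 'C:\\Windows\\System32\\msdtc.exe', 'C:\\Windows\\System32\\services.exe', 'msdtc.exe'),
    Event('process', 'C:\\Windows\\System32\\msdtc.exe', 'C:\\ProgramData\\dropper.exe', 'msdtc -install'),
    Event('process', 'rundll32.exe', 'C:\\ProgramData\\dropper.exe', 'rundll32.exe %TEMP%\\win_oci_41aa0d5.dll MainEntry'),
    Event('process', 'rundll32.exe', 'C:\\Windows\\System32\\msdtc.exe', 'rundll32.exe C:\\WINDOWS\\system32\\zar32.dll MainEntry'),
    Event('process', 'rundll32.exe', 'C:\\Windows\\explorer.exe', 'rundll32.exe shell32.dll,Control_RunDLL'),
    Event('network', 'rundll32.exe', dst_ip='1.0.0.1', dst_port=443,
          user_agent='Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko'),
    Event('network', 'firefox.exe', dst_ip='1.0.0.1', dst_port=443,
          user_agent='Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/122.0'),
]

if __name__ == '__main__':
    for idx, why in scan(SAMPLE_EVENTS):
        print('event %d: %s' % (idx, why))
```

Run as a script it prints one line per matched indicator; in practice the sample list is replaced by events pulled from an EDR or Sysmon export. The parent/child rule is the one that survives a renamed DLL, since it keys on msdtc.exe spawning rundll32.exe rather than on the file names, and the User-Agent check only fires together with the Cloudflare IP check because the Trident/7.0 string is also what legitimate IE11-era clients send.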
\r\n“Zar32.dll” attempts to connect to its C2 server using SSL with the following HTTP User-Agents:\r\n64-bit application: Mozilla/5.0 (Windows NT <os_majorver>.<os_minorver>; Trident/7.0; rv:11.0) like Gecko\r\n32-bit application on 64-bit OS: Mozilla/5.0 (Windows NT <os_majorver>.<os_minorver>; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nOnce a connection is successfully established, “zar32.dll” supports the following C2 commands:\r\n1. Encrypt and send data to C2.\r\n2. Execute remotely fetched PE payload.\r\n3. Search for session ID.\r\n4. (Plugin exit).\r\n5. Remote shellcode execution.\r\n6. Delete this RAT.\r\n7. Update C2 IP (IP/domain_name:port).\r\n8. Do nothing.\r\nZardoor (zar32.dll) C2 routine handles eight different C2 commands.\r\nWe also observed several dependencies in the malware’s execution routine. If “zar32.dll” is running when “zor32.dll” is installed, “zor32.dll” installs the “msdtc.exe” service installer.\r\nIf “zar32.dll” is not running when “zor32.dll” is installed, “zor32.dll” starts the “msdtc.exe” service and attempts to create a mutex with the name 6c2711b5-e736-4397-a883-0d181a3f85ae.\r\nNext, “zor32.dll” checks whether the “oci.dll” file exists and finishes execution if it does not. If “oci.dll” exists, “zor32.dll” attempts to create another mutex with the name 3e603a07-7b2d-4a15-afef-7e9a0841e4d5. The DLL exits if that mutex already exists, indicating “zar32.dll” is running.\r\nIf the mutex does not exist, “zor32.dll” attempts to re-launch “zar32.dll” up to 10 times.\r\nWe also identified “zor32.dll” performing checks to maintain persistence, if the process has admin privileges, using the following procedures:\r\n1. If the MSDTC service is not running, “zor32.dll” configures the MSDTC service with the command msdtc -install. If the installation fails, it keeps trying, up to 10 times.\r\n2. “zor32.dll” attempts to query the MSDTC service status; if this fails, it retries up to 10 times.\r\n3. If the MSDTC service is running, “zor32.dll” attempts to stop it. If this fails, it keeps attempting the install, up to 10 times.\r\n4. If the MSDTC service is not running, “zor32.dll” starts the service.\r\nScheduled tasks to maintain persistence\r\nFor persistence, the threat actor registers their reverse proxies as scheduled tasks, causing the reverse proxy to execute approximately every 20 minutes to communicate with the attacker’s C2 servers. To achieve this, the threat actor first checks whether the victim already has scheduled tasks with the names \"KasperskySecurity\" or \"Microsoft Security Essentialss\". Then, the attacker deletes the legitimate scheduled task and creates a new one with the same name for the proxy “msbuildss.exe”.\r\nTalos observed the threat actor in July 2023 storing the remote server’s public key for future tasks. This lets the threat actor access the remote SSH (Secure Shell) server and set up remote port forwarding, allowing remote servers and devices on the internet to reach devices on the private network.\r\nThe attacker downloads the private SSH key and saves it to the directory c:\\users\\[Redacted]\\.ssh\\ with the filename “id_rsa”. The threat actor also saves the file “known_hosts”, containing the public keys of the hosts that can be accessed using the private key stored in “id_rsa”.\r\nAccording to the commands observed, the threat actor first downloads and checks the contents of the file “2.vbs” to ensure it is the script they would like to execute. 
The “2.vbs” file is responsible for setting up SSH remote port forwarding from port 443 on the victim’s device to port 22 on the attacker’s server, using the user name root. The script verifies that the SSH forwarding has been set up successfully by performing the following steps:\r\n1. netstat -ano | findstr 70.34 is used to find part of the remote IP address 70[.]34[.]208[.]197.\r\n2. The executable “shd.exe” initiates an SSH connection using the username root and the password \"3My[{BK)Ni8a\".\r\n3. Look for a port 443 connection on the victim’s device and kill “ssh.exe” and “shd.exe” using the taskkill utility.\r\nReverse proxy tools used by the threat actor\r\nForward proxies connect devices on a private network to internet services, usually HTTP-based. Reverse proxies, by contrast, allow a computer connected to the internet to create a tunnel and gain remote access to services on the local private network.\r\nReverse proxies are often used as legitimate load balancers in complex system and application architectures. However, malicious actors are using them to establish communications with otherwise unreachable systems such as RDP servers, domain controllers, and file or database servers.\r\nFast Reverse Proxy (FRP)\r\nFast Reverse Proxy (FRP) is a reverse proxy tool that can be used to make network services, often located behind a NAT or firewall, remotely accessible. FRP consists of two main components: the FRP client and the FRP server. The FRP client runs on the internal machine and opens an outbound connection to the FRP server; the server accepts connections from the internet and relays them over that tunnel to the client, which delivers them to the local service. This allows applications running on devices behind the NAT or firewall to be reached from the outside network.\r\nThe FRP server listens on port 7000 by default, although the port can be configured per the user’s needs. A basic setup involves installing the FRP server on a host with a public IP, and the FRP client on the machine you want to expose. The client and server are each configured via their own INI configuration file (recent FRP releases also accept TOML). Once the client and server are appropriately configured and started, services on the client’s machine are reachable via the server’s public IP and the specified ports.\r\nFRP components and the basic usage.\r\nFast Reverse Proxy (FRP) has been reported to be used by several, predominantly Chinese, threat actors to bypass network security measures and maintain persistence within a compromised network. By leveraging FRP, these threat actors can create a tunnel from a machine within the compromised network to an external server under their control. This allows them to exfiltrate data, deploy additional malicious tools, or carry out other activities while evading detection.\r\nThe use of FRP, a legitimate and widely used tool, makes the malicious traffic harder to distinguish from normal network traffic, thereby increasing the stealthiness of the attack. However, the presence of an FRP client in an environment where FRP is not typically used may be a good indicator of potential compromise.\r\nVirusTotal uploads for the FRP client executables.\r\nFRP is a popular tool and has been increasingly used by threat actors, based on the increase in VirusTotal submissions of FRP tools over the past few years.\r\nVenom proxy\r\nVenom is a multi-hop proxy written in Go and designed for red teaming and pentesting. It allows the user to create a network of proxy nodes, each acting as either an admin or an agent. An agent connects either to another agent or to the admin node. The user controls the network through the administration node and can easily add additional agents to the network. 
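The FRP setup and the scheduled-task persistence described above, as an added example that is neither Talos code nor part of the FRP project: a Python triage helper parses a legacy frpc INI file found on a host, reports which internal services it exposes on the attacker’s server (and whether a socks5 plugin turns the tunnel into a pivot into the network), and checks scheduled-task rows for the two security-product names the actor reused. The frpc.ini contents, the server address 203.0.113.10, the task rows and the expected vendor binaries (avp.exe, msseces.exe) are constructed or assumed for the example; the task names, the proxy binary msbuildss.exe and the default server port 7000 come from the report.

```python
# Added example, not Talos or FRP project code: triage the reverse-proxy
# persistence stage, i.e. a legacy frpc INI config found on a host plus the
# scheduled-task names the actor reused for the proxy binary.
import configparser
import ntpath

FRP_DEFAULT_SERVER_PORT = 7000

# Task names are from the report; the binaries they are expected to launch
# are an assumption for the example (real vendor paths vary by install).
IMPERSONATED_TASKS = {
    'kasperskysecurity': 'avp.exe',
    'microsoft security essentialss': 'msseces.exe',
}

# Constructed frpc.ini modelled on the documented legacy FRP INI format.
SAMPLE_FRPC_INI = '''
[common]
server_addr = 203.0.113.10
server_port = 7000
tls_enable = true

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000

[dc_ldap]
type = tcp
local_ip = 10.0.0.5
local_port = 389
remote_port = 6389

[socks]
type = tcp
remote_port = 1080
plugin = socks5
'''

# Constructed (task name, command) rows as schtasks /query would list them.
SAMPLE_TASKS = [
    ('KasperskySecurity', 'C:\\ProgramData\\Microsoft\\msbuildss.exe'),
    ('Microsoft Security Essentialss', 'C:\\ProgramData\\Microsoft\\msbuildss.exe'),
    ('OneDrive Standalone Update Task', 'C:\\Program Files\\OneDrive\\OneDriveStandaloneUpdater.exe'),
]


def parse_frpc(text):
    # Returns the server the client dials out to and the tunnels it offers.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    common = cp['common'] if cp.has_section('common') else {}
    server = {
        'addr': common.get('server_addr', '0.0.0.0'),
        'port': int(common.get('server_port', FRP_DEFAULT_SERVER_PORT)),
        'tls': str(common.get('tls_enable', 'false')).lower() == 'true',
    }
    tunnels = []
    for name in cp.sections():
        if name == 'common':
            continue
        sec = cp[name]
        tunnels.append({
            'name': name,
            'type': sec.get('type', 'tcp'),
            'plugin': sec.get('plugin', ''),
            'local': (sec.get('local_ip', '127.0.0.1'), int(sec.get('local_port', 0))),
            'remote_port': int(sec.get('remote_port', 0)),
        })
    return server, tunnels


def triage_frpc(text):
    # Human-readable notes: where the tunnel goes and what it exposes.
    server, tunnels = parse_frpc(text)
    notes = ['frpc dials out to %s:%d (tls=%s)' % (server['addr'], server['port'], server['tls'])]
    if server['port'] == FRP_DEFAULT_SERVER_PORT:
        notes.append('server uses the FRP default port %d' % FRP_DEFAULT_SERVER_PORT)
    for t in tunnels:
        if t['plugin'] == 'socks5':
            notes.append('%s: SOCKS5 pivot into the internal network on server port %d' % (t['name'], t['remote_port']))
        else:
            notes.append('%s: internal %s:%d reachable on server port %d' % (t['name'], t['local'][0], t['local'][1], t['remote_port']))
    return notes


def suspicious_tasks(rows):
    # Flags tasks carrying a security-product name but launching something else.
    flagged = []
    for name, command in rows:
        expected = IMPERSONATED_TASKS.get(name.lower())
        actual = ntpath.basename(command).lower()
        if expected is not None and actual != expected:
            flagged.append((name, actual))
    return flagged


if __name__ == '__main__':
    for line in triage_frpc(SAMPLE_FRPC_INI):
        print(line)
    for name, binary in suspicious_tasks(SAMPLE_TASKS):
        print('task %s runs %s' % (name, binary))
```

The socks5 plugin case matters most in triage: a plain tcp tunnel exposes one service, whereas a SOCKS5 proxy on the attacker’s server gives them routed access to anything the compromised host can reach, which is how the RDP servers, domain controllers and database servers mentioned above become reachable.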
\r\nVenom allows the user, who could also be a malicious actor, to create a botnet of proxies that can be used to remotely control the nodes, exfiltrate data, install additional payloads, etc.\r\nThe Venom features are:\r\nMulti-hop socks5 proxy.\r\nMulti-hop port forwarding.\r\nSSH tunneling.\r\nInteractive shell.\r\nUploading and downloading files.\r\nNetwork traffic encryption.\r\nSupport of multiple platforms (Linux/Windows/MacOS) and multiple architectures (x86/x64/ARM/MIPS).\r\nOther reverse proxy tools and their usage by threat actors\r\nIn addition to FRP and Venom, threat actors, predominantly originating from China, use several other tools that support reverse proxying, based on previous Talos research and available open-source threat intelligence. The most common are:\r\nHTran (lcx)\r\nsSocks\r\nEarthworm (ew)\r\niox\r\nNATBypass\r\nNPS\r\nRsocx\r\nGo socks5\r\nRegeorg\r\nWe have also created a matrix that displays the active threat groups and the proxy tools they are using. Talos assesses with low confidence that the existence of one or more of these tools on a compromised system may indicate the activity of a particular group, as the tools are easily reusable and can be employed by any malicious actor.\r\nProxy tools and the threat actors utilizing them.\r\nZardoor attacks conducted by an advanced threat actor\r\nTalos assesses this campaign was conducted by an unknown and advanced threat actor. We have not been able to attribute this activity to any known, publicly reported threat actor at this time, as we have not found any overlap between the tools or C2 infrastructure observed in this campaign and those of known groups.\r\nThe threat actor appears highly skilled based on their ability to create new tooling, such as the Zardoor backdoors, customize open-source proxy tools, and leverage several LoLBins, including “msdtc.exe”, to evade detection. In particular, side-loading backdoors contained in “oci.dll” via MSDTC is a very effective method of remaining undetected while maintaining long-term access to a victim’s network.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 
\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 61913, 61914 and 62371 - 62380.\r\nThe following ClamAV signatures have been released to detect malware artifacts related to this threat:\r\nWin.Backdoor.Zardoor-10019732-0\r\nWin.Backdoor.ZardoorVMP-10019731-0\r\nWin.Backdoor.sSocksProxy-10019733-0\r\nWin.Backdoor.VenomProxy-10019734-0\r\nMITRE ATT&CK Techniques\r\nCommand and Control\r\nT1090.003 Proxy: Multi-hop Proxy\r\nT1105 Ingress Tool Transfer\r\nDiscovery\r\nT1018 Remote System Discovery\r\nT1033 System Owner/User Discovery\r\nT1049 System Network Connections Discovery\r\nT1057 Process Discovery\r\nT1087.002 Account Discovery: Domain Account\r\nPersistence\r\nT1053.005 Scheduled Task/Job: Scheduled Task\r\nT1574.002 Hijack Execution Flow: DLL Side-Loading\r\nExecution\r\nT1047 Windows Management Instrumentation\r\nT1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nT1204.002 User Execution: Malicious File\r\nT1574.002 Hijack Execution Flow: DLL Side-Loading\r\nExfiltration\r\nT1048 Exfiltration Over Alternative Protocol\r\nPrivilege Escalation\r\nT1055 Process Injection\r\nT1574.002 Hijack Execution Flow: DLL Side-Loading\r\nDefense Evasion\r\nT1055.001 Process Injection: Dynamic-link Library Injection\r\nT1070.004 File Deletion\r\nT1574.002 Hijack Execution Flow: DLL Side-Loading\r\nIOCs\r\nIOCs for this research can also be found in our GitHub repository here.\r\nSource: https://blog.talosintelligence.com/new-zardoor-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/new-zardoor-backdoor/"
	],
	"report_names": [
		"new-zardoor-backdoor"
	],
	"threat_actors": [],
	"ts_created_at": 1775791245,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/993f3d709b843c1fcca36da3f08f020eba7ae912.pdf",
		"text": "https://archive.orkl.eu/993f3d709b843c1fcca36da3f08f020eba7ae912.txt",
		"img": "https://archive.orkl.eu/993f3d709b843c1fcca36da3f08f020eba7ae912.jpg"
	}
}