{
	"id": "3c792847-53c3-4cc8-8b9b-627e0895c25d",
	"created_at": "2026-04-06T00:12:19.826581Z",
	"updated_at": "2026-04-10T03:21:06.741416Z",
	"deleted_at": null,
	"sha1_hash": "b3072952e520f77664f1ee2c9edce993638d2044",
	"title": "Zloader Strikes Back",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 477330,
	"plain_text": "Zloader Strikes Back\r\nPublished: 2024-02-14 · Archived: 2026-04-05 13:01:37 UTC\r\nRecently, we came across an update from PolySwarm regarding a new variant of Zloader. Zloader is malware derived from Zeus that has been targeting financial institutions and their customers. This blog gets into the nuances of the new techniques used by this variant.\r\nTechnical Analysis\r\nThe sample imports very few functions, is obfuscated, and the threat actors make sure that it only runs when its filename is “IonPulse.exe”; under any other filename it does not run.\r\nFigure 1: Precheck before running\r\nOnce it has checked that its name is IonPulse.exe, it obtains a handle to Ntdll.dll using CreateFileA. CreateFileA, like the rest of the APIs it calls, is not imported: it is resolved at runtime by hash.\r\nhttps://labs.k7computing.com/index.php/zloader-strikes-back/\r\nFigure 2: Mapping API with hashes\r\nThe function shown in Figure 2 resolves each API by comparing hashes of export names against the hashes embedded in the sample, which is why the import table is almost empty.\r\nFigure 3: CreateFileA\r\nFigure 4: Reading ntdll\r\nIt allocates a buffer with VirtualAlloc and then uses ReadFile to copy the contents of Ntdll.dll into it.\r\nFigure 5: Ntdll.dll copied\r\nThe figure above shows the copied content of Ntdll.dll. Because this copy comes straight from disk, it carries none of the user-mode hooks a security product may have placed in the Ntdll.dll already loaded in the process, so syscall stubs taken from it are clean.\r\nFigure 6: VirtualProtect\r\nAfter copying Ntdll.dll it uses VirtualProtect to change the memory protection of the buffer as needed.\r\nFigure 7: Creating msiexec.exe\r\nIt uses RtlInitUnicodeString and RtlCreateProcessParametersEx to build the parameter structure that NtCreateUserProcess expects, and then invokes the syscall associated with NtCreateUserProcess to start msiexec.exe.\r\nFigure 8: Syscall\r\nIt then allocates memory in msiexec.exe and writes into it, again through a direct syscall rather than the exported Win32 function.
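Direct syscalls defeat user-mode API hooks, but not telemetry that records the results: a process being created, a file appearing, a registry value being set. The behaviour chain this post describes (a loader spawning msiexec.exe, a copy dropped under AppData\Roaming, a Run key pointing at it, and msiexec.exe going to the network) is visible to a Sysmon-style sensor. The following detection logic is an added example, not K7 Labs' detection; the events are constructed to mimic Sysmon event IDs 1, 3, 5, 11 and 13, and the allowlist of normal msiexec.exe parents is an assumption to be tuned per estate.

```python
from collections import defaultdict

# Sysmon event IDs used below
PROCESS_CREATE, NETWORK_CONNECT, PROCESS_TERMINATE, FILE_CREATE, REGISTRY_SET = 1, 3, 5, 11, 13

# Parents from which msiexec.exe is normally started (assumed allowlist)
MSIEXEC_NORMAL_PARENTS = {'services.exe', 'explorer.exe', 'msiexec.exe'}

# Constructed sample events in time order (paths, pids and IP are made up)
SAMPLE_EVENTS = [
    {'id': PROCESS_CREATE, 'pid': 4021, 'image': 'C:\\Users\\victim\\Downloads\\IonPulse.exe',
     'parent_image': 'C:\\Windows\\explorer.exe', 'parent_pid': 1500, 'cmdline': 'IonPulse.exe'},
    {'id': PROCESS_CREATE, 'pid': 4100, 'image': 'C:\\Windows\\System32\\msiexec.exe',
     'parent_image': 'C:\\Users\\victim\\Downloads\\IonPulse.exe', 'parent_pid': 4021, 'cmdline': 'msiexec.exe'},
    {'id': FILE_CREATE, 'pid': 4100, 'target': 'C:\\Users\\victim\\AppData\\Roaming\\IonPulse.exe'},
    {'id': REGISTRY_SET, 'pid': 4100,
     'target': 'HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\IonPulse',
     'details': 'C:\\Users\\victim\\AppData\\Roaming\\IonPulse.exe'},
    {'id': NETWORK_CONNECT, 'pid': 4100, 'dest_ip': '203.0.113.7', 'dest_port': 443},
    {'id': PROCESS_TERMINATE, 'pid': 4021},
    # benign control: msiexec.exe started by the Windows Installer service
    {'id': PROCESS_CREATE, 'pid': 5200, 'image': 'C:\\Windows\\System32\\msiexec.exe',
     'parent_image': 'C:\\Windows\\System32\\services.exe', 'parent_pid': 700,
     'cmdline': 'C:\\Windows\\System32\\msiexec.exe /V'},
]

def basename(path):
    return path.rsplit('\\', 1)[-1].lower()

def under_roaming(path):
    return '\\appdata\\roaming\\' in path.lower()

def detect(events):
    '''Apply the behavioural rules to Sysmon-like events and return (rule, pid) findings.'''
    image_of, parent_of, findings = {}, {}, []
    for ev in events:
        eid, pid = ev['id'], ev['pid']
        if eid == PROCESS_CREATE:
            image_of[pid] = ev['image']
            parent_of[pid] = ev.get('parent_pid')
            if (basename(ev['image']) == 'msiexec.exe'
                    and basename(ev['parent_image']) not in MSIEXEC_NORMAL_PARENTS):
                findings.append(('msiexec_unusual_parent', pid))
        elif eid == FILE_CREATE and under_roaming(ev['target']):
            # self-copy: dropped file named like this process or its parent
            own = basename(image_of.get(pid, ''))
            parent = basename(image_of.get(parent_of.get(pid), ''))
            if basename(ev['target']) in (own, parent):
                findings.append(('self_copy_to_roaming', pid))
        elif (eid == REGISTRY_SET and '\\currentversion\\run\\' in ev['target'].lower()
                and under_roaming(ev.get('details', ''))):
            findings.append(('run_key_points_to_roaming', pid))
        elif eid == NETWORK_CONNECT and basename(image_of.get(pid, '')) == 'msiexec.exe':
            findings.append(('msiexec_network_connect', pid))
    return findings

def chain_score(events, findings):
    '''Count distinct rules per process tree root, so a weak signal on its own
    (msiexec.exe touching the network) only alerts when the rest of the chain is present.'''
    parent_of = {ev['pid']: ev.get('parent_pid') for ev in events if ev['id'] == PROCESS_CREATE}
    def root(pid):
        seen = set()
        while parent_of.get(pid) in parent_of and pid not in seen:
            seen.add(pid)
            pid = parent_of[pid]
        return pid
    by_root = defaultdict(set)
    for rule, pid in findings:
        by_root[root(pid)].add(rule)
    return {r: len(rules) for r, rules in by_root.items()}

if __name__ == '__main__':
    found = detect(SAMPLE_EVENTS)
    for rule, pid in found:
        print(rule, pid)
    print(chain_score(SAMPLE_EVENTS, found))
```

A root score of 3 or more across a single tree is the kind of threshold that keeps the benign msiexec.exe (service-started, no drops, no Run key) from alerting while the full chain lights up.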
The write is performed with the syscall for NtWriteVirtualMemory, the native function that WriteProcessMemory in the Win32 API wraps.\r\nFigure 9: Zloader injected in msiexec.exe\r\nIt then issues another syscall, the one corresponding to NtProtectVirtualMemory, to change the protection of the written region to ‘Execute’. Along with that it uses the syscalls associated with NtGetContextThread, NtSetContextThread and NtResumeThread: it reads the context of the msiexec.exe thread, rewrites it so that execution continues at the injected code, and resumes the thread. In doing so it hijacks the thread.\r\nFigure 10: Loading wininet.dll\r\nThe injected code then loads wininet.dll and ws2_32.dll using LoadLibraryA so that it can connect to the C2.\r\nFigure 11: Self Copy\r\nIt then makes a copy of itself in AppData\\Roaming.\r\nFigure 12: Run Entry\r\nPersistence is ensured through a Run registry entry. msiexec.exe starts connecting to the C2, and IonPulse.exe exits.\r\nFrom this we can see that Zloader has started using direct syscalls for evasion, along with loading a fresh copy of Ntdll.dll from disk.\r\nWe at K7 Labs provide detection for Zloader and all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date to safeguard their devices.\r\nIndicators of Compromise (IOCs)\r\nFileName | Hash (MD5) | Detection Name\r\nIonPulse.exe | 71C72AD0DA3AF2FCA53A729EF977F344 | Trojan ( 005afb2c1 )\r\nReferences\r\nhttps://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night\r\nhttps://captmeelo.com/redteam/maldev/2022/05/10/ntcreateuserprocess.html\r\nSource: https://labs.k7computing.com/index.php/zloader-strikes-back/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/zloader-strikes-back/"
	],
	"report_names": [
		"zloader-strikes-back"
	],
	"threat_actors": [],
	"ts_created_at": 1775434339,
	"ts_updated_at": 1775791266,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3072952e520f77664f1ee2c9edce993638d2044.pdf",
		"text": "https://archive.orkl.eu/b3072952e520f77664f1ee2c9edce993638d2044.txt",
		"img": "https://archive.orkl.eu/b3072952e520f77664f1ee2c9edce993638d2044.jpg"
	}
}