{
	"id": "59bf5179-fcba-49f6-a9c4-61ac5ff8e197",
	"created_at": "2026-04-06T00:09:48.119132Z",
	"updated_at": "2026-04-10T13:11:44.429305Z",
	"deleted_at": null,
	"sha1_hash": "b308da5af4abc3dfa22ad54f1d2292e111976db8",
	"title": "ZLoader Loads Again: New ZLoader Variant Returns | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1254327,
	"plain_text": "ZLoader Loads Again: New ZLoader Variant Returns | Proofpoint US\r\nBy Dennis Schwarz, Matthew Mesa, and the Proofpoint Threat Research Team\r\nPublished: 2020-05-21 · Archived: 2026-04-05 14:07:11 UTC\r\nIn December 2019, Proofpoint researchers observed email campaigns widely distributing a new version of\r\nthe ZLoader banking malware, which appears to be under active development. We have seen over 100 campaigns since\r\nJanuary 1, 2020 with recipients in the United States, Canada, Germany, Poland, and Australia. The fraudulent email lures\r\ninclude a variety of subjects, including COVID-19 scam prevention tips, COVID-19 testing, and invoices.\r\nZLoader, a variant of the infamous Zeus banking malware, has been around since 2006. It is a typical banking malware that\r\nmakes use of webinjects to steal credentials and other private information from users of targeted financial institutions. The\r\nmalware can also steal passwords and cookies stored in victim’s web browsers. With the stolen information in hand, the\r\nmalware can use the VNC (Virtual Network Computing) client it downloads to allow threat actors to connect to the victim’s\r\nsystem and make illicit financial transactions from the banking user’s legitimate device. \r\nAlmost two years after ZLoader’s last activity in 2018, we started observing campaigns using a new banking\r\nmalware that exhibited functionality and network traffic similar to the original 2016-2018 ZLoader. However, during our\r\nanalysis we noticed that it was missing the code obfuscation, string encryption, and a few other advanced features of the\r\noriginal ZLoader. Hence, the new malware does not appear to be a continuation of the 2018 strain, but likely a fork of an\r\nearlier version.\r\nIn this post, we analyze the new malware version and provide several examples of the most\r\ninteresting email campaigns spreading it. 
We will continue to track this new malware as a “ZLoader variant” which\r\nhas caught on in the wider community.\r\nBackground \r\nFrom June 2016 to February 2018, a banking malware known as ZLoader (also known as DELoader or Terdot) spread in the\r\nwild. The letter “Z” in its name was given because it is a variant of the Zeus malware. The “loader” part of its name is due to\r\nits distinguishing feature: it was distributed as a downloader component, which would download and run the main banking\r\nmalware component and other modules from its command and control (C\u0026C) server. \r\nWhile there were multiple threat actors using the malware at the time, TA511 (Hancitor) was one of the most prevalent. In\r\napproximately November 2017, TA511 switched from ZLoader to Panda Banker. Other threat actors started following suit\r\nand switched away from ZLoader to other malware. The last email campaign we saw using the original ZLoader was in\r\nFebruary 2018. \r\nMalware Analysis\r\nVersion History \r\nThis ZLoader variant is in active development. We have seen 25 versions released since the first one (1.0.2.0) was spotted in\r\nthe wild in December 2019. As can be seen in Table 1, about 1-2 new versions have been released each week: \r\nMonth  Versions \r\nDecember 2019  1.0.2.0, 1.0.4.0, 1.0.5.0, 1.0.6.0, 1.0.7.0, 1.0.8.0, 1.0.9.0 \r\nJanuary 2020  1.0.10.0, 1.0.10.1, 1.011.1, 1.0.12.0, 1.0.13.0, 1.0.14.0 \r\nFebruary 2020  1.0.15.0, 1.0.16.0, 1.0.17.0, 1.0.18.0 \r\nMarch 2020  1.1.18.0, 1.1.19.0, 1.1.20.0, 1.1.21.0, 1.1.22.0 \r\nApril 2020  1.2.22.0, 1.2.23.0 \r\nMay 2020  1.2.24.0\r\nTable 1 ZLoader versions in the wild\r\nhttps://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns\r\nPage 1 of 14\n\nAt the time of writing, version 1.2.24.0 was the latest release and it was spotted in the wild in May 2020. 
\r\nAnti-Analysis \r\nZLoader employs several anti-analysis mechanisms to make it more difficult to detect and reverse engineer.\r\nThese include junk code, constant obfuscation, Windows API function hashing, encrypted strings, and C\u0026C blacklisting. An\r\nexample of junk code and constant obfuscation can be seen in Figure 1: \r\nFigure 1 Example of junk code and constant obfuscation\r\nThis function returns the version of the malware as a DWORD (0x1021600) by XORing two hardcoded constants\r\n(0x21F89813 and 0x20FA8E13). The rest of the code is superfluous and is used to distract the analyst. \r\nAnother anti-analysis mechanism is Windows API (Application Programming Interface) function hashing. A Python\r\nimplementation of the hashing algorithm is available on our GitHub. Table 2 lists some example Windows\r\nAPI functions and their hash values: \r\nWindows API Function  Hash Value \r\nExitProcess  0x7F96C13 \r\nInternetConnectA  0xAE775E1 \r\nInternetReadFile  0x7E90205 \r\nCryptHashData  0x23ED221 \r\nTable 2 Example Windows API functions and their hash value\r\nThe next anti-analysis mechanism is the encryption of strings. Most of ZLoader’s important strings are encrypted using\r\nXOR and a hardcoded string (e.g. “7Gl5et#0GoTI5VV94”). An example IDAPython script to decrypt strings in the sample\r\nwe analyzed is available on our GitHub. \r\nThe last anti-analysis measure we will mention is not built into the malware client but implemented in the C\u0026C\r\nserver instead. While it varies based on the campaign, we noticed aggressive blacklisting of sandboxes and malware analysis\r\nsystems and significant blocking based on geography of the connecting source IP address. \r\nConfiguration \r\nZLoader continues the Zeus tradition of using a data structure known as the “BaseConfig” to store\r\nits initial configuration. 
Figure 2 shows an example of the BaseConfig decryption function: \r\nFigure 2 Example of a BaseConfig decryption function\r\nIt uses RC4 with a hardcoded key (e.g. “quxrfjxtmedqretawrxg”). An example plaintext config is shown in Figure 3: \r\nFigure 3 Example of a plaintext BaseConfig\r\nThe plaintext data is interpreted as a binary structure and includes: \r\nDWORD used in C\u0026C communications (e.g. 0x83) \r\nBotnet name (e.g. “1”) \r\nCampaign name (e.g. “07/04”) \r\nUp to 10 C\u0026C URLs (e.g. “hxxps://xyajbocpggsr\\.site/wp-config.php” and “hxxps://ooygvpxrb\\.pw/wp-config.php”) \r\nRC4 key used in C\u0026C communications (e.g. “41997b4a729e1a0175208305170752dd”) \r\nMiscellaneous timeouts and flags \r\nCommand and Control \r\nZLoader uses HTTP(S) POST requests for command and control. The POST data is encrypted in two layers. The\r\nfirst layer is RC4 using the key from the BaseConfig. The second layer is an XOR-based encryption typical in Zeus variants\r\nknown as “Visual Encrypt.” \r\nThe plaintext data is structured using a traditional Zeus data structure known as “BinStorage.” BinStorage consists\r\nof a header and a variable number of data items. The header is 48 bytes in size and contains:\r\nRandom data (20 bytes) \r\nSize of data items (DWORD) \r\nFlags (DWORD) \r\nNumber of data items (DWORD) \r\nMD5 hash of data items (16 bytes) \r\nEach data item starts with a 16-byte header containing: \r\nId (DWORD) -- also known as “CFGID” \r\nFlags (DWORD) \r\nSize of data (compressed) (DWORD) -- ZLoader does not use compression \r\nSize of data (uncompressed) (DWORD) \r\nThe response data is encrypted similarly to requests. Once decrypted, it also typically uses the BinStorage structure. We\r\nwill look at three requests: initial “hello,” main component download, and configuration update. 
\r\nInitial “hello” Request \r\nThe initial “hello” request contains a BinStorage with the data items from Table 3: \r\nCFGID  Data \r\n10029  DWORD value from the BaseConfig \r\n10002  Botnet string from the BaseConfig \r\n10001  Bot ID \r\n10022  Flag from BaseConfig indicating whether this is a debug version \r\n10006  Hardcoded 0x0 (DWORD) \r\nTable 3 Initial “hello” request BinStorage\r\nAn affirmative response from the C\u0026C server to the “hello” request is an empty BinStorage. \r\nModule Request \r\nThe “loader” component of ZLoader downloads the main component using a BinStorage described in Table 4:\r\nCFGID  Data \r\n10029 - 10022  The same as the “hello” request in Table 3 above \r\n11014  Module ID (32-bit main component is ID 1006) \r\n11015  Module Version (typically the same as the malware version) \r\nTable 4 Module request BinStorage\r\nThe main component also uses this request to download additional modules for various pieces of functionality. Modules\r\ninclude OpenSSL, SQLite, Zlib, Certutil, and VNC.\r\nA module response is encrypted and formatted differently from the other responses. It is only RC4 encrypted using the key\r\nfrom the BaseConfig. Once decrypted it contains a 21-byte header followed by a PE file. The header contains: \r\nModule ID (DWORD) \r\nModule Version (DWORD) \r\nUnknown (DWORD) \r\nModule length (DWORD) \r\nModule CRC32 checksum (DWORD) \r\nUnknown (BYTE) \r\nConfiguration Update Request \r\nThe last request we’ll look at is the configuration update request: this is generally known as the “DynamicConfig” in Zeus’\r\nparlance. 
It uses a BinStorage containing the items from Table 5: \r\nCFGID  Data \r\n10029 - 10022  The same as the “hello” request in Table 3 above \r\n10012  Windows version and architecture \r\n10003  Malware version \r\n10023  Process integrity level \r\n10024  Number of monitors \r\n10016  IPv4 address \r\n10025  BaseConfig campaign name \r\n10026  MD5 hash of loader component \r\n10020  Running process list \r\n10027  Time zone \r\nTable 5 Configuration update request\r\nDynamicConfigs include a variety of data including: \r\nAdditional C\u0026C URLs \r\nCommands to execute \r\nuser_execute – download and execute \r\nbot_uninstall – remove self \r\nuser_cookies_get – steal cookies from web browsers \r\nuser_cookies_remove – remove cookies from web browsers \r\nuser_passwords_get – steal passwords \r\nuser_files_get – steal files \r\nuser_url_block – block access to URL \r\nuser_url_unblock – unblock access to URL \r\nWebinjects (see Figure 4) \r\nUsed in conjunction with Zeus’ person-in-the-browser mechanism to manipulate and steal user credentials and other\r\ndata from financial websites (typically) \r\nFigure 4 Example snippet of a parsed webinject\r\nDomain Generation Algorithm \r\nStarting in version 1.1.22.0 (March 2020), a backup domain generation algorithm (DGA) was added. If ZLoader is unable to\r\nconnect to the C\u0026Cs from the BaseConfig or DynamicConfig, it will generate 32 “.com” domains to try. The DGA uses\r\nthe BaseConfig RC4 key to encrypt the current date as a starting seed. This seed is used with a basic hashing algorithm to\r\ngenerate 20 lowercase letters. A Python implementation of the algorithm is available on our GitHub. 
Table 6 shows the first\r\nfew DGA generated domains for the analyzed sample on April 8, 2020: \r\nctmaetpfoecphxxqlgfk\\.com \r\nirtdojdrlgodkgfkyxab\\.com \r\nmtpfmkyxaaceblyjlwxv\\.com \r\nvrwuosfciqjcgvvrliup\\.com \r\nsdauiqukokclpxtpirkh\\.com \r\nTable 6 Example DGA generated domains from April 8, 2020\r\nCampaign Analysis \r\nSince we started observing the new variant in December 2019, it has become popular and widespread. At the time of\r\nwriting, we are documenting at least one ZLoader campaign per day by a variety of actors primarily targeting organizations\r\nin the United States, Canada, Germany, Poland, and Australia. Below are examples of campaigns that delivered ZLoader in\r\nthe past few months. \r\nOn December 6th, 2019, we observed an email campaign that purported to deliver an invoice (Figure 5).\r\nFigure 5 Example email used in December 6, 2019 campaign\r\nThe messages contained PDF attachments (Figure 6) that utilized the branding of several invoicing software companies.\r\nFigure 6 Example PDF used in December 6, 2019 campaign\r\nThe PDFs contained URLs linking to a Microsoft Word document (Figure 7). The document utilized macros to download\r\nand execute ZLoader version “1.0.2.0.” Each of the downloads was filtered by Keitaro TDS (Traffic Distribution\r\nSystem) to hinder automated analysis.\r\nFigure 7 Example document used in December 6th, 2019 campaign\r\nOn March 30, 2020, we observed an email campaign that utilized multiple lures (Figure 8) that “warn” the user of various\r\nCOVID-19 scams. 
\r\nFigure 8 Example email used in March 30, 2020 campaign\r\nThese emails contained URLs linking to a landing page that presents a CAPTCHA challenge (Figure 9) before linking to the\r\ndownload of a Microsoft Word Document (Figure 10). The document contained macros that, if enabled, would then\r\ndownload ZLoader version “1.1.21.0.” \r\nFigure 9 Example CAPTCHA used in March 30, 2020 campaign\r\nFigure 10 Example document used in March 30, 2020 campaign\r\nOn April 4, 2020, we observed an email campaign (Figure 11) that contained a message about a family member, colleague,\r\nor neighbor who contracted COVID-19, and supposedly provided information on where to get tested.\r\nFigure 11 Example email used in April 4th, 2020 campaign\r\nThe emails contained password-protected Excel sheets (Figure 12). The sheet utilized Excel 4.0 macros to download and\r\nexecute ZLoader version “1.1.22.0.”\r\nFigure 12 Example spreadsheet used in April 4, 2020 campaign\r\nConclusion \r\nThis post has analyzed the latest Zeus banking malware variant and some of the campaigns we have seen spreading it. It\r\nuses typical banking malware functionality such as webinjects, password and cookie theft, and access to devices via VNC\r\nto steal credentials, personally identifiable information, and ultimately money from targets. The Zeus banking malware and\r\nits descendants have been a staple in the cybercrime landscape since 2006. 
From Zeus to Citadel, Ice\r\nIX, Murofet, Gameover, ZLoader, KINS, Flokibot, Chthonic, Panda Banker, and back to ZLoader again.\r\nIndicators of Compromise \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns"
	],
	"report_names": [
		"zloader-loads-again-new-zloader-variant-returns"
	],
	"threat_actors": [
		{
			"id": "1f6ae238-765f-4495-9d54-6a7883d7a319",
			"created_at": "2022-10-25T16:07:24.573456Z",
			"updated_at": "2026-04-10T02:00:05.037738Z",
			"deleted_at": null,
			"main_name": "TA511",
			"aliases": [
				"MAN1",
				"Moskalvzapoe"
			],
			"source_name": "ETDA:TA511",
			"tools": [
				"Agentemis",
				"Chanitor",
				"Cobalt Strike",
				"CobaltStrike",
				"Ficker Stealer",
				"Hancitor",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "542cf9d0-9c68-428c-aff8-81b6f59dc985",
			"created_at": "2023-02-15T02:01:49.554105Z",
			"updated_at": "2026-04-10T02:00:03.347115Z",
			"deleted_at": null,
			"main_name": "Moskalvzapoe",
			"aliases": [
				"MAN1",
				"TA511"
			],
			"source_name": "MISPGALAXY:Moskalvzapoe",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434188,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b308da5af4abc3dfa22ad54f1d2292e111976db8.pdf",
		"text": "https://archive.orkl.eu/b308da5af4abc3dfa22ad54f1d2292e111976db8.txt",
		"img": "https://archive.orkl.eu/b308da5af4abc3dfa22ad54f1d2292e111976db8.jpg"
	}
}