{
	"id": "15d0820b-2306-4f68-adb0-04d38be7c9fd",
	"created_at": "2026-04-06T00:17:14.793904Z",
	"updated_at": "2026-04-10T13:11:51.704602Z",
	"deleted_at": null,
	"sha1_hash": "cba35c7bb0d347f5d2bd5fb62c6b17638e7a4ab3",
	"title": "Java Plug-Ins Delivering Zloader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 330656,
	"plain_text": "Java Plug-Ins Delivering Zloader\r\nPublished: 2021-06-23 · Archived: 2026-04-05 22:35:26 UTC\r\nFake plug-ins delivering malware are not new to the cyber security community, but the modules used to deliver the malware, and the malware itself, vary depending on what is trending. As long as naive users exist, this initial vector will continue to succeed in fooling them. In this blog, we look at how threat actors used a fake porn site to deliver the Zloader malware through a fake Java plug-in. Figure 1 shows how the fake porn site urges users to update their Java plug-in in order to play the requested video.\r\nFigure 1: Fake Java plug-in installer\r\nWhen downloaded and executed, the fake Java plug-in is installed under C:\\Program Files (x86)\\Microsoft Corporation\\Windows Security Update\\j_service.exe, as depicted in Figure 2. It also gives users the option to uninstall the plug-in from the Control Panel. In some cases, it is instead installed as C:\\program files (x86)\\sun technology network\\oracle java se\\j_service.exe.\r\nhttps://labs.k7computing.com/?p=22458\r\nPage 1 of 8\r\nFigure 2: Installation directory\r\nj_service.exe, marked in Figure 2, is the downloader module that fetches Zloader onto the system. NSudo.exe, also marked in Figure 2, is a system management toolkit developed by M2Team that launches any application with full administrator privileges; further information about the tool can be found at hxxps[:]//nsudo.m2team[.]org/zh-hans/. The setup.bat file contains a sequence of commands to disable, stop and remove Windows components such as Windows Defender, as depicted in Figure 3.\r\nFigure 3: setup.bat\r\nAfter successful installation, java.msi starts the j_service.exe process. j_service.exe is not itself responsible for downloading Zloader; instead it loads another DLL named AccessibleHandler.dll and creates a new thread to execute it. AccessibleHandler.dll first checks the region locale to decide whether to continue execution or terminate. It converts the code page language to the corresponding locale names so that they can be compared later. The converted locale names are Japan, China, Korea and Taiwan, as depicted in Figure 4, which may indicate the targeted regions.\r\nFigure 4: Locale name\r\nIt then performs some basic anti-debugging checks, such as IsDebuggerPresent() and PEB checks, which are easily bypassed. Next it contacts the URL to download the encrypted Zloader. It first concatenates the parts of the URL to obtain the full URL, as depicted in Figure 5, then contacts the URL to download the encrypted content, as depicted in Figure 6, and stores it in a buffer for later decryption.\r\nFigure 5: URL concat\r\nFigure 6: Wireshark capture of encrypted file download\r\nAfter decrypting the content, it retrieves the %AppData% path using the SHGetFolderPathA() API, as depicted in Figure 7. It then creates a file named Microsoft_shared.tmp in the %AppData% folder and writes the decrypted buffer to that file, as depicted in Figure 8.\r\nFigure 7: Get %Appdata% location\r\nFigure 8: CreateFile and WriteFile\r\nMicrosoft_shared.tmp is a DLL and is executed using regsvr32.exe. The loader first builds the string regsvr32 /s, as depicted in Figure 9, using the same routine it used to concatenate the URL, and then executes Microsoft_shared.tmp via the CreateProcessAsUserW() API with the command line argument regsvr32 /s, as depicted in Figure 10.\r\nFigure 9: Concat regsvr32 /s\r\nFigure 10: CreateProcessAsUserW()\r\nMicrosoft_shared.tmp is a custom-packed file; it was uploaded to Intezer to see whether the in-memory module matches any genes of a known malware family, as depicted in Figure 11. As predicted, it matched the Zloader variant.\r\nFigure 11: Genes matching (courtesy of Intezer)\r\nThe fake porn site Pornovideos8k[.]com may have been taken down by the time this blog is released. However, the site on which the encrypted file was hosted, vivacemusic[.]site, would still be live and even has its own login page, which looks like a bot panel or repository, as depicted in Figure 12; its whois information is shown in Figure 13.\r\nFigure 12: Authentication page\r\nFigure 13: whois info\r\nThis type of attack is not new, yet users still fall victim to the same trick. We strongly recommend that users be cautious when installing such plug-ins from unknown sites and stay away from sites that show notifications or pop-ups. Install security software from a reputed organization like K7 Computing, which will protect you from these kinds of threats.\r\nIndicators Of Compromise (IOCs)\r\nHash | File Name | K7 Detection Name\r\n67fc6cca4761bb4913b49d3257dff8a4 | Microsoft_shared.tmp | Trojan ( 0057dc291 )\r\n1c0cbc7b9df0831070a0b8074d166644 | j_service.exe | Trojan-Downloader ( 0057c2d31 )\r\nDC3B94EAFF84F7E3832E5C91CE044173 | AccessibleHandler.dll | Trojan-Downloader ( 0057dac31 )\r\n65455FE14BB0F3BAA9D43C4CF2B421F7 | Java.msi | Trojan ( 0001140e1 )\r\nSource: https://labs.k7computing.com/?p=22458",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/?p=22458"
	],
	"report_names": [
		"?p=22458"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434634,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cba35c7bb0d347f5d2bd5fb62c6b17638e7a4ab3.pdf",
		"text": "https://archive.orkl.eu/cba35c7bb0d347f5d2bd5fb62c6b17638e7a4ab3.txt",
		"img": "https://archive.orkl.eu/cba35c7bb0d347f5d2bd5fb62c6b17638e7a4ab3.jpg"
	}
}