{
	"id": "abd3da7d-9e79-4fbe-bcb8-95aa85140a91",
	"created_at": "2026-04-23T02:55:36.890608Z",
	"updated_at": "2026-04-25T02:19:38.792512Z",
	"deleted_at": null,
	"sha1_hash": "d72426bd23650c59ba6f55a0b4adfa5c3b4d3426",
	"title": "Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97726,
	"plain_text": "Can You Trust a File’s Digital Signature? New Zloader Campaign\r\nexploits Microsoft’s Signature Verification putting users at risk\r\nBy etal\r\nPublished: 2022-01-05 · Archived: 2026-04-23 02:17:28 UTC\r\nResearch by: Golan Cohen\r\nIntroduction\r\nLast seen in August 2021, Zloader, a banking malware designed to steal user credentials and private information,\r\nis back with a simple yet sophisticated infection chain. Previous Zloader campaigns, which were seen in 2020,\r\nused malicious documents, adult sites and Google ads to infect systems.\r\nEvidence of the new campaign was first seen around early November 2021. The techniques incorporated in the\r\ninfection chain include the use of legitimate remote management software (RMM) to gain initial access to the\r\ntarget machine.\r\nFIGURE 1 – SIMPLIFIED INFECTION CHAIN\r\nThe malware then exploits Microsoft’s digital signature verification method to inject its payload into a signed\r\nsystem DLL to further evade the system’s defenses. This evidence shows that the Zloader campaign authors put\r\ngreat effort into defense evasion and are still updating their methods on a weekly basis.\r\nInfection Chain\r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 1 of 17\n\nThe infection starts with the installation of Atera software on the victim’s machine. Atera is a legitimate, enterprise\r\nremote monitoring and management software, designed for IT use. Atera can install an agent and assign the\r\nendpoint to a specific account using a unique .msi file that includes the owner’s email address. The campaign\r\nauthors created this installer (b9d403d17c1919ee5ac6f1475b645677a4c03fe9) with a temporary email address:\r\n‘Antik.Corp@mailto.plus’. The file imitates a Java installation, just like in previous Zloader campaigns. As of this\r\nmoment, the exact distribution method for this file is not fully understood.\r\nFigure 2 – The malicious installer\r\nOnce the agent is installed on the machine, the attacker has full access to the system and is able to\r\nupload/download files, run scripts, etc. Atera offers a free 30-day trial for new users, which is enough time for the\r\nattacker to stealthily gain initial access. Previously, Atera was used by the Conti ransomware group to gain\r\npersistence and remote access.\r\nFigure 3 – Create custom Atera installer \r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 2 of 17\n\nFigure 4 – The email used in the malicious installer\r\n                               Figure 5 – Atera Functions\r\nFollowing the agent installation, the attacker then uploads and runs two .bat files onto the device using the “Run\r\nScript” function:\r\ndefenderr.bat is used to modify Windows Defender preferences.\r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 3 of 17\n\nload.bat is used to load the rest of the malware.\r\nFigure 6 – defenderr.bat\r\nThe rest of the files are hosted on the domain teamworks455[.]com and are downloaded from there.\r\nFigure 7 – load.bat\r\nThe load.bat script downloads and runs new.bat, which checks for admin privileges and requests them using the\r\nBatchGotAdmin script. It then continues to download another bat file (new1.bat). This new script adds more\r\nexclusions to Windows Defender for different folders, disables different tools on the machine that could be used\r\nfor detection and investigation such as cmd.exe and the task manager. It also downloads other files into the\r\n%appdata% folder:\r\n9092.dll – The main payload, Zloader.\r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 4 of 17\n\nadminpriv.exe – Nsudo.exe. Enables running programs with elevated privileges.\r\nappContast.dll – Used to run 9092.dll and new2.bat.\r\nreboot.dll – Also used to run 9092.dll.\r\nnew2.bat – Disables “Admin Approval Mode” and shuts down the computer.\r\nauto.bat – Placed in the Startup folder for boot persistence.\r\nFigure 8 – New.BAT\r\nFigure 9 – New1.BAT\r\nNext, the script runs mshta.exe with file appContast.dll as the parameter. When we took a closer look at the DLL,\r\nwe noticed that the file is signed by Microsoft with a valid signature (see below for further explanation) and its\r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 5 of 17\n\noriginal filename is AppResolver.dll. Comparing the two files, we see that in the malicious DLL, the author\r\nappended a script to the file.\r\n Figure 10 – Valid Signature\r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 6 of 17\n\nFigure 11 – Original Filename\r\nFigure 12 – Comparison of appResolver.dll and appContast.dll\r\nThis script then enters a sleeping phase using the file WScriptSleeper.vbs which is written to the %temp%\r\ndirectory. Next, it runs 9092.dll (the main Zloader payload) using regsvr32.exe.\r\nA full technical analysis of Zloader was published by Malwarebytes in May 2020. Ultimately, the malware calls\r\nmsiexec.exe and injects its payload into the running process. Msiexec then communicates with the C2 server at the\r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 7 of 17\n\ndomain lkjhgfgsdshja[.]com.\r\nFigure 13 – Communication to the C2 server\r\nFigure 14 – Strings extracted from msiexec memory\r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 8 of 17\n\nFinally, the new2.bat script edits the registry SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System to\r\ndisable the “administrator in Admin Approval Mode” user type, which runs all applications by default with full\r\nadministrator privileges, and then shuts down the computer for the changes to take effect.\r\nPersistence\r\n When the malware initially runs, it places an auto.bat script under the Startup folder which runs mshta.exe with\r\nreboot.dll as a parameter. Similar to appContast.dll, and then the script deletes itself. In the figure below, we see\r\nthat regsvr32.exe is called with zoom.dll and 9092.dll. The file zoom.dll is missing, which indicates that this\r\ncampaign might still be under development and we will see it in the future.\r\nAfter injecting msiexec.exe with the malicious code, a random registry key value is created under\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. This runs regsvr32.exe with a copy of 9092.dll, which\r\nis placed in a newly created folder in %appdata%. This is how the malware persists the next time the system\r\nreboots.\r\nFigure 15 – reboot.dll\r\nFile Signature\r\nAs mentioned above, the file appContast.dll has a valid signature by Microsoft but the file has been modified and\r\ninjected with a malicious script. This begs the question – how was it done?\r\nIf we compare the malicious DLL with the original one on a byte level, we can see the file was modified in a few\r\nplaces: File checksum and two places that match the signature size.\r\nFigure 16 – A (benign) is appResolver.dll, B (malicious) is appContast.dll\r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 9 of 17\n\nFigure 17 – appResolver.dll CheckSum\r\n                                       Figure 18 – appResolver.dll signature size\r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 10 of 17\n\nfigure 19 – appResolver.dll signature size (2)\r\nThese simple modifications to a signed file maintain the signature’s validity, yet enables us to append data to the\r\nsignature section of a file. As we can’t run compiled code from the signature section of a file, placing a script\r\nwritten in VBscript or JavaScript and running the file using mshta.exe is an easy solution that could evade some\r\nEDRs.\r\nAs a sanity check, we created our own signed PE file with an appended script\r\n(A6ED1667BB4BB9BAC35CE937FF08C7216D63EBB4) that opens the calculator app when run as a parameter\r\nto mshta.exe.\r\nThis gap is apparently a known issue mentioned in the following CVEs: CVE-2020-1599, CVE-2013-3900, and\r\nCVE-2012-0151. Microsoft addressed the issue in 2013 with a Security Bulletin and pushed a fix. However, they\r\nstated after implementing it that they “determined that impact to existing software could be high.” Therefore, in\r\nJuly 2014, they pulled the stricter file verification and changed it to an opt-in update.\r\nIn other words, this fix is disabled by default, which is what enables the malware author to modify the signed file.\r\nFurther explanation about how to enable the strict file verification is available here, which includes modifying the\r\nregistry keys:\r\nFigure 20 – Keys needed to change to mitigate the issue\r\nWe note that reboot.dll is also signed in the same way. After applying the fix, both DLLs have an invalid\r\nsignature.\r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 11 of 17\n\nCampaign Victims\r\nDuring our analysis, we found an open directory, hosted at teamworks455[.]com, that holds some of the files that\r\nare downloaded and used. Every few days, the author makes changes to the files and the check.php script returns a\r\ndifferent DLL file with the same behavior, but a different hash. In the file `entries’, we can see a list of victims that\r\nare infected with Zloader and their country of origin.\r\nFigure 21 – teamworks455[.]com/_country\r\nAs of January 2, 2022, there are 2170 unique victim IPs that downloaded the malicious DLL file. This graph\r\nshows the number of victims from each country (“Other” category includes countries with less than 15 victims).\r\nAs you can see, most of the victims reside in the United States and Canada\r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 12 of 17\n\nFigure 22 – Downloads per country\r\nCampaign Authors\r\n Due to a few similarities with previous campaigns by MalSmoke, we believe that they are the cybercriminals\r\nbehind this campaign:\r\nMalware in previous campaigns by MalSmoke are known to masquerade as Java plugins, which is\r\noccurring in this case.\r\nThere is a connection between the registrar information of the domain teamworks455[.]com, where the\r\ncurrent campaign files are hosted, and the domain pornislife[.]online which was linked to a MalSmoke\r\ncampaign in 2020 \r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 13 of 17\n\nFigure 24 – teamworks455[.]com/racoon\r\nFinally, when looking through the ‘entries’ file, we found two IP addresses that might be related to the attackers.\r\nFigure 25 – Possible addresses related to the campaign\r\nThe first address, 185[.]191[.]34[.]223, was spotted in an IP blacklist that is categorized as “cybercrime.” The\r\nsecond address, 185[.]191[.]34[.]209, can be seen attempting to download the payload multiple times, using\r\ndifferent user-agents. This could indicate that the authors were testing their payload. Both addresses are found in\r\nAbuseIPDB:\r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 14 of 17\n\nFigure 26 – Abuseipdb 185[.]191[.]34[.]223 \r\n            Figure 27 – Abuseipdb 185[.]191[.]34[.]209             \r\nConclusion\r\n Zloader campaigns have been previously spotted in the wild in multiple forms. In this particular case, we see that\r\nthe authors put a lot of effort into the evasion methods. Two noteworthy ways seen here are using legitimate RMM\r\nsoftware as an initial access to a target machine, and appending code to a file’s signature while still maintaining\r\nthe signature’s validity and running it using mshta.exe.\r\nThe ability to append code to a file’s signature has been known for many years and multiple CVEs were assigned\r\nas mentioned above. To mitigate the issue, all vendors should conform to the new Authenticode specifications to\r\nhave these settings as default, instead of an opt-in update. Until that happens, we can never be sure if we can truly\r\ntrust a file’s signature.\r\nSafety Tips\r\nWe recommend that users apply Microsoft’s update for strict Authenticode verification. To do so, paste these lines\r\ninto Notepad and save the file with .reg extension before running it.\r\nWindows Registry Editor Version 5.00\r\n[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Wintrust\\Config]\r\n“EnableCertPaddingCheck”=”1”\r\n[HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Cryptography\\Wintrust\\Config]\r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 15 of 17\n\n“EnableCertPaddingCheck”=”1”\r\nWe should also note that after applying the fix, some signatures of legitimate benign installers will show up with\r\nan invalid signature. In addition, if mshta.exe is not relevant in your environment, you may disable it and mitigate\r\nthe execution of scripts that are inserted into such files.\r\nCheck Point Threat Emulation and Harmony endpoint provides protection against this threat:\r\nExploit.Wins.CVE-2013-3900.A\r\nTrojan-Downloader.Win.Zloader.E\r\nTrojan-Downloader.Win.Zloader.F\r\nMITRE ATT\u0026CK\r\nIOCs\r\nAteraAgent Scripts:\r\nDefenderr.bat – 1CA89010E866FB97047383A7F6C83C00C3F31961\r\nLoad.bat – F3D73BE3F4F5393BE1BC1CF81F3041AAD8BE4F8D\r\nwww.teamworks455[.]com\r\nC2 Servers:\r\nhttps://asdfghdsajkl[.]com/gate.php\r\nhttps://iasudjghnasd[.]com/gate.php\r\nhttps://kdjwhqejqwij[.]com/gate.php\r\nhttps://kjdhsasghjds[.]com/gate.php\r\nhttps://dkisuaggdjhna[.]com/gate.php\r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 16 of 17\n\nhttps://dquggwjhdmq[.]com/gate.php\r\nhttps://lkjhgfgsdshja[.]com/gate.php\r\nhttps://daksjuggdhwa[.]com/gate.php\r\nhttps://eiqwuggejqw[.]com/gate.php\r\nhttps://djshggadasj[.]com/gate.php\r\nFiles:\r\nJava.msi –  B9D403D17C1919EE5AC6F1475B645677A4C03FE9\r\nnew.bat – 0926F8DF5A40B58C6574189FFB5C170528A6A34D\r\nnew1.bat – 9F1C72D2617B13E591A866196A662FEA590D5677\r\nnew2.bat – DE0FA1529BC652FF3C10FF16871D88F2D39901A0\r\n9092.dll – A25D33F3F8C2DA6DC35A64B16229D5F0692FB5C5,\r\n7A57118EE3122C9BDB45CF7A9B2EFD72FE258771, 2C0BC274BC2FD9DAB82330B837711355170FC606\r\nAdminpriv.exe – 3A80A49EFAAC5D839400E4FB8F803243FB39A513\r\nappContast.dll – 117318262E521A66ABA4605262FA2F8552903217\r\nreboot.dll – F3B3CF03801527C24F9059F475A9D87E5392DAE9\r\nauto.bat – 3EA3B79834C2C2DBCE0D24C73B022A2FF706B4C6\r\nSource: https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verif\r\nication-putting-users-at-risk/\r\nhttps://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/\r\nPage 17 of 17",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/"
	],
	"report_names": [
		"can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk"
	],
	"threat_actors": [
		{
			"id": "8143b0d6-bfa0-43cc-b45f-dbcf4728741c",
			"created_at": "2025-05-29T02:00:03.230052Z",
			"updated_at": "2026-04-25T02:00:03.697546Z",
			"deleted_at": null,
			"main_name": "Malsmoke",
			"aliases": [],
			"source_name": "MISPGALAXY:Malsmoke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1776912936,
	"ts_updated_at": 1777083578,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d72426bd23650c59ba6f55a0b4adfa5c3b4d3426.pdf",
		"text": "https://archive.orkl.eu/d72426bd23650c59ba6f55a0b4adfa5c3b4d3426.txt",
		"img": "https://archive.orkl.eu/d72426bd23650c59ba6f55a0b4adfa5c3b4d3426.jpg"
	}
}