{
	"id": "05f1bdc4-39c7-4b40-b549-8e626a9474d9",
	"created_at": "2026-04-06T01:31:27.979012Z",
	"updated_at": "2026-04-10T13:13:01.18708Z",
	"deleted_at": null,
	"sha1_hash": "dd56f9b82190f00069ff0925293882b9991ce066",
	"title": "Modified Zyklon and plugins from India",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 790685,
	"plain_text": "Modified Zyklon and plugins from India\r\nBy Vanja Svajcer\r\nPublished: 2017-05-23 · Archived: 2026-04-06 00:21:33 UTC\r\nIntroduction\r\nStreams of malicious emails Talos inspects every day usually consist of active\r\nspamming campaigns for various ransomware families, phishing campaigns and the common\r\nmalware family suspects such as banking Trojans and bots. It is, however, often more interesting\r\nto analyze campaigns smaller in volume as they might contain more interesting malware. A few\r\nweeks ago I became interested in just such a campaign with a smaller number of circulating email\r\nmessages. The email, the first of them submitted from the Middle East, purports to be coming from a\r\nTurkish trading company, which might further indicate the geographic area where the attacks\r\nwere active. Analyzing malware is often like solving a puzzle: you have to do it piece by piece to\r\nreach the final image. In this case I spent more time analyzing the campaign than I initially\r\nplanned. The campaign has many stages in its infection chain and all needed to be unraveled\r\nbefore the final payload level was reached. Furthermore, each of the stages used a different\r\ndevelopment platform and was obfuscated in a different way. But let us start from the beginning.\r\nStage 1 - email\r\nThe email message contains two attachments. The first one is a Word document in the Office\r\nOpen XML file format while the second is a ZIP file PurchaseOrders.zip, containing an\r\nexecutable file PurchaseOrders.exe. This is a relatively unusual strategy for email campaigns as it\r\nis much more common for malicious emails to contain a single attachment rather than two or\r\nmore. 
It seems that the attackers wanted to be doubly sure that the recipient would open at least one\r\nof the attachments.\r\nhttps://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html\r\nPage 1 of 12\n\nEmail campaign\r\nStage 2a - Word Document - CVE-2013-3906\r\nThe Word document attachment, “Letter of introduction.doc”, contains an exploit for the CVE-2013-3906\r\nTIFF image file parsing vulnerability. The document contains multiple TabStrip (classid:\r\n{1EFB6596-857C-11D1-B16A-00C0F0283628}) ActiveX controls, also used in CVE-2012-1856.\r\nEmbedded ActiveX controls used for heap spray\r\nEmbedded TabStrip ActiveX controls are used for heap spraying and the embedded TIFF file named image1.jpeg\r\ntriggers the CVE-2013-3906 vulnerability. There are 40 embedded ActiveX controls and each is mapped into a 2MB\r\nallocated memory space. In this case, exploitation takes time but the exploit eventually crashes the vulnerable\r\nversions of Word and starts the shellcode. The shellcode is immediately visible in the hex dump of the ActiveX\r\nOLE2 file and sprayed in the memory of the exploited Word process.\r\nHeap sprayed shellcode from ActiveXn.bin files\r\nShellcode - hook evasion\r\nThe shellcode itself is relatively simple and, give or take, 450 bytes long, excluding\r\nthe URL used for downloading the payload. 
As is often the case, the APIs are found by parsing the Process\r\nEnvironment Block (PEB) and traversing the linked list of loaded modules as well as their respective\r\nexported functions.\r\nNotably, before calling the required APIs, the shellcode checks for the presence of inline hooks, often installed by\r\nendpoint security products, and jumps over the installed hook code in order to avoid being noticed in their\r\nbehavior detection windows.\r\nEvading security hooks\r\nIf the user was infected by the attached Word document, the shellcode would download and execute an executable\r\nfrom a legitimate, compromised server. The C2 server for the final payload is extracted from a configuration blob\r\nstored encrypted within the downloaded payload body.\r\nStage 2b - PurchaseOrders.exe\r\nThe executable downloaded by the shellcode is identical in its\r\nfunctionality to the executable attached to the email, so we eventually arrive at\r\nPurchaseOrders.exe, which gets executed whether the user opens the attached\r\ndocument or immediately launches PurchaseOrders.exe directly. The executable has a\r\nPDF document icon and the user can be forgiven for not recognizing it as an executable,\r\nconsidering the fact that Windows by default hides filename extensions of known file types.\r\nIcon file used by PurchaseOrders.exe\r\nThe executable itself is just over 1.4MB in size, which is rather large for\r\nattachments used in email campaigns. The file itself is a self-extracting CAB archive which contains three\r\nrandomly named files.\r\nStage 3 - AutoIt Script\r\nThe first file is instantly recognisable and it is a legitimate AutoIt script\r\ninterpreter. The second file is a Unicode file encoded as UTF-16 and is over 110MB in size, which is\r\nat first almost enough to discourage analysis. 
The actual script code starts deep within the\r\nfile, which provides the attacker with the ability to obfuscate the script code in a way that is not\r\nimmediately visible to researchers.\r\nTalos has already written about a similar delivery method in the past and it seems that this campaign uses a similar\r\ngenerator of obfuscated AutoIt scripts. Thankfully, it was relatively simple to remove all the junk characters and\r\nreduce the size of the code to analyze to a much more manageable 41KB.\r\nAutoIt stage deobfuscated\r\nThe AutoIt script itself creates a directory in the user's profile folder and sets its attributes to system and hidden. It\r\nthen creates a copy of the RegSvcs.exe .NET services installation tool, or copies the existing RegSvcs.exe, under the\r\nfilename splwow64.exe to set up the next stage. RegSvcs.exe is used for injecting and launching a remote thread\r\nwithin its process space. The thread uses RC4 to decrypt the third file dropped by the original self-extracting\r\nCAB archive and reads it into the process space of RegSvcs.exe. This leads us to the next stage, using an\r\nexecutable developed in C/C++. This stage will only exist in its executable form in memory, while it remains an\r\nRC4-encrypted data blob on the disk.\r\nStage 4 - Zyklon injector\r\nThe stage injected into RegSvcs.exe is another unobfuscated injector of\r\nthe final payload. The executable decompresses the payload from the resource section of the PE\r\nfile, finds and launches the Windows Explorer executable, which is found in different folders depending\r\non the Windows platform (32 or 64 bit), and launches a remote thread that loads and runs a .NET\r\nexecutable, which is the final payload of the campaign, in this case a sample of the Zyklon HTTP\r\nbot.\r\nLoading managed code into an unmanaged space is not an entirely simple process. 
Attempting to cheat the infection\r\nchain by launching the Zyklon bot from the command line was apparently anticipated by the campaign author, who\r\nmodified the Zyklon class Main function to display a text message for anybody trying to launch it this way.\r\nThe original Zyklon code for version 1.0.0.0 does not seem to contain this mechanism, which ensures that the\r\npayload is run by a specific loader that does not call the Zyklon class Main function but a different entry point.\r\nYou are not supposed to run it this way\r\nThe payload is obfuscated using Crypto Obfuscator and an additional code generator. The code, which uses xor\r\noperations to set the value of a variable used in a switch statement to direct the program flow, is relatively easy to\r\nfollow once the Crypto Obfuscator code transformations are removed, which can be done using the very useful\r\n.NET deobfuscation utility de4dot. In fact, the Zyklon Builder, found on VirusTotal, uses the same dnlib library,\r\nalso used by the de4dot and dnSpy analysis tools, to add the configuration file to the base Zyklon bot .NET assembly\r\nembedded in its resource section.\r\nOnce the obfuscator was removed it did not take too long to realize that, for the purpose of the analysis, it was\r\npossible to manually modify the Zyklon class Main function to call the EntryPoint function which contains the bot\r\ncode, and debug Zyklon using the dnSpy debugger.\r\nC2 communication (encryption)\r\nZyklon's \"official\" name is \"Zyklon H.T.T.P Bot\", which is visible in the links to PDB files\r\nretained as a remnant of the compilation process. 
The bot is reasonably well written, with\r\nprecautions for hiding the traffic from network-based detection engines, even from intercepting\r\nproxies, by encrypting all its communications.\r\nEstablishing communication with a C2 server\r\nThe bot connects to one of three possible C2 servers, starting from the first one specified in its configuration.\r\nThe server sends a certificate and the communication is first encrypted with RSA and then with 256-bit\r\nAES, with the initialization vector and the key generated by the server and sent back to the client after the client\r\nPOSTs a request ending with the query gate.php?getkey=y.\r\nLooking at the DNS requests for one of the C2 servers that remained active throughout the campaign, it is possible\r\nto see the time when the campaign was active.\r\nC2 DNS domain activity\r\nThe initial configuration for the bot is embedded within the resource section of the file, together with the list of\r\nuser agent strings used by the bot when contacting the C2 server. The malicious .NET assembly also contains an\r\nencrypted blob that becomes its persistence module injector. Once decrypted and loaded in memory, its function is\r\nto make sure that the bot is respawned from a remote thread if the main executable is terminated as a process.\r\nThe client then sends a request containing information about the infected system and receives a configuration\r\nstring from the C2, which sets the internal bot parameters. Several threads are also launched in order to download and\r\nexecute the required additional plugins.\r\nThe main command loop sleeps for 60 seconds and sends a request for a command to the C2 server. 
The main\r\npurpose of the bot seems to be conducting DDoS attacks, but there are other more or less standard commands\r\navailable, such as downloading and executing additional payloads from a user-specified URL or logging the user's\r\nkeystrokes and sending them back to the C2 server.\r\nCuriously, Zyklon may also attempt to enumerate the usual automatic startup locations in the Windows registry to\r\nfind potential competitors' files and submit them to VirusTotal for scanning. This so-called cloud malware inspection is\r\nused to terminate processes based on the VirusTotal verdict. The bot also executes rudimentary heuristic checks\r\nfor some of the known competing bot names and filename extensions and tries to remove them if found on the\r\nsystem. Competition is never welcome among the bad guys.\r\nZyklon website\r\nThe website advertising Zyklon is hosted on a .onion domain which is also accessible from the\r\nclear net through a web-to-Tor proxy. The owners are advertising two different versions for sale,\r\none that can connect to Tor-based C2 servers and the standard one without that capability.\r\nPerhaps the most interesting page of the Zyklon website is its Terms of Service, which the authors seem to\r\nbelieve may free them from potential prosecution. The user, aka the attacker, allegedly has the sole legal\r\nresponsibility for damage caused by it, at least according to the Zyklon creators:\r\nYOU UNDERSTAND AND HEREBY ACKNOWLEDGE AND AGREE THAT YOU MAY NOT AND WARRANT THAT YOU WILL NOT:\r\n1. use the Zyklon H.T.T.P Remote Administration Software for any illegal purpose, or in violation of\r\nany laws, including, without limitation, laws governing intellectual property, data protection and\r\nprivacy, and import or export control;\r\n2. 
remove, circumvent, disable, damage or otherwise interfere with security-related features of the\r\nZyklon H.T.T.P Remote Administration Software, features that prevent or restrict use or copying of any\r\ncontent accessible through the Zyklon H.T.T.P Remote Administration Software, or features that enforce\r\nlimitations on use of the Zyklon H.T.T.P Remote Administration Software;\r\n3. intentionally interfere with or damage operation of the Zyklon H.T.T.P Remote Administration\r\nSoftware or any user's enjoyment of them, by any means, including uploading or otherwise disseminating\r\nviruses, worms, or other malicious code;\r\n4. post, store, send, transmit, or disseminate any information or material which infringes any\r\npatents, trademarks, trade secrets, copyrights, or any other proprietary or intellectual property\r\nrights; or\r\n5. Install and/or use Zyklon H.T.T.P Remote Administration Software on any computer which you do not\r\nhave explicit permission to do so on;\r\n6. distribute Zyklon H.T.T.P files over the Internet with the intent of infecting/harming machines of\r\nother people;\r\nDownloaded credential harvesting modules (email, browser, ftp)\r\nThe Zyklon creators also advertise a\r\nnumber of useful plugins for harvesting user credentials and stealing confidential information\r\nsuch as details of wallets of various cryptocurrencies like Bitcoin, Litecoin and Dogecoin. For a\r\npotential customer, the list of features must be quite impressive. 
However, not everything is as\r\nideal as it seems at first.\r\nIn the analyzed campaign, the Zyklon main executable downloaded only three plugins, as instructed by the C2\r\nserver, all of them with the purpose of stealing user credentials from the password caches of the most popular web\r\nbrowsers as well as email and FTP clients.\r\nCI=False|KT=1|UAC=False|S5=False|ER=False|UPNP=False|RP=True|RW=False|\r\nAK=False|BK_CYCLE=|BK_RUN_ONCE=False|SOCKS_PORT=3128|SOCKS_AUTH=False|\r\nSOCKS_USERNAME=Nothing|SOCKS_PASSWORD=Nothing|KLI=1|KLM=500|EKL=True|\r\nWC=False|BA=MyBtc|LA=MyLtc|KLF=False|BR=True|FTR=True|EMR=True|SFR=False| GR=False|AU=False|UF=N/A|\r\nConfiguration command sent to Zyklon from C2 server\r\nThe plugin download URL follows the format plugin/index.php?plugin=\u003cpluginname\u003e, with the possible plugins\r\nbeing:\r\n/plugin/index.php?plugin=browser\r\n/plugin/index.php?plugin=email\r\n/plugin/index.php?plugin=ftp!\r\n/plugin/index.php?plugin=software\r\n/plugin/index.php?plugin=games\r\n/plugin/index.php?plugin=cuda\r\n/plugin/index.php?plugin=minerd\r\n/plugin/index.php?plugin=sgminer\r\n/plugin/index.php?plugin=socks\r\nAvailable Zyklon plugins\r\nDownloaded plugins are injected into a previously launched and hollowed legitimate process named\r\n\"%windir%\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe\" and are in fact just freeware command line\r\ntools written in C/C++ available from the website http://www.securityxploded.com.\r\nIt is likely that the Zyklon author realized it would take quite a long time to fully develop all the features within the\r\nmain Zyklon bot and decided to include available free password dumping utilities just to make the RAT more\r\ncompetitive in what is quite a cutthroat underground market for remote administration tools.\r\nConclusion\r\nZyklon is quite a well known botnet kit and it has been fairly active this year. 
In this\r\nsmaller, possibly more targeted campaign we analyzed, it has shown that its users are employing a\r\nnumber of different technologies and obfuscation techniques to be more successful: from\r\nexploiting a vulnerability in Microsoft Word, through AutoIt scripts and .NET executables, all the way\r\nto freeware utilities used as plugins for harvesting credentials from browser caches, email and FTP\r\nclients.\r\nZyklon campaign execution flow on an endpoint\r\nOverall, this was a well-executed campaign which used compromised hosts as C2 servers. Luckily, there are\r\nseveral weaknesses which can be exploited for detecting its footprint, either by inspecting IOCs or by tracking the\r\nnetwork communication patterns and behavior on endpoints.\r\nCoverage\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX with Advanced Security can detect\r\nmalicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella prevents DNS resolution of the domains associated with malicious activity.\r\nStealthwatch detects network scanning activity, network propagation, and connections to CnC infrastructures,\r\ncorrelating this activity to alert administrators.\r\nIOCs\r\nDocument exploits\r\nac944374d5f50ecbdd3b9e7151d5a4b055ec18ea26482c2301ccc439164b25be\r\n996b19658cffedc9395243693c3ca1d12a2c2a2c986e35a877f1ae2a2b595a6d\r\nPE Exes 
downloaded by the exploit docs\r\n4bce73a29ee1b9840cd82d8c08e107179cd74dc1aed488f6d16772ce12092c69\r\nbcf8dbbc78883b2d84511819123cf39b1c2ffe3cd9763d08fe1544c89084cadf\r\nZIP Attachments\r\ne67db2e2ebd3c540489dd4844b066b45f31b2d879a085eabda1f63926ddc0688\r\nb1906c1d23f62df7f63a06030f27c3249414d027a9deb62d27f65ec6f3a61adb\r\nPE exe files within ZIPs\r\nb7101462507a8cf5bf91b62b641ef1ac3d268115d6dfca54a1625efb07fccf0d\r\n4bce73a29ee1b9840cd82d8c08e107179cd74dc1aed488f6d16772ce12092c69\r\nBrowser plugin\r\ne5d2c3a7ddd219ab361af4a709999a492387e3aaf8380187a7699895fc383e40\r\nFTP plugin\r\n6a32a0d83a5c955822502444833283a3fde8e1893f1490fac1ae5b84a00db5c6\r\nEmail plugin\r\nbbcc07baaa00bb30de43a39a04dc66754fe805630f155fde47ab259fdbd03748\r\nZyklon Builder v1.0.0\r\n682d5d60d6fc0e1d5810e9cd9d8b1c6b6fa154d5a790da944177074d28846d66\r\nDownload URLs\r\nhttp://wszystkozmetalu[.]pl/Invoiceq.exe\r\nhttp://www.blcpolychemical[.]com/re/PurchaseOrders.exe\r\nhttp://barkliaytire[.]com\r\nhttp://distriegroupelectric[.]com\r\nhttp://extreime-net[.]com\r\nhttp://distriegroupelectric[.]com:80/plugin/index[.]php?plugin=ftp\r\nhttp://distriegroupelectric[.]com:80/plugin/index[.]php?plugin=email\r\nhttp://distriegroupelectric[.]com:80/plugin/index[.]php?plugin=browser\r\nC2\r\nhttp://distriegroupelectric.com:80/gate[.]php\r\nhttp://distriegroupelectric.com:80/login[.]php - Control Panel\r\nSource: https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html"
	],
	"report_names": [
		"modified-zyklon-and-plugins-from-india.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439087,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd56f9b82190f00069ff0925293882b9991ce066.pdf",
		"text": "https://archive.orkl.eu/dd56f9b82190f00069ff0925293882b9991ce066.txt",
		"img": "https://archive.orkl.eu/dd56f9b82190f00069ff0925293882b9991ce066.jpg"
	}
}