{
	"id": "c162a8f3-e760-4388-8223-cc8ac06ff3b4",
	"created_at": "2026-04-06T00:17:15.484985Z",
	"updated_at": "2026-04-10T03:30:41.488261Z",
	"deleted_at": null,
	"sha1_hash": "e0b28712a2b95b07059044653022f8a0b3c65758",
	"title": "Threat Spotlight: STRRAT, ZLoader, and HoneyGain - Cisco Umbrella",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 169912,
	"plain_text": "Threat Spotlight: STRRAT, ZLoader, and HoneyGain - Cisco Umbrella\r\nBy Artsiom Holub\r\nPublished: 2021-10-19 · Archived: 2026-04-05 17:25:54 UTC\r\nCybersecurity Awareness Month may be in full swing, but that doesn’t mean that cybercriminals have been taking a break. In fact, the opposite is true – October has seen threats like ZLoader and HoneyGain continue to evolve. Meanwhile, STRRAT has wreaked havoc by enabling bad actors to steal credentials and install additional malware.\r\nIn today’s Threat Spotlight blog, we break these threats down for you and walk through which Cisco Secure products can help protect your network. If you want to learn more about these threats, register for our on-demand webinar today!\r\nThreat Name: STRRAT\r\nThreat Type: RAT\r\nDelivery and Exfiltration:\r\nSTRRAT Attack Chain\r\nDescription: STRRAT is a Java-based Remote Access Tool (RAT) that does not require a pre-installed Java Runtime Environment (JRE). It is mainly distributed through malicious spam (malspam) campaigns. The malware installs RDPWrap, steals credentials, logs keystrokes, and remotely controls Windows systems. It also contains a ransomware module.\r\nSTRRAT Spotlight: STRRAT campaigns utilize malspam as a means of initial access. If a victim opens a weaponized email attachment and enables macros within the document on a vulnerable Windows host, the macro code downloads a zip archive containing a JRE, an encrypted and obfuscated .jar file, and a script to run STRRAT using the JRE from the zip archive. The RAT focuses on stealing passwords via keylogging, as well as stored web browser and email client credentials. It supports the following browsers and email clients:\r\nFirefox\r\nhttps://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain\r\nPage 1 of 9\n\nInternet Explorer\r\nChrome\r\nFoxmail\r\nOutlook\r\nThunderbird\r\nSTRRAT also installs RDPWrap, an open source tool that enables Remote Desktop support on Windows. What’s more, STRRAT contains a ransomware module. Features and commands it supports are similar to other RATs, including the ability to download and execute additional malware.\r\nTarget Geolocations: Austria, Canada, Germany, Spain, UK, USA\r\nTarget Data: User Credentials, Browser Data, Sensitive Information\r\nTarget Businesses: Any\r\nExploits: N/A\r\nMitre Att\u0026ck for STRRAT\r\nInitial Access: Malspam\r\nPersistence: Registry Run Keys / Startup Folder, Scheduled Task/Job\r\nExecution: Scheduled Task/Job\r\nEvasion: Obfuscated Files or Information\r\nCollection: Automated Collection, Keylogging\r\nCommand and Control: Application Layer Protocol: Web Protocol\r\nExfiltration: Exfiltration Over Command and Control Channel\r\nIOCs\r\nDomains:\r\nIPs:\r\n54.202.26[.]55\r\n104.248.53[.]108\r\n37.0.8[.]76\r\nAdditional Information:\r\nSTRRAT-Crimson\r\nInfoSec Handlers Diary Blog\r\nWhich Cisco Products Can Block:\r\nAMP\r\nCWS\r\nNetwork Security\r\nSecure Network Analytics\r\nSecure Cloud Analytics\r\nThreat Grid\r\nUmbrella\r\nWSA\r\nThreat Name: ZLoader (Terdot or Zbot)\r\nThreat Type: Loader\r\nDelivery and Exfiltration: The ZLoader attack utilizes three methods of infection.\r\nZLoader Attack Chain no. 1\r\nZLoader Attack Chain no. 2\r\nZLoader Attack Chain no. 3\r\nDescription: ZLoader (also known as Terdot and Zbot) is a banking trojan that was first observed in 2016. It is still under active development and many versions have appeared since December 2019. It acts as a backdoor to infected systems and has the ability to download additional malware. It also implements web injection to steal cookies, passwords, and sensitive information. ZLoader targets users of financial institutions and has been used to deliver ransomware from the Egregor and Ryuk families.\r\nZLoader Spotlight: Recent ZLoader campaigns used multiple initial attack vectors. Among these are the Malsmoke malvertising campaign, phishing campaigns with malspam, and a malvertising campaign abusing advertisements published through Google Adwords. A recent evolution of the infection chain includes dynamic agent creation to download malicious payloads from a remote server. The malware can disable Windows Defender and relies on system binaries and scripts (living-off-the-land, or LOLBAS) in order to evade detection. ZLoader leverages process injection to contact its command and control server using a Domain Generation Algorithm (DGA). Once it identifies a responding domain, optional modules and a possible update to ZLoader are downloaded.\r\nTarget Geolocations: Austria, Canada, Denmark, Germany, Spain, USA\r\nTarget Data: User Credentials, Browser Data, Sensitive Information\r\nTarget Businesses: Any\r\nExploits: N/A\r\nMitre Att\u0026ck for ZLoader\r\nInitial Access: Malspam, Malvertising, Drive-by Compromise\r\nPersistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Compromise Client Software Binary\r\nPrivilege Escalation: Abuse Elevation Control Mechanism\r\nExecution: Command and Scripting Interpreter: PowerShell\r\nEvasion: Process Injection: Thread Execution Hijacking, Signed Binary Proxy Execution, Signed Binary Proxy Execution: Msiexec, Signed Binary Proxy Execution: Rundll32, Impair Defenses: Disable or Modify Tools, Subvert Trust Controls: Code Signing\r\nCollection: Man in the Browser\r\nCommand and Control: Application Layer Protocol: Web Protocols\r\nExfiltration: Exfiltration Over Command and Control Channel\r\nIOCs\r\nDomains:\r\nIPs:\r\n194.58.108[.]89\r\n195.24.66[.]70\r\nAdditional Information:\r\nMalsmoke Malvertising Campaign\r\nSilent Night Campaign\r\nGoogle Adwords Malvertising Campaign\r\nNew Infection Technique\r\nWhich Cisco Products Can Block:\r\nAMP\r\nCWS\r\nNetwork Security\r\nSecure Network Analytics\r\nThreat Grid\r\nUmbrella\r\nWSA\r\nThreat Name: HoneyGain\r\nThreat Type: Potentially Unwanted Application\r\nDelivery and Exfiltration:\r\nHoneyGain Attack Chain\r\nDescription: HoneyGain is legitimate software that can be used to proxy clients’ connections for money. However, due to its increased popularity, malicious actors started to distribute Trojanized versions of this software bundled with a malicious payload. This packed malware contains a complete set of monetization methods, including a Trojanized version of the HoneyGain proxyware client, an XMRig miner, and an information stealer. The campaign continues to evolve, with the recent deployment of the Nanowire client, another proxyware application with similar functionality.\r\nHoneyGain Spotlight: A variety of different malware families are being distributed under the guise of legitimate installers for applications like HoneyGain. These trojanized installers enable adversaries to distribute threats such as RATs, information stealers, and other malware to victims who believe they are installing legitimate applications. Associated malware was also observed leveraging victims’ CPU resources to mine cryptocurrency, while also monetizing their network bandwidth using proxyware applications. One of the most common techniques observed is the use of legitimate installers as decoy programs included alongside other malicious components. In these attacks, threat actors are distributing malicious executables posing as installers for legitimate proxyware applications like HoneyGain. When executed, they will typically install the legitimate application while silently installing malware.\r\nTarget Geolocations: World-Wide\r\nTarget Data: Browser Data, Sensitive Data\r\nTarget Businesses: Any\r\nExploits: N/A\r\nMitre Att\u0026ck for HoneyGain\r\nPersistence: Scheduled Task/Job, Registry Run Keys / Startup Folder, Windows Service\r\nExecution: Scheduled Task, Native API\r\nEvasion: N/A\r\nCollection: N/A\r\nCommand and Control: Application Layer Protocol: Web Protocols\r\nExfiltration: Exfiltration Over Command and Control Channel\r\nIOCs\r\nDomains:\r\nURLs:\r\nStealer Exfiltration URL:\r\nhxxps://terminist-journal.000webhostapp[.]com/donkeydick.php\r\nAdditional Information:\r\nHoneyGain\r\nWhich Cisco Products Can Block:\r\nAMP\r\nCWS\r\nNetwork Security\r\nSecure Network Analytics\r\nSecure Cloud Analytics\r\nThreat Grid\r\nUmbrella\r\nWSA\r\nWant to Learn More About This Month’s Leading Cyberattacks?\r\nRegister for our on-demand webinar today to learn more about how these threats operate and what you can do to protect your network against them.\r\nSource: https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain"
	],
	"report_names": [
		"cybersecurity-threat-spotlight-strrat-zloader-honeygain"
	],
	"threat_actors": [
		{
			"id": "8143b0d6-bfa0-43cc-b45f-dbcf4728741c",
			"created_at": "2025-05-29T02:00:03.230052Z",
			"updated_at": "2026-04-10T02:00:03.880481Z",
			"deleted_at": null,
			"main_name": "Malsmoke",
			"aliases": [],
			"source_name": "MISPGALAXY:Malsmoke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434635,
	"ts_updated_at": 1775791841,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e0b28712a2b95b07059044653022f8a0b3c65758.pdf",
		"text": "https://archive.orkl.eu/e0b28712a2b95b07059044653022f8a0b3c65758.txt",
		"img": "https://archive.orkl.eu/e0b28712a2b95b07059044653022f8a0b3c65758.jpg"
	}
}