{
	"id": "8273d12b-645e-4e12-ab33-5c30cc3352e1",
	"created_at": "2026-04-06T00:19:25.709378Z",
	"updated_at": "2026-04-10T03:20:47.826635Z",
	"deleted_at": null,
	"sha1_hash": "eb0afe48f86a452e863489626321658c87d30914",
	"title": "Hide and Seek | New Zloader Infection Chain Comes With Improved Stealth and Evasion Mechanisms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1468311,
	"plain_text": "Hide and Seek | New Zloader Infection Chain Comes With\r\nImproved Stealth and Evasion Mechanisms\r\nBy Antonio Pirozzi\r\nPublished: 2021-09-13 · Archived: 2026-04-05 13:25:57 UTC\r\nBy Antonio Pirozzi and Antonio Cocomazzi\r\nExecutive Summary\r\nA new ZLoader campaign has a stealthier distribution mechanism which deploys a signed dropper with\r\nlower rates of detection.\r\nThe campaign primarily targets users of Australian and German banking institutions.\r\nThe new infection chain implements a stager which disables all Windows Defender modules.\r\nThe threat actor uses a backdoored version of the Windows utility wextract.exe to embed the ZLoader\r\npayload and lower the chance of detection.\r\nSentinelLabs identified the entire infrastructure of the ‘Tim’ botnet, composed of more than 350 recently-registered C2 domains.\r\nRead the Full Report\r\nIntroduction\r\nZLoader (also known as Terdot) was first discovered in 2016 and is a fork of the infamous Zeus banking trojan. It\r\nis still under active development. A multitude of different versions have appeared since December 2019, with an\r\naverage frequency of 1-2 new versions released each week.\r\nZLoader is a typical banking trojan which implements web injection to steal cookies, passwords and any other sensitive\r\ninformation. It attacks users of financial institutions all over the world and has also been used to deliver\r\nransomware families like Egregor and Ryuk. It also provides backdoor capabilities and acts as a generic loader to\r\ndeliver other forms of malware. Newer versions implement a VNC module which opens a hidden\r\nchannel that gives the operators remote access to victim systems. ZLoader relies primarily on dynamic data\r\nexchange (DDE) and macro obfuscation to deliver the final payload through crafted documents.\r\nA recent evolution of the infection chain included the dynamic creation of agents, which download the payload\r\nfrom a remote server. 
The new infection chain observed by SentinelLabs demonstrates a higher level of stealth by\r\ndisabling Windows Defender and relying on living-off-the-land binaries and scripts (LOLBAS) in order to evade\r\ndetection. During our investigation, we were also able to map all the new ZLoader C2 infrastructure related to the\r\n‘Tim’ botnet and identify the scope of the campaign and its objectives, which primarily involved stealing bank\r\ncredentials from customers of European banks.\r\nhttps://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/\r\nPage 1 of 8\n\nOverview of the ZLoader infection chain\r\nTechnical Analysis\r\nThe malware is downloaded from a Google advertisement published through Google AdWords. In this campaign,\r\nthe attackers use an indirect way to compromise victims instead of using the classic approach of compromising the\r\nvictims directly, such as by phishing.\r\nWe observed the following pattern of activity that leads to infection:\r\nThe user performs a search on www.google.com to find a website to download the required software from;\r\nin our case, we observed a search for “team viewer download”.\r\nThe user clicks on an advertisement shown by Google and is redirected to the fake TeamViewer site under\r\nthe attacker’s control.\r\nThe user is tricked into downloading the fake software in a signed MSI format.\r\nOnce the user clicks on the advertisement, the browser is redirected through the aclk page. This redirect demonstrates the\r\nattackers’ usage of Google AdWords to gain traffic:\r\nhxxps:\r\nAfter further navigation (and redirects), the malicious Team-Viewer.msi is downloaded from the final URL\r\nhxxps://team-viewer.site/download/Team-Viewer.msi .\r\nThe downloaded file is a fake TeamViewer installer signed on 2021-08-23 10:07:00. 
It appears that the\r\ncybercriminals managed to obtain a valid certificate issued by Flyintellect Inc, a software company in Brampton,\r\nCanada. The company was registered on 29th June 2021, suggesting that the threat actor possibly registered the\r\ncompany for the purpose of obtaining those certificates.\r\nPivoting from this certificate, we were able to spot other samples signed with the same certificate. These other\r\nsamples suggest that the attackers had multiple campaigns ongoing beyond TeamViewer, including fakes\r\nsuch as JavaPlug-in.msi , Zoom.msi , and discord.msi .\r\nAt the time of writing, these four samples have no detections on VirusTotal (a complete list of IoCs can be found\r\nin the full report).\r\nNew Zloader Infection Chain Bypasses Defences\r\nThe .msi file is the first-stage dropper, which runs an installation wizard. It creates random legitimate files in the\r\ndirectory C:\\Program Files (x86)\\Sun Technology Network\\Oracle Java SE . Once the folder has been created,\r\nit drops the setup.bat file, triggering the initial infection chain by executing cmd.exe /c setup.bat .\r\nThis initiates the second stage of the infection chain, downloading the dropper updatescript.bat through the\r\nPowerShell cmdlet Invoke-WebRequest from\r\nhxxps://websekir.com/g00glbat/index/processingSetRequestBat/?servername=msi . The dropper then executes\r\nthe third stage with the command cmd /c updatescript.bat .\r\nThe third-stage dropper contains most of the logic to impair the defenses of the machine. It also drops the fourth\r\nstage using a stealthy execution technique. At first, it disables all the Windows Defender modules through the\r\nPowerShell cmdlet Set-MpPreference . 
It then adds exclusions, such as regsvr32 , *.exe , *.dll , with the\r\ncmdlet Add-MpPreference to hide all the components of the malware from Windows Defender.\r\nAt this point the fourth-stage dropper is downloaded from the URL hxxps://pornofilmspremium.com/tim.EXE\r\nand saved as tim.exe . tim.exe is then executed through the LOLBAS command explorer.exe\r\ntim.exe . This allows the attacker to break the parent/child correlation often used by EDRs for detection.\r\nThe first part of the attack chain\r\nThe tim.exe binary is a backdoored version of the Windows utility wextract.exe. This backdoored version\r\ncontains extra embedded resources with names like “RUNPROGRAM”, “REBOOT”, and\r\n“POSTRUNPROGRAM”, among others.\r\nResources embedded in the tim.exe binary (left) and the legitimate wextract.exe (right)\r\nThis backdoored version contains additional code for creating a new malicious batch file with the name tim.bat .\r\nIt is placed in a temporary directory retrieved with the Win32 function GetTempPath() . It retrieves the content of\r\nthe resource “RUNPROGRAM” (containing the string value cmd /c tim.bat ) and uses it as the command line\r\nparameter for the CreateProcess() Win32 function.\r\nThe tim.bat file is a very short script that downloads the final ZLoader DLL payload with the name tim.dll\r\nfrom the URL hxxps://pornofilmspremium.com/tim.dll and executes it through the LOLBAS command\r\nregsvr32 tim.dll . This allows the attackers to proxy the execution of the DLL through a Microsoft-signed\r\nbinary.\r\nThis dropper also downloads the script nsudo.bat from hxxps://pornofilmspremium.com/nsudo.bat and runs it\r\nasynchronously, in parallel with the execution of tim.dll . 
The script aims to further impair the defenses of the\r\nmachine.\r\nPrivilege Escalation and Defense Evasion\r\nThe nsudo.bat script performs multiple operations with the goal of elevating privileges on the system and\r\nimpairing defenses.\r\nAt first, it checks if the current context of execution is privileged by verifying access to the SYSTEM hive.\r\nThis is done through %SYSTEMROOT%\\system32\\cacls.exe %SYSTEMROOT%\\system32\\config\\system . If the process\r\nin which it runs has no access to that hive, it jumps to the label :UACPrompt .\r\nThis part of the script implements an auto-elevation VBScript that aims to run an elevated process in order to\r\nmake system changes. The snippet of the script in charge of the UACPrompt feature is as follows:\r\n:UACPrompt\r\n echo Set UAC = CreateObject^(\"Shell.Application\"^) \u003e \"%temp%\\getadmin.vbs\"\r\n set params = %*:\"=\"\r\n echo UAC.ShellExecute \"cmd.exe\", \"/c %~s0 %params%\", \"\", \"runas\", 1 \u003e\u003e \"%temp%\\getadmin.vbs\"\r\n\"%temp%\\getadmin.vbs\"\r\n del \"%temp%\\getadmin.vbs\"\r\n exit /B\r\nThis snippet creates the VBScript getadmin.vbs , runs it and deletes it. Using a VBScript eases the interaction\r\nwith COM objects. In this case, it instantiates a Shell.Application object and calls the function\r\nShellExecute() to trigger the UAC elevation and the interaction with the AppInfo service.\r\nOnce the elevation occurs, the script is run with elevated privileges. At this point, the script performs the steps to\r\ndisable Windows Defender. It does this through a software utility called NSudo, renamed as javase.exe , which\r\nis downloaded from the URL hxxps://pornofilmspremium.com/javase.exe . The attacker leverages this utility in\r\norder to spawn a process with “TrustedInstaller” privileges. 
This can be abused by the attacker to disable the\r\nWindows Defender service even if it runs as a Protected Process Light.\r\nThe script downloads the file autorun100.bat from and places it in the startup folder\r\n%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup . This script ensures that the\r\nWinDefend service is deleted at the next boot through the utility NSudo .\r\nThe nsudo.bat script also completely disables UAC by setting the following registry value to 0:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA\r\nIn order to have these changes take effect, the computer is forced to restart. The nsudo.bat script does this with\r\nshutdown.exe /r /f /t 00 . At this point, the attack chain of the script nsudo.bat is complete.\r\nZLoader Payload Execution Chain\r\nThe tim.dll is the main ZLoader payload that encapsulates the unpacking logic and adds persistence. It is\r\nexecuted through the system-signed binary regsvr32.exe .\r\nIt first creates a directory with a random name inside %APPDATA% and then creates a copy of itself in the newly\r\ncreated directory. It then adds a new value under the registry key\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run . The value data contains the\r\ncommand line of the malicious process to spawn on user logon. This ensures that the attacker’s implant survives\r\nmachine reboots. The DLL execution also relies on the regsvr32 binary. This is an example of the registry value\r\ncreated on a single run of the sample:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Iwalcacvalue: regsvr32.exe /s C:\\Use\r\nThen it starts the unpacking by leveraging a process injection technique known as Thread Hijacking. 
It contains a\r\nsmall variation but essentially uses the same pattern of Win32 API calls used for Thread Hijacking:\r\nVirtualAllocEx() -\u003e WriteProcessMemory() -\u003e GetThreadContext() -\u003e SetThreadContext() -\u003e ResumeThread()\r\nIt first creates a new process as a host for the unpacked DLL, and for this sample it uses a new instance of\r\nmsiexec.exe . Then it allocates and writes two RWX memory regions inside the target process. One contains the\r\nunpacked version of the DLL XOR’ed with a key; the second contains some shellcode to decrypt the DLL and\r\njump to the entry point.\r\nThe unpacking routine\r\nOnce the memory is written in the remote process, it sets EIP in the new thread context to point to the unpacking\r\nroutine shellcode and resumes the main thread of msiexec . This is how the hijacking of the main thread occurs.\r\nThe unpacked DLL is extracted from the memory of the msiexec.exe process by dumping the memory address used\r\nin the first WriteProcessMemory() call.\r\nWe have compared the unpacked DLL with the recent ZLoader payloads and found a similarity score of 92.62%.\r\nFinal part of the attack chain\r\nAnalyzing The New Zloader C2 Infrastructure\r\nThe analyzed sample belongs to the ‘Tim’ Botnet as defined in the malware configuration. Some of the embedded\r\nC2s (the full list can be found in the IoC section of the full report) are also shared by the googleaktualizacija\r\nZLoader botnet.\r\nOne of the C2s dumped from the infected machine, mjwougyhwlgewbajxbnn[.]com , used to resolve to\r\n194.58.108[.]89 until the 25th of August 2021. As of the 26th of August, however, it points to\r\n195.24.66[.]70 .\r\nThe IP 194.58.108[.]89 belongs to ASN 48287 – RU-CENTER and seems to host many different domains –\r\n350 at the time of writing – forming the new ZLoader infrastructure. 
Some domains implement the gate.php\r\ncomponent, which is a fingerprint of the ZLoader botnet. We noticed during our investigation that all the domains\r\nwere registered from April to August 2021, and they switched to the new IP ( 195.24.66[.]70 ) on the 26th of\r\nAugust.\r\nA Targeted Campaign: AU And DE Financial Institutions\r\nThe new ZLoader campaign is targeted. The final payload has a list of embedded AU and DE domains, and\r\ncontains some strings with wildcards used by the malware to intercept specific users’ web requests to bank portals.\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@https:\r\n@www.independentreserve.com*\r\n@www.coinspot.com.au*\r\n@https:\r\nFrom our analysis of the communication patterns related to mjwougyhwlgewbajxbn[.]com , we were able to map\r\nmost of the source traffic used by the operators of the botnet.\r\nThe pornofilmspremium[.]com domain delivers the tim.exe component. The domain was registered on\r\n2021-07-19 (Location RU, ASN: REG RU 197695) and is associated by the community with ZLoader [1, 2]. The email\r\naddress neo@kosai-city[.]com was used to register this domain and a number of others, as detailed in the full\r\nreport.\r\nConclusion\r\nThe attack chain analyzed in this research shows how the complexity of the attack has grown in order to reach a\r\nhigher level of stealthiness. The first-stage dropper has been changed from the classic malicious document to a\r\nstealthy, signed MSI payload. 
It uses backdoored binaries and a series of LOLBAS to impair defenses and proxy\r\nthe execution of its payloads.\r\nThis is the first time we have observed this attack chain in a ZLoader campaign. At the time of writing, we have\r\nno evidence of whether the delivery chain was implemented by a specific affiliate or provided by the main\r\noperator. SentinelLabs continues to monitor this threat in order to track further activity.\r\nIndicators of Compromise\r\nFor a full list of IoCs see the full report.\r\nRead the Full Report\r\nWe thank Awais Munir for his assistance in the technical analysis of the Zloader campaign.\r\nSource: https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/"
	],
	"report_names": [
		"hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms"
	],
	"threat_actors": [],
	"ts_created_at": 1775434765,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb0afe48f86a452e863489626321658c87d30914.pdf",
		"text": "https://archive.orkl.eu/eb0afe48f86a452e863489626321658c87d30914.txt",
		"img": "https://archive.orkl.eu/eb0afe48f86a452e863489626321658c87d30914.jpg"
	}
}