{
	"id": "faf9c001-dfe0-4aad-a37c-b674f2ae5b58",
	"created_at": "2026-04-06T01:29:22.117776Z",
	"updated_at": "2026-04-10T13:11:57.272799Z",
	"deleted_at": null,
	"sha1_hash": "eddd42fc421adce3ca1615c7ef88a6dbf3aaea9b",
	"title": "ESET takes part in global operation to disrupt Zloader botnets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2837421,
	"plain_text": "ESET takes part in global operation to disrupt Zloader botnets\r\nBy Jean-Ian Boutin and Tomáš Procházka\r\nArchived: 2026-04-06 00:26:56 UTC\r\nESET has collaborated with partners Microsoft’s Digital Crimes Unit, Lumen’s Black Lotus Labs, Palo Alto Networks Unit\r\n42, and others in an attempt to disrupt known Zloader botnets. ESET contributed to the project by providing technical\r\nanalysis, statistical information, and known command and control server domain names and IP addresses.\r\nZloader started life as a banking trojan, but lately evolved to become a distributor of several malware families, including\r\nvarious ransomware families.\r\nThe coordinated disruption operation targeted three specific botnets, each one using a different version of the Zloader\r\nmalware. ESET researchers helped with identification of 65 domains that had been used by these botnet operators recently\r\nand that had been taken over for this disruption operation to be effective. On top of that, Zloader bots rely on a backup\r\ncommunication channel that automatically generates unique domain names that can be used to receive commands from their\r\nbotmasters. This technique, known as a domain generation algorithm (DGA), is used to generate 32 different domains per\r\nday, per botnet. To make sure that the botnet operators cannot use this side channel to regain control of their botnets, an\r\nadditional 319 already registered domains generated by this algorithm were taken over and the working group is also taking\r\nmeasures to block registration of DGA domains possibly generated in the future. Microsoft’s investigation also identified\r\nDenis Malikov as a co-author of a malicious component used by the operators of one of the botnets.\r\nBackground\r\nZloader is one of the many banking trojan malware families heavily inspired by the famous Zeus banking trojan, whose\r\nsource code was leaked in 2011. 
Many research papers have been published about this malware already, with the latest one\r\nfrom Malwarebytes and HYAS being the most detailed from the technical point of view.\r\nThis blogpost won’t focus on deep technical aspects of the trojan, but rather will cover the details of its operation and\r\ninfrastructure.\r\nThe first version (1.0.0.0) of Zloader that we were able to find was compiled on November 9th 2019, the same day it was\r\nannounced and advertised in underground forums under the name “Silent Night”. ESET researchers have been closely\r\nmonitoring its activity and evolution ever since then, giving us great insight into Zloader’s mode of operation and its\r\ninfrastructure.\r\nThroughout Zloader’s existence, we have analyzed about 14,000 unique samples via our automatic tracking system, which\r\nhelped us to discover more than 1,300 unique C\u0026C servers. In March 2020, Zloader implemented a domain generation\r\nalgorithm (DGA) that allowed us to discover about 300 additional active domains registered by Zloader operators and used\r\nas C\u0026C servers.\r\nWe have seen a couple of peaks in Zloader’s popularity among threat actors, mainly during its first year of existence, but its\r\nuse began declining during 2021 with only a couple of actors left using it for their malicious intents. This may, however,\r\nchange in the future as we have already seen version 2.0 samples in the wild (compiled in July 2021). Our findings show\r\nthat these were just test builds, but we will be closely monitoring this new activity and its evolution. Due to low prevalence\r\nand the nature of this new version, all the following information applies to Zloader version 1.x.\r\nAs already mentioned, Zloader, similar to other commodity malware, is being advertised and sold on underground forums.\r\nWhen purchased, affiliates are given all they need to set up their own servers with administration panels and to start building\r\ntheir bots. 
Affiliates are then responsible for bot distribution and maintaining their botnets.\r\nAs you can see in Figure 1, we have observed Zloader infestations and campaigns in many countries with North America\r\nbeing the most targeted.\r\nhttps://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/\r\nPage 1 of 11\n\nFigure 1. Worldwide Zloader campaign detection rate (based on data since February 2020)\r\nZloader has been used by various affiliate groups and each of them has used a different approach for the malware’s\r\ndistribution, including:\r\nRIG exploit kit\r\nCOVID-19-themed spam emails with malicious Microsoft Word documents attached\r\nVariants of fake invoice spam emails with malicious XLS macros\r\nMisuse of Google Ads\r\nThe development of the latest distribution methods will be covered in the next sections.\r\nZloader internals\r\nZloader has a modular architecture, downloading and utilizing its modules as needed. Supported Zloader modules are\r\ndisplayed in Table 1 and Table 2.\r\nTable 1. Overview of malicious modules used by Zloader\r\nMalicious modules Functionality\r\nLoader module Loading the core module\r\nCore module (x86) Main functionality for x86 processes\r\nCore module (x64) Main functionality for x64 processes\r\nhvnc32 module Hidden VNC (x86) for remote PC control\r\nhvnc64 module Hidden VNC (x64) for remote PC control\r\nTable 2. Legitimate tools abused by Zloader to support its malicious tasks\r\nHelper modules Functionality\r\nzlib1.dll Used to support AitB (Adversary in the Browser) attacks\r\nlibssl.dll Used to support AitB attacks\r\ncertutil.exe (+necessary DLL files) Used to support AitB attacks\r\nsqlite3.dll Used for processing browser data\r\nZloader’s first component is a loader that is used to download or load (if already downloaded) the core module. 
This core\r\nmodule is then responsible for downloading and loading additional modules and performing its own malicious tasks.\r\nZloader’s notable features are:\r\nAbility to steal various data from browsers and Microsoft Outlook, steal cryptocurrency wallets\r\nKeystroke logging\r\nHiddenVNC support to allow the operator to remotely control compromised systems\r\nSupport for Zeus-like webinjects, form grabbing, and form screenshotting\r\nArbitrary command execution (e.g., download and execute other malware)\r\nAll communication between bots and their C\u0026C servers is performed over HTTP/HTTPS, and regardless of which is used\r\nthe data is encrypted using RC4. Some of the data is additionally encrypted using an XOR-based algorithm known as\r\n“Visual Encrypt”. The RC4 key is unique for each affiliate as described in the next section. Figure 2 shows a bot’s static\r\nconfiguration. It contains a list of up to ten hardcoded C\u0026C URLs along with other important data for communication –\r\nsuch as the botnetID to help the operator easily filter data from different campaigns, the signature for communications\r\nverification, etc. A bot’s C\u0026C list can be easily updated by issuing a command from the operator’s administration panel if\r\nneeded.\r\nFigure 2. Zloader’s static configuration\r\nIf none of the hardcoded servers responds, a Zloader bot can use its DGA as a fallback mechanism. Every day, a list of 32\r\nnew domains unique for every affiliate is generated based on the current day retrieved by the GetLocalTime function. Generated\r\nURLs have the format https://\u003c20_random_lowercase_ASCII_letters\u003e.com/post.php\r\nBotnet infrastructure and affiliates\r\nThe RC4 encryption key used in botnet communication is unique for every affiliate and tied to the affiliate’s administration\r\npanel installation. 
This uniqueness gives us the opportunity to cluster Zloader samples and track affiliates’ distribution\r\nmethods and the evolution of their campaigns.\r\nSince the beginning of our tracking, we have observed more than 25 different RC4 keys. It is worth noting that some of\r\nthese affiliates were active for a very short period — some of them were probably just testing Zloader’s features. It is also\r\npossible that some operators just redeployed their administration panel installation at some point and continued their\r\noperation with a new RC4 key. A timeline of notable affiliate activity, as well as various Zloader version release dates, can\r\nbe seen in Figure 3.\r\nFigure 3. Activity of some of the notable affiliates\r\nAs can be seen in Figure 5, from October 2020, most Zloader activity was due to only two affiliates. We can distinguish\r\nthem by their RC4 keys – 03d5ae30a0bd934a23b6a7f0756aa504 and dh8f3@3hdf#hsf23\r\nWe cover these two affiliates’ activities in the next two sections.\r\ndh8f3@3hdf#hsf23\r\nThis affiliate was active under this particular RC4 key starting in June 2020. The first Zloader version it used was 1.3.27.0\r\nand then closely followed the newest version available up until the latest available Zloader version to this date – 1.8.30.0.\r\nHowever, its activity started to decline in the second half of 2021 and we haven’t seen any new activity of this botnet since\r\nlate November 2021.\r\nOne of the most interesting activities of this affiliate is that it used Zloader’s ability to deploy arbitrary payloads to distribute\r\nmalicious payloads to its bots. Most notably, it spread various ransomware families such as DarkSide, as highlighted by this\r\nresearch from Guidepoint Security. 
However, the botmasters did not deploy ransomware to all of their bots; they deployed\r\nthis type of malware mostly on systems belonging to corporate networks. When installed on a system, Zloader gathers\r\nvarious information about the network its compromised host belongs to. This allows botnet operators to pick specific\r\npayloads depending on the victim’s network.\r\nThis affiliate was spreading their malicious Zloader samples mostly through spam emails with malicious documents attached\r\nto them. The Zloader static configuration contains a botnetID, allowing the botmaster to cluster different bots in different\r\nsub-botnets. The most prevalent botnetIDs for this affiliate in the last year of its operation were nut and kev.\r\nThis operator was also a bit more security aware compared to other Zloader customers and used a tiered architecture for\r\ntheir C\u0026C servers. Typically, a simple proxy script was planted on an often legitimate but compromised website and it was\r\nused for tier1 C\u0026C URLs in their bots. This script simply forwards all HTTP/HTTPS traffic from the bot onto the tier2\r\nserver, keeping the location of the real administration panel installation secret.\r\nBesides using Zloader as an entry point for ransomware attacks, this affiliate also used Zloader’s AitB capabilities to steal\r\nvictim information and alter the content of various financial institutions and e-commerce websites based in the USA and\r\nCanada.\r\n03d5ae30a0bd934a23b6a7f0756aa504\r\nThis affiliate has been using Zloader since its early versions and is still active as of today. Despite the latest available version\r\nof Zloader being 1.8.30.0, this affiliate has stuck with version 1.6.28.0 since its release in October 2020. We can only\r\nspeculate as to the reasons behind this. 
One hypothesis is that this affiliate did not pay to extend their support coverage for\r\nZloader and thus does not have access to later versions.\r\nThe operator of this botnet used to depend solely on C\u0026C domains generated by Zloader’s DGA and did not update their\r\nbots with a new C\u0026C list for more than a year, meaning that all hardcoded C\u0026C servers in their bots were inactive for a\r\nlong time. This changed in November 2021 when this affiliate updated their bots with a list of new C\u0026C servers and also\r\nupdated the static configuration of newly distributed binaries to reflect this change. This effort was probably motivated by\r\nthe fear of losing access to their botnet should anyone register and sinkhole all future DGA-generated domains for this actor.\r\nFigure 4 shows the administration panel login page that was installed directly on the C\u0026C server, hardcoded in the bot’s\r\nstatic configuration.\r\nFigure 4. Administration panel login page\r\nSome notable botnetIDs used by this operator were: personal, googleaktualizacija and more recently return, 909222, 9092ti\r\nand 9092us.\r\nAnalysis of the webinjects downloaded by the bots in this affiliate’s botnet shows that the operator’s interests are very broad.\r\nThey are apparently interested in gathering victims’ login credentials and other personal data from various financial\r\ninstitution websites (banks, stock trading platforms, etc.), e-commerce sites (such as Amazon, Best Buy, Walmart),\r\ncryptocurrency exchanges, and even various online platforms such as Google and Microsoft. 
Particular focus was put on\r\ncustomers of financial institutions from the USA, Canada, Japan, Australia, and Germany.\r\nIn addition to the login credential harvesting, this affiliate also used Zloader to distribute various malware families such as\r\nthe Raccoon infostealer.\r\nDistribution\r\nThis threat actor uses various means to spread Zloader, with the misuse of Google Ads and bogus adult sites being their latest\r\ndistribution methods of choice.\r\nStarting in October 2020, fake adult sites started to push malicious payloads to their visitors posing as a Java update in an\r\nMSI package (with filename JavaPlug-in.msi), supposedly required to watch the requested video. This fake Java update\r\npackage typically contained a downloader that downloaded Zloader itself as the final payload. Since April 2021, this scheme\r\nhas been enhanced by adding a script to disable Microsoft Defender to further increase the chances of successfully\r\ncompromising the system.\r\nIn June 2021, this affiliate also started to promote packages typically used in corporate environments. When internet users\r\nsearched for a popular application to download, such as Zoom or TeamViewer, they might have been presented with a fake\r\ndownload site promoted via a Google Ad that tried to trick them into downloading a malicious package posing as the app\r\nthey were searching for. This distribution method not only installed Zloader but could also install other potentially malicious\r\ntools, notably if the compromised system was part of an Active Directory domain. Atera Agent and the notorious Cobalt\r\nStrike Beacon were seen to be installed in such cases. These tools could grant the attacker complete control of the\r\ncompromised system and result in stealing of sensitive company data, installation of other malware such as ransomware and\r\nother malicious activity incurring significant losses for the company.\r\nFigure 5 shows the logic to check whether a system belongs to a domain. 
As seen below, Cobalt Strike Beacon is installed if\r\nthe list of the system’s trusted domains is non-empty.\r\nFigure 5. PowerShell script responsible for Cobalt Strike Beacon installation\r\nThe latest iteration of this distribution method relied heavily on the aforementioned Atera Agent, which was usually\r\ndownloaded from bogus adult sites. An example of what a visitor would see is shown in Figure 6.\r\nFigure 6. Fake adult site luring users into downloading Atera remote management tool\r\nAtera Agent is a legitimate “remote monitoring and management” solution used by IT companies to administer their\r\ncustomers’ systems. One of its features – remote script execution – was used in this campaign to deliver Zloader payloads\r\nand other malicious helper files. The purpose of these helper files was to support the installation process by executing\r\nspecific tasks such as privilege escalation, execution of further samples, disabling of Windows Defender, etc.\r\nThese tasks were usually achieved via simple BAT files, but it is worth mentioning that attackers also exploited a known\r\ndigital signature verification vulnerability to use legitimate, signed Windows executable files with malicious VBScripts\r\nappended to the end of those files, where the signature section is located (see Figure 7). For the PE file to remain valid,\r\nattackers also need to alter the PE header to adjust the signature section length and checksum. This alteration of the file’s\r\ncontent does not revoke the validity of its digital signature during the verification process because the modified content is\r\nexempted from the verification process. Thus, the file’s new malicious content may stay off the radar. This\r\nvulnerability is described, for example, in CVE-2012-0151 or CVE-2013-3900, and also in this blogpost by Check Point\r\nResearch. 
Its fix is unfortunately disabled by default in Windows, and therefore, it can still be misused by attackers in a large\r\nnumber of systems.\r\nFigure 7. Example of a script appended to the PE file signature section\r\nIn the recent campaign, an Ursnif trojan was sometimes installed instead of Zloader, showing that this affiliate group does not\r\nrely on a single malware family but has more tricks up its sleeve. A typical scenario of this distribution method is displayed\r\nin Figure 8.\r\nFigure 8. Typical distribution method using Atera Agent\r\nWe relentlessly continue to track threats that are used to spread ransomware, which is an ongoing threat to internet security.\r\nAs Zloader is available in underground forums, ESET Researchers will monitor any new activity tied to this malware family,\r\nfollowing this disruption operation against its existing botnets.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research now also offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nSamples\r\nSHA-1 Filename ESET detection name Description\r\n4858BC02452A266EA3E1A0DD84A31FA050134FB8 9092.dll Win32/Kryptik.HNLQ trojan\r\nZloader return botnet as do\r\nhttps://teamworks455[.]co\r\nhttps://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/\r\nPage 7 of 11\n\nSHA-1 Filename ESET detection name Description\r\nBEAB91A74563DF8049A894D5A2542DD8843553C2\r\n9092.dll\r\nus.dll\r\nWin32/Kryptik.HODI trojan\r\nZloader 9092us botnet as d\r\nhttps://endoftheendi[.]com\r\n462E242EF2E6BAD389DAB845C68DD41493F91C89 N/A Win32/Spy.Zbot.ADI trojan\r\nUnpacked initial loader co\r\nbotnet.\r\n30D8BA32DAF9E18E9E3CE564FC117A2FAF738405 N/A Win32/Spy.Zbot.ADI trojan\r\nDownloaded Zloader main\r\n(x86).\r\nBD989516F902C0B4AFF7BCF32DB511452355D7C5 N/A Win64/Spy.Zbot.Q trojan\r\nDownloaded Zloader main\r\n(x64).\r\nE7D7BE1F1FE04F6708EFB8F0F258471D856F8F8F N/A Win32/Hvnc.AO trojan Downloaded Zloader HVN\r\n5AA2F377C73A0E73E7E81A606CA35BC07331EF51 N/A Win64/Hvnc.AK trojan Downloaded Zloader HVN\r\n23D38E876772A4E28F1B8B6AAF03E18C7CFE5757 auto.bat BAT/Agent.PHM trojan Script used by Atera Agen\r\n9D3E6B2F91547D891F0716004358A8952479C14D new.bat BAT/Agent.PHL trojan Script used by Atera Agen\r\n33FD41E6FD2CCF3DFB0FCB90EB7F27E5EAB2A0B3 new1.bat BAT/Shutdown.NKA trojan Script used by Atera Agen\r\n5A4E5EE60CB674B2BFCD583EE3641D7825D78221 new2.bat BAT/Shutdown.NKA trojan Script used by Atera Agen\r\n3A80A49EFAAC5D839400E4FB8F803243FB39A513 adminpriv.exe Win64/NSudo.A potentially unsafe\r\napplication\r\nNSudo tool used for privil\r\ndistribution scripts.\r\nF3B3CF03801527C24F9059F475A9D87E5392DAE9 reboot.dll Win32/Agent.ADUM trojan\r\nSigned file exploiting CVE\r\nmalicious script command\r\nA187D9C0B4BDB4D0B5C1D2BDBCB65090DCEE5D8C TeamViewer.msi\r\nWin64/TrojanDownloader.Agent.KY\r\ntrojan\r\nMalicious MSI installer co\r\nused to deliver 
Zloader.\r\nF4879EB2C159C4E73139D1AC5D5C8862AF8F1719 tvlauncher.exe Win64/TrojanDownloader.Agent.KY\r\ntrojan\r\nDownloader used to delive\r\nE4274681989347FABB22050A5AD14FE66FFDC000 12.exe Win32/Kryptik.HOGN trojan Raccoon infostealer down\r\nFA1DB6808D4B4D58DE6F7798A807DD4BEA5B9BF7 racoon.exe Win32/Kryptik.HODI trojan Raccoon infostealer down\r\nNetwork\r\nDomains and URLs used in distribution\r\n[list of distribution domains and URLs omitted]\r\nLatest Zloader C\u0026C servers\r\n[list of C\u0026C URLs omitted]\r\nURLs used to download arbitrary malware\r\nhttps://braves[.]fun/racoon.exe\r\nhttps://endoftheendi[.]com/12.exe\r\nDomains used in recent Zloader’s Webinjects attacks\r\nhttps://dotxvcnjlvdajkwerwoh[.]com\r\nhttps://aerulonoured[.]su\r\nhttps://rec.kindplanet[.]us\r\nMITRE ATT\u0026CK techniques\r\nThis table 
was built using version 10 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nResource\r\nDevelopment\r\nT1583.001 Acquire Infrastructure: Domains\r\nSeveral domains were acquired by Zloader to\r\nsupport C\u0026C.\r\nT1583.004 Acquire Infrastructure: Server\r\nSeveral servers were used to host Zloader\r\ninfrastructure.\r\nT1584.004 Compromise Infrastructure: Server\r\nSome legitimate websites were compromised\r\nto host parts of Zloader infrastructure.\r\nT1587.001 Develop Capabilities: Malware\r\nZloader is malware targeting users of the\r\nWindows operating system.\r\nT1587.002\r\nDevelop Capabilities: Code\r\nSigning Certificates\r\nSome of Zloader's distribution methods use\r\nsigned malicious binaries.\r\nT1587.003\r\nDevelop Capabilities: Digital\r\nCertificates\r\nZloader used digital certificates in HTTPS\r\ntraffic.\r\nT1588.001 Obtain Capabilities: Malware\r\nVarious malware samples are used to distribute\r\nZloader or are distributed by Zloader itself.\r\nT1588.002 Obtain Capabilities: Tool\r\nVarious legitimate tools and libraries are used\r\nto support Zloader tasks.\r\nT1588.006\r\nObtain Capabilities:\r\nVulnerabilities\r\nCVE-2013-3900 is exploited in one of\r\nZloader's distribution methods.\r\nInitial Access T1189 Drive-by Compromise\r\nZloader operators use Google Ads and fake\r\nwebsites to lure victims into downloading\r\nmalicious installers.\r\nExecution\r\nT1059.001\r\nCommand and Scripting\r\nInterpreter: PowerShell\r\nPowerShell commands are used to support\r\nsome of Zloader's distribution methods.\r\nT1059.003\r\nCommand and Scripting\r\nInterpreter: Windows Command\r\nShell\r\nBatch files are used to support some of\r\nZloader's distribution methods.\r\nT1059.005\r\nCommand and Scripting\r\nInterpreter: Visual Basic\r\nVBScript is used to launch the main Zloader\r\npayload.\r\nT1106 Native API\r\nZloader makes heavy use of dynamic\r\nWindows API 
resolution.\r\nT1204.001 User Execution: Malicious Link\r\nZloader is commonly distributed through\r\nmalicious links.\r\nT1204.002 User Execution: Malicious File\r\nZloader is commonly distributed via malicious\r\nMSI installers.\r\nT1047\r\nWindows Management\r\nInstrumentation\r\nZloader uses WMI to gather various system\r\ninformation.\r\nPersistence T1547.001\r\nBoot or Logon Autostart\r\nExecution: Registry Run Keys /\r\nStartup Folder\r\nZloader uses a registry run key to establish\r\npersistence.\r\nPrivilege\r\nEscalation\r\nT1548.002\r\nAbuse Elevation Control\r\nMechanism: Bypass User Account\r\nControl\r\nSeveral methods are used to bypass UAC\r\nmechanisms during Zloader's deployment.\r\nDefense\r\nEvasion\r\nT1055.001\r\nProcess Injection: Dynamic-link\r\nLibrary Injection\r\nZloader injects its modules into several\r\nprocesses.\r\nT1140\r\nDeobfuscate/Decode Files or\r\nInformation\r\nZloader stores its modules in an encrypted\r\nform to hide their presence.\r\nT1562.001\r\nImpair Defenses: Disable or\r\nModify Tools\r\nSome distribution methods disable Windows\r\nDefender prior to the installation of Zloader.\r\nT1070.004\r\nIndicator Removal on Host: File\r\nDeletion\r\nSome components of Zloader or its\r\ndistribution method are removed after\r\nsuccessful installation.\r\nT1036.001 Masquerading: Invalid Code\r\nSignature\r\nSome of the Zloader installers have been\r\nsigned using invalid certificates to make them\r\nseem more legitimate.\r\nT1036.005 Masquerading: Match Legitimate\r\nName or Location\r\nSome of the Zloader installers mimic names of\r\nlegitimate applications.\r\nT1027.002\r\nObfuscated Files or Information:\r\nSoftware Packing\r\nZloader’s code is obfuscated and its payload is\r\nusually packed.\r\nT1553.004\r\nSubvert Trust Controls: Install\r\nRoot Certificate\r\nZloader installs 
browser certificates to support AitB attacks.\r\nCredential\r\nAccess\r\nT1557 Adversary-in-the-Middle\r\nZloader leverages AitB techniques to intercept\r\nselected HTTP/HTTPS traffic.\r\nT1555.003\r\nCredentials from Password Stores:\r\nCredentials from Web Browsers\r\nZloader can gather saved credentials from\r\nbrowsers.\r\nT1056.001 Input Capture: Keylogging\r\nZloader can capture keystrokes and send them\r\nto its C\u0026C server.\r\nT1539 Steal Web Session Cookie Zloader can gather cookies saved by browsers.\r\nDiscovery T1482 Domain Trust Discovery Zloader gathers information about domain\r\ntrust relationships.\r\nT1083 File and Directory Discovery\r\nZloader can search for various documents and\r\ncryptocurrency wallets.\r\nT1057 Process Discovery Zloader enumerates running processes.\r\nT1012 Query Registry\r\nZloader queries registry keys to gather various\r\nsystem information.\r\nT1518.001\r\nSoftware Discovery: Security\r\nSoftware Discovery\r\nZloader uses a WMI command to discover\r\ninstalled security software.\r\nT1082 System Information Discovery\r\nZloader gathers various system information\r\nand sends it to its C\u0026C.\r\nT1016\r\nSystem Network Configuration\r\nDiscovery\r\nZloader gathers network interface information\r\nand sends it to the C\u0026C.\r\nT1033 System Owner/User Discovery\r\nZloader uses the victim's username to generate\r\na botID to identify a system in a botnet.\r\nT1124 System Time Discovery\r\nZloader gathers information about the system’s\r\ntime zone and sends it to the C\u0026C.\r\nCollection\r\nT1560.003\r\nArchive Collected Data: Archive\r\nvia Custom Method\r\nZloader uses RC4 and XOR to encrypt data\r\nbefore sending it to the C\u0026C.\r\nT1005 Data from Local System\r\nZloader can collect documents and\r\ncryptocurrency wallets.\r\nT1074.001 Data 
Staged: Local Data Staging\r\nZloader saves its collected data to a file prior to\r\nexfiltration.\r\nT1113 Screen Capture\r\nZloader has the ability to create screenshots of\r\nwindows of interest.\r\nCommand and\r\nControl\r\nT1071.001\r\nApplication Layer Protocol: Web\r\nProtocols\r\nZloader uses HTTP/HTTPS for C\u0026C\r\ncommunication.\r\nT1568.002\r\nDynamic Resolution: Domain\r\nGeneration Algorithms\r\nZloader uses a DGA as a fallback in samples\r\nsince 2020-03.\r\nT1573.001\r\nEncrypted Channel: Symmetric\r\nCryptography\r\nZloader uses RC4 for C\u0026C traffic encryption.\r\nSome of the data is additionally XOR\r\nencrypted.\r\nT1008 Fallback Channels\r\nMultiple C\u0026C servers are usually present in\r\nZloader configurations to avoid relying on just\r\none. A DGA is also implemented.\r\nT1219 Remote Access Software\r\nZloader uses a HiddenVNC module to\r\nsupport remote access.\r\nExfiltration T1041 Exfiltration Over C2 Channel\r\nZloader exfiltrates gathered data over its C\u0026C\r\ncommunication.\r\nImpact\r\nT1490 Inhibit System Recovery\r\nSome of the Zloader distribution methods\r\ndisable the Windows recovery function through\r\nbcdedit.exe.\r\nT1489 Service Stop\r\nSome of the Zloader distribution methods\r\ndisable the Windows Defender service.\r\nT1529 System Shutdown/Reboot\r\nSome of the Zloader distribution methods shut\r\ndown the system after the initial compromise.\r\nSource: https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/"
	],
	"report_names": [
		"eset-takes-part-global-operation-disrupt-zloader-botnets"
	],
	"threat_actors": [],
	"ts_created_at": 1775438962,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eddd42fc421adce3ca1615c7ef88a6dbf3aaea9b.pdf",
		"text": "https://archive.orkl.eu/eddd42fc421adce3ca1615c7ef88a6dbf3aaea9b.txt",
		"img": "https://archive.orkl.eu/eddd42fc421adce3ca1615c7ef88a6dbf3aaea9b.jpg"
	}
}