{
	"id": "9d1ca9e2-32c1-4b97-8335-164b86f67cef",
	"created_at": "2026-04-06T00:16:47.924239Z",
	"updated_at": "2026-04-10T03:36:48.137194Z",
	"deleted_at": null,
	"sha1_hash": "edf47735c5a4304d05e7d332864b16e662d66b44",
	"title": "GitHub - X-ZIGZAG/X-ZIGZAG: X-ZIGZAG is a lightweight RAT engineered for stealth, operating exclusively in RAM.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 320965,
	"plain_text": "GitHub - X-ZIGZAG/X-ZIGZAG: X-ZIGZAG is a lightweight\r\nRAT engineered for stealth, operating exclusively in RAM.\r\nBy X-SP33D\r\nArchived: 2026-04-05 16:14:13 UTC\r\nX-ZIGZAG is a lightweight and stealthy RAT designed for educational purposes. With a focus on small size\r\nand undetectability, X-ZIGZAG operates entirely in RAM, ensuring no traces are left on the target system. This\r\ntool is built without relying on any external libraries or third-party dependencies, making it both efficient and\r\nversatile.\r\n🚨 Disclaimer\r\nThis project is for educational purposes only. Unauthorized use on any system without the owner’s\r\nexplicit consent is illegal and unethical. The creator assumes no responsibility for any misuse or\r\ndamage caused by this software.\r\n🌟 Key Features\r\n💣 Self Destruct: Completely erase itself from the system without leaving any trace.\r\n⬇️ Download: Fetch and execute files from a remote server.\r\n📶 WiFi Passwords: Retrieve stored WiFi passwords effortlessly.\r\nhttps://github.com/X-ZIGZAG/X-ZIGZAG\r\nPage 1 of 3\n\n🔐 Chromium Browsers Data: Extract saved passwords, credit card details, and cookies from\r\nChromium-based browsers.\r\n️ System Info: Gather comprehensive system information.\r\n📸 Screenshots: Capture screenshots of the target machine in real-time.\r\n📤 Upload: Seamlessly send files from the target system to your server.\r\n️ VPN/Proxy Detection: Detect if the user is accessing the endpoints via a VPN or proxy. If detected,\r\nthe RAT will shut down immediately.\r\n🚫 BlackList IPs: Automatically avoid communication with IP addresses from known data centers (e.g.,\r\nGoogle, Amazon, Azure, OVH). 
If the RAT detects that it is running from one of these IPs, it will shut\r\ndown without performing any actions.\r\n👻 Hide: Operate in stealth mode to avoid detection.\r\n♻️ AutoStart Setup: Establish persistence on the target machine for continuous operation.\r\n🛑 VM/Server/RDP/VPS Detection: Prevent execution in virtualized environments, servers, or remote\r\ndesktop sessions.\r\nCMD / PowerShell Execution: Execute custom commands via CMD or PowerShell.\r\n🔧 Execute C# or VB.NET Code: Run custom C# or VB.NET code dynamically on the target system.\r\n⚙️ How It Works\r\n🔗 Communication: X-ZIGZAG communicates with a predefined server endpoint at intervals specified\r\nby the creator. It retrieves and executes instructions, returning results to the server for later analysis if\r\nnecessary.\r\n🧠 In-RAM Operation: All operations are executed in RAM, ensuring that no files are written to the disk,\r\nsignificantly reducing the risk of detection.\r\n⚖️ Legal \u0026 Ethical Considerations\r\nThe use of X-ZIGZAG on any system without explicit permission from the system’s owner is illegal. 
This tool is\r\nintended purely for educational purposes, allowing security professionals to study and understand the tactics,\r\ntechniques, and procedures (TTPs) employed by malicious actors.\r\nTechnologies Used\r\nClient (Target Machine): .NET Framework 4.6.1 - Windows Forms Application\r\nServer Side: ASP.NET 8 Web API, Entity Framework, PostgreSQL, Angular 18\r\n🚀 Installation\r\nFor a comprehensive installation guide, please refer to the release section of our GitHub repository: X-ZIGZAG\r\nReleases.\r\nGet started with ease by following the detailed instructions provided there!\r\nhttps://github.com/X-ZIGZAG/X-ZIGZAG\r\nPage 2 of 3\n\n📃 To-Do List\r\n📄 Firefox Browser Data\r\n📸 Webcam (Not stable and too risky)\r\n📝 Keylogger (Doesn't support all keyboard layouts)\r\n🔴 Live Interaction (Using sockets)\r\n👻 Improve Undetectability\r\n⚡ Optimize Size\r\n🔧 Contribution\r\nContributions are welcome! Please fork this repository, create a feature branch, and submit a pull request.\r\n©️ License\r\nThis project is licensed under the MIT License. See the LICENSE file for more details.\r\nStay ethical, stay safe.\r\nSource: https://github.com/X-ZIGZAG/X-ZIGZAG\r\nhttps://github.com/X-ZIGZAG/X-ZIGZAG\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/X-ZIGZAG/X-ZIGZAG"
	],
	"report_names": [
		"X-ZIGZAG"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434607,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/edf47735c5a4304d05e7d332864b16e662d66b44.pdf",
		"text": "https://archive.orkl.eu/edf47735c5a4304d05e7d332864b16e662d66b44.txt",
		"img": "https://archive.orkl.eu/edf47735c5a4304d05e7d332864b16e662d66b44.jpg"
	}
}