{
	"id": "2362004a-ac6f-4edd-9266-cb9dda4d9bac",
	"created_at": "2026-04-06T00:16:57.369454Z",
	"updated_at": "2026-04-10T03:37:09.402285Z",
	"deleted_at": null,
	"sha1_hash": "edf5dc0649939726d27de817439f79d9df5739ba",
	"title": "Zloader 2: The Silent Night",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 116500,
	"plain_text": "Zloader 2: The Silent Night\r\nBy Threat Research Team\r\nArchived: 2026-04-05 15:36:22 UTC\r\nIn this study we consider one of the Zeus successors – Zloader 2. We’ll show how it works and its code peculiarities. We’ll present the results of our deep dive into the botnets and campaigns and show some interesting connections between Zloader and other malware families.\r\nIntroduction\r\nZloader 2 (also known as Silent Night) is a multifunctional modular banking malware aimed at providing unauthorized access to online banking systems, payment systems and other financial-related services. In addition to these functions it is able to download and execute arbitrary files, steal files, inject arbitrary code into visited HTML pages and so on.\r\nHistory\r\nAccording to ZeusMuseum, the first versions of Zeus were observed in 2006-2008. Later, in 2011, its source code leaked. As a result, new versions and variants appeared. One of the Zeus successors, named Zloader, appeared at the turn of 2016 and 2017. Finally, another successor named Silent Night appeared in 2019. It was for sale on the underground market.\r\nThe earliest version of this variant we found has SHA256 384f3719ba4fbcf355cc206e27f3bfca94e7bf14dd928de62ab5f74de90df34a, timestamp 4 December 2019 and version number 1.0.2.0. In the middle of July 2021 version 2.0.0.0 was spotted.\r\nMicrosoft recently announced a joint investigation by multiple security companies and information sharing and analysis centers (ISACs) with the aim of taking down the Zloader botnet, and took the whole case to court.\r\nAlthough the original name of the malware was likely Silent Night and ZeusMuseum calls it Zloader 2, we are simply going to use the name Zloader.\r\nTechnical analysis\r\nModules and components\r\nZloader consists of different modules and components:\r\nDownloader – initial infector\r\nBackdoor – main module, exists in x86 and x64 versions\r\nVNC module (x86 and x64)\r\nWeb Injects – received from C\u0026C\r\nAdditional libraries (openssl, sqlite, zlib, Mozilla libraries)\r\nhttps://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/\r\nPage 1 of 8\r\nBackdoors, VNC modules and additional libraries have assigned module IDs that are used by other components to refer to them.\r\nDistribution\r\nZloader was distributed using classic email spam. In 2021 the attackers abused Google AdWords to advertise sites with a fake Zoom communication tool which actually installed Zloader. Another campaign in 2021 used fake porn sites, where users needed to download additional software to watch videos. Downloaders are distributed in a packed form, sometimes signed with a valid digital signature.\r\nMap showing the distribution of infected systems:\r\nCode peculiarities\r\nZloader code is very recognizable. First of all, it is diluted with functions which will never be called. The Downloader module may contain functions from the Backdoor module and vice versa. In total, about half of the code will never be called.\r\nSecond, simple x86 instructions like CMP, ADD and XOR are replaced with special functions. These functions contain a lot of useless code to complicate the analysis and they can call other “replacement” functions. To add insult to injury, multiple “replacement” functions exist for a particular instruction. Also, some constants are calculated at runtime using the aforementioned “replacement” functions.\r\nStrings are encrypted with a simple XOR algorithm.\r\nSamples have very few imported functions. APIs are resolved at runtime by the hashes of their names.\r\nAs a result, more than half of the file size is useless and serves as an obfuscation of simple operations.\r\nConfiguration\r\nBoth Downloader and Backdoor modules have a built-in configuration encrypted with RC4. The decryption key is stored in plaintext and looks like vcvslrpvwwfanquofupxt . The structure of earlier versions (1.0.x, for example) differs from later versions (1.6.x and 1.8.x). Modern versions store the following information in the config:\r\nBotnet name ( divader in the picture below)\r\nCampaign name ( xls_s_2010 )\r\nList of hardcoded C\u0026Cs\r\nRC4 key ( 03d5ae30a0bd934a23b6a7f0756aa504 )\r\nBinStorage\r\nWe have to briefly cover the BinStorage – the data format used by Zloader to communicate with C\u0026Cs and to store various data: web injects, system information, stolen data and logs. A BinStorage consists of a header and records (also called fields). The main header stores information about the number of records, the data size (in bytes) and their MD5. Records have their own small headers containing a FieldID – a DWORD describing the meaning of the data.\r\nSome FieldIDs are hardcoded. For example, FieldID=0x4E20 stores the last working C\u0026C. Other FieldIDs are derived from file paths (used to store stolen files).\r\nRegistry usage\r\nZloader modules (at least Downloaders and Backdoors) use the registry to store various data necessary for their work. The ROOT_KEY for this data is HKEY_CURRENT_USER\\Software\\Microsoft\\\r\nThe most important and interesting data structure stored by Zloader in the registry is called MAIN_STRUCT . It is a subkey of the ROOT_KEY and the value name is derived from the RC4 key found in the configuration. We suppose that bots from one actor use the same RC4 key, so they can easily find and read the MAIN_STRUCT .\r\nMAIN_STRUCT is encrypted using RC4 with the key from the configuration. It stores:\r\nRegistry paths to other storages used by Zloader\r\nFile and directory paths used by Zloader\r\nEncryption key(s) to decrypt those storages\r\nFiles usage\r\nThe root path is %APPDATA% . Zloader creates directories with random names inside it to store modules, stolen data and logs. These paths are stored in the MAIN_STRUCT .\r\nNetworking\r\nAs mentioned before, communication between the bot and C\u0026C is done using BinStorages. Depending on the actual type of the message, the field list may change, but there are 5 constant fields sent to the C\u0026C:\r\nSome DWORD from the Configuration\r\nBotnet name from the Configuration\r\nBotID, derived from the system information\r\nDebug flag from the Configuration\r\n16 random bytes\r\nRequests are encrypted using the RC4 key from the Configuration. C\u0026C responses are signed with RSA.\r\nPING request\r\nThis request is used to check if the C\u0026C is alive. The response contains only the random bytes sent by the bot.\r\nDOWNLOAD MODULE request\r\nThis request is used to download modules by their ID from the C\u0026C. The response is not in BinStorage form!\r\nGET CONFIG request\r\nUsed to receive configuration updates: new C\u0026Cs, WebInjects, tasks for downloading etc.\r\nC\u0026Cs and DGA\r\nAs shown before, the built-in configuration has a list of hardcoded C\u0026Cs. Actually, these lists have not changed for years. To bypass blocking of these hardcoded C\u0026Cs, Zloader uses a DGA – Domain Generation Algorithm. In Zloader, the DGA produces 32 domains based on the current date and the RC4 key from the configuration.\r\nThere is a third type of C\u0026Cs – received in the response from the server. They are stored in the Registry.\r\nDownloader module\r\nAnalysis based on version 1.6.28.0, 44ede6e1b9be1c013f13d82645f7a9cff7d92b267778f19b46aa5c1f7fa3c10b\r\nThe function of the Downloader is to download, install and run the next module – the Backdoor.\r\nMain function\r\nJust after the start of the Downloader module, junk code is started. It consists of many junk functions which form a kind of “network”. In the image below there is a call graph from just a single junk function. These functions also try to read, write and delete some *.txt files in %TEMP% . The purpose of this is to delay the execution of the payload and, we suppose, to complicate emulation, debugging and analysis.\r\nThe second and last task of the Main function is to start msiexec.exe and perform PE injection of the code into it. The injected data consists of two buffers: a big one, where the Downloader is stored in encrypted form, and a small one (0x42 bytes) with decryption code. Just after the injection the Downloader terminates itself.\r\nInjected code\r\nControl flow is passed to the small buffer, which decrypts the Downloader in the address space of msiexec.exe. After the decryption, the Downloader begins to execute its main task.\r\nFirst of all, the injected code tries to read MAIN_STRUCT from the registry. If this fails, it assumes it was not installed on this system and the installation process begins: MAIN_STRUCT is created, the Downloader module is copied into %APPDATA% and added to the autorun key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run with a random value name.\r\nIn any case, the Backdoor module is requested from the disk or from the network and executed.\r\nBackdoor module\r\nAnalysis based on version 1.6.28.0, c7441a27727069ce11f8d54676f8397e85301b4d65d4d722c6b239a495fd0282\r\nThere are actually two Backdoor modules: for 32-bit systems (moduleID 0x3EE ) and for 64-bit systems (moduleID 0x3E9 ). The Downloader always requests a 32-bit Backdoor.\r\nBackdoors are much more complicated than Downloaders. If we compare the size of our samples (after unpacking), the Backdoor is twice as big.\r\nKey Backdoor abilities:\r\nStarting the VNC module\r\nInjecting WebInjects into pages visited using browsers\r\nDownloading and executing arbitrary files\r\nKeylogging\r\nMaking screenshots\r\nStealing files and sending them to the C\u0026C\r\nStealing files\r\nThe largest group of software from which Zloader steals files is crypto wallets:\r\nElectrum\r\nEthereum\r\nExodus cryptowallet\r\nZcash\r\nBitcoin-Qt\r\nEtc.\r\nIt also steals data from browsers: cookies from Chrome, Firefox and IE; saved logins from Chrome. And, finally, it is able to steal account information from Microsoft Outlook.\r\nHooking\r\nTo achieve its goals, Zloader performs WinAPI hooking. In order to perform it, the Backdoor module enumerates processes and injects itself into the following ones:\r\nexplorer.exe\r\nmsiexec.exe\r\niexplore.exe\r\nfirefox.exe\r\nchrome.exe\r\nmsedge.exe\r\nThe 64-bit version of the Backdoor is injected into 64-bit processes, the 32-bit version – into 32-bit processes.\r\nThe injected code hooks the following WinAPI functions:\r\nNtCreateUserProcess\r\nNtCreateThread\r\nZwDeviceIoControlFile\r\nTranslateMessage\r\nCertGetCertificateChain\r\nCertVerifyCertificateChainPolicy\r\nHooks might be divided into 3 groups, depending on their purpose:\r\n1. NtCreateUserProcess and NtCreateThread are hooked to inject a Backdoor module into newly created threads and processes.\r\n2. ZwDeviceIoControlFile , CertGetCertificateChain and CertVerifyCertificateChainPolicy are hooked to support the WebInjection mechanism.\r\n3. TranslateMessage is hooked to log the keys pressed and to create screenshots.\r\nWeb Injecting\r\nFirst of all, browsers must have a Backdoor module injected. At this moment, there are multiple instances of Backdoor modules running in the system: one, started by the Downloader, which is the “Main Instance”, and others running in browsers. The Main Instance starts a Man-in-the-browser proxy; the other modules hook ZwDeviceIoControlFile and the cert-related WinAPIs (see above). The proxy port number is stored in the BinStorage structure in the Registry, so it is synchronized between Backdoor instances.\r\nThe hooked ZwDeviceIoControlFile function waits for IOCTL_AFD_CONNECT or IOCTL_AFD_SUPER_CONNECT and routes connections to the proxy. The hooked cert-related functions tell browsers that everything is good with the certificates.\r\nBotnets, Campaigns and their activity\r\nThe most active botnets and campaigns use RC4 key 03d5ae30a0bd934a23b6a7f0756aa504 and we’ll focus on them in our analysis. Samples with the aforementioned key have versions 1.x, usually 1.6.28, but some even have 1.0.x.\r\nBotnet and Campaign names\r\nAmong botnet names it is worth mentioning the following groups:\r\n1. DLLobnova , AktualizacjaDLL , googleaktualizacija , googleaktualizacija1 , obnovlenie19 , vasja , ivan\r\n2. 9092zi , 9092ti , 9092ca , 9092us , 909222 , 9092ge\r\nThe first one contains transliterated Slavic words and names ( vasja , ivan ), maybe with errors. It sheds light on the origins of the bad guys – they are definitely Slavs.\r\nSamples with botnet names from the second group were first observed in November 2021 and we found 6 botnet names from this group in the next two months. Letters after numbers, like ca and us , might be country codes.\r\nWe see the same picture with campaign names: quite a big number of Slavic words and the same 9092* group.\r\nWebInjects\r\nWe analyzed webinjects and can confirm that they are targeting financial companies: banks, brokerage firms, insurance companies, payment services, cryptocurrency-related services etc.\r\nInjected code is usually small: from dozens of bytes up to 20 kb. To perform its tasks, it loads JavaScript code from external domains controlled by the bad guys. Analysis of these domains allowed us to find connections between Zloader operators and other cybercrime gangs.\r\nDownload tasks\r\nZloader is able to download and execute arbitrary files on commands from its C\u0026Cs, but for a long time we hadn’t seen these commands at all. Things changed on 24 November 2021, when botnet 9092ca received a command to download and execute a file from teamworks455[.]com . This domain was mentioned in [6].\r\nAnother two download tasks contained braves[.]fun and endoftheendi[.]com .\r\nConnections\r\nDuring our tracking we noticed links to other malware families we originally thought were unrelated.\r\nRaccoon Stealer\r\nTwo out of three download tasks contained links to Raccoon Stealer. The downloaded samples have the following sha256 hashes:\r\n5da3db74eee74412c1290393a0a0487c63b2c022e57aebcd632f0c3caf23d8bc\r\n5b731854c58c2c1316633e570c9ec82474347e64b07ace48017d0be2b6331eed\r\nBoth of them have the same Raccoon configuration with Telegram channel kumchakl1 .\r\nMoreover, Raccoon was mentioned in [6] before we received commands from C\u0026Cs with links to Raccoon. We can only guess why Zloader operators used Raccoon Stealer. You can read our dive into Raccoon Stealer here.\r\nUrsnif\r\nUrsnif, also known as Gozi and ISFB, is another banking malware family with similar functions.\r\nDigital Signatures\r\nIt was quite a big surprise when we found Zloader samples and Ursnif samples signed with the same digital signature!\r\nAs an example, consider a signature:\r\nIssuer BABJNCXZHQCJUVWAJJ\r\nThumbprint 46C79BD6482E287647B1D6700176A5F6F5AC6D57 .\r\nThe Zloader sample signed with it has SHA256 hash 2a9ff0a0e962d28c488af9767770d48b9128b19ee43e8df392efb2f1c5a696f .\r\nThe signed Ursnif sample has SHA256 hash 54e6e6b23dec0432da2b36713a206169468f4f9d7691ccf449d7d946617eca45 .\r\nIt is not the only digital signature shared among Ursnif and Zloader samples.\r\nInfrastructure\r\nAs we mentioned before, the first observed download command contained a link to teamworks455[.]com . We checked the TLS certificate for this site and realized that it was for another site – dotxvcnjlvdajkwerwoh[.]com . We saw this hostname on 11 November 2021 in Ursnif webinjects, where it was used to receive stolen data.\r\nAnother example – aerulonoured[.]su – a host used by Zloader to receive stolen data at least from August 2021. It also appeared in Ursnif webinjects in November 2021.\r\nThird example – qyfurihpsbhbuvitilgw[.]com , which was found in a Zeus configuration update received from the C\u0026C on 20 October 2021. It must have been added to the C\u0026C list and then used by Zloader bots. The same domain was found in Ursnif webinjects on 1 November 2021.\r\nAnd, finally, a 4th example – etjmejjcxjtwweitluuw[.]com . This domain was generated using the DGA from key 03d5ae30a0bd934a23b6a7f0756aa504 and date 22 September 2021. We have very strong evidence that it was active on that date as a Zloader C\u0026C. The same host was found in Ursnif WebInjects on 1 November 2021.\r\nConclusion\r\nWe are proud we could be part of the investigation as we continue our mission to make the world a safer place for everybody. We hope for a successful takedown of the Zloader botnet and prosecution of the people who created and operated it.\r\nSource: https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/"
	],
	"report_names": [
		"zloader-the-silent-night"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434617,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/edf5dc0649939726d27de817439f79d9df5739ba.pdf",
		"text": "https://archive.orkl.eu/edf5dc0649939726d27de817439f79d9df5739ba.txt",
		"img": "https://archive.orkl.eu/edf5dc0649939726d27de817439f79d9df5739ba.jpg"
	}
}