{
	"id": "1b837d20-b3f2-4e31-8ec4-35e7b0bd7638",
	"created_at": "2026-04-06T00:13:11.356051Z",
	"updated_at": "2026-04-10T03:21:13.673354Z",
	"deleted_at": null,
	"sha1_hash": "fdb662e1b4b1d3648231392a4a9f20605487434f",
	"title": "Microsoft research uncovers new Zerobot capabilities | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 155453,
	"plain_text": "Microsoft research uncovers new Zerobot capabilities | Microsoft\r\nSecurity Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-12-21 · Archived: 2026-04-05 17:29:18 UTC\r\nBotnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of\r\nThings (IoT) devices for recruitment into malicious operations as IoT devices’ configurations often leave them exposed,\r\nand the number of internet-connected devices continue to grow. Recent trends have shown that operators are\r\nredeploying malware for a variety of distributions and objectives, modifying existing botnets to scale operations and\r\nadd as many devices as possible to their infrastructure.\r\nZerobot, a Go-based botnet that spreads primarily through IoT and web application vulnerabilities, is an example of an\r\nevolving threat, with operators continuously adding new exploits and capabilities to the malware. The Microsoft\r\nDefender for IoT research team has been monitoring Zerobot (also called ZeroStresser by its operators) for months.\r\nZerobot is offered as part of a malware as a service scheme and has been updated several times since Microsoft started\r\nto track it. One domain with links to Zerobot was among several domains associated with DDoS-for-hire services\r\nseized by the FBI in December 2022.\r\nMicrosoft has previously reported on the evolving threat ecosystem. The shift toward malware as a service in the cyber\r\neconomy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and\r\nmaintain access to compromised networks, and utilize ready-made tools to perform their attacks. 
We have tracked\r\nadvertisements for the Zerobot botnet on various social media networks in addition to other announcements regarding\r\nthe sale and maintenance of the malware, as well as new capabilities in development.\r\nIn this blog post, we present information about the latest version of the malware, Zerobot 1.1, including newly\r\nidentified capabilities and further context to Fortinet’s recent analysis on the threat. Zerobot 1.1 increases its\r\ncapabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the\r\nmalware’s reach to different types of devices. In addition to these findings, we’re sharing new indicators of compromise\r\n(IOCs) and recommendations to help defenders protect devices and networks against this threat.\r\nWhat is Zerobot?\r\nZerobot affects a variety of devices that include firewall devices, routers, and cameras, adding compromised devices to\r\na distributed denial of service (DDoS) botnet. Using several modules, the malware can infect vulnerable devices built\r\non diverse architectures and operating systems, find additional devices to infect, achieve persistence, and attack a range\r\nof protocols. Microsoft tracks this activity as DEV-1061.\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy\r\naligned around the theme of weather. 
DEV-1061 is now tracked as Storm-1061.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to\r\nget a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor\r\nnaming taxonomy.\r\nhttps://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/\r\nPage 1 of 10\n\nThe most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache\r\nand Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities.\r\nHow Zerobot gains and maintains device access\r\nIoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by\r\nthreat actors. Zerobot is capable of propagating through brute force attacks on vulnerable devices with insecure\r\nconfigurations that use default or weak credentials. The malware may attempt to gain device access by using a\r\ncombination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323\r\nto spread to devices. Microsoft researchers identified numerous SSH and telnet connection attempts on default ports 22\r\nand 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.\r\nIn addition to brute force attempts on devices, Zerobot exploits dozens of vulnerabilities, which malware operators add\r\non a rolling basis to gain access and inject malicious payloads. 
Zerobot 1.1 includes several new vulnerabilities, such\r\nas:\r\nVulnerability Affected software\r\nCVE-2017-17105 Zivif PR115-204-P-RS\r\nCVE-2019-10655 Grandstream\r\nCVE-2020-25223 WebAdmin of Sophos SG UTM\r\nCVE-2021-42013 Apache\r\nCVE-2022-31137 Roxy-WI\r\nCVE-2022-33891 Apache Spark\r\nZSL-2022-5717 MiniDVBLinux\r\nSince the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability\r\nthat could allow threat actors to view or execute files. Microsoft researchers have also identified that previous reports\r\nhave used the vulnerability ID “ZERO-32906” for CVE-2018-20057, “GPON” for CVE-2018-10561, and “DLINK” for\r\nCVE-2016-20017; and that CVE-2020-7209 was mislabeled as CVE-2017-17106 and CVE-2022-42013 was\r\nmislabeled as CVE-2021-42013.\r\nMicrosoft researchers have also found new evidence that Zerobot propagates by compromising devices with known\r\nvulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection\r\nvulnerability in Tenda GPON AC1200 routers.\r\nUpon gaining device access, Zerobot injects a malicious payload, which may be a generic script called zero.sh that\r\ndownloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary of a specific architecture.\r\nThe bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force,\r\nattempting to download and execute binaries of various architectures until it succeeds, as IoT devices are based on\r\nmany computer processing units (CPUs). Microsoft has observed scripts targeting various architectures including\r\nARM64, MIPS, and x86_64.\r\nDepending on the operating system of the device, the malware has different persistence mechanisms. 
Persistence tactics\r\nare used by malware operators to obtain and maintain access to devices. While Zerobot is unable to spread to Windows\r\nmachines, we have found several samples that can run on Windows. On Windows machines, the malware copies itself\r\nto the Startup folder with the file name FireWall.exe (older versions use my.exe). Microsoft Defender for Endpoint\r\ndetects this malware and related malicious activity on both Windows and Linux devices. See detection details below.\r\nTo achieve persistence on Linux-based devices, Zerobot uses a combination of desktop entry, daemon, and service\r\nmethods:\r\nDesktop entry:\r\nZerobot copies itself to $HOME/.config/ssh.service/sshf then writes a desktop entry file called sshf.desktop to the same\r\ndirectory. Older Linux versions use $HOME/.config/autostart instead of $HOME/.config/ssh.service.\r\nDaemon:\r\nCopies itself to /usr/bin/sshf and writes a configuration at /etc/init/sshf.conf.\r\nService:\r\nCopies itself to /etc/sshf and writes a service configuration at /lib/system/system/sshf.service, then enables the service\r\n(to make sure it starts at boot) with two commands:\r\nsystemctl enable sshf\r\nservice enable sshf\r\nAll persistence mechanisms on older Linux versions use my.bin and my.bin.desktop instead of sshf and sshf.desktop.\r\nNew attack capabilities\r\nIn addition to the functions and attacks included in previous versions of the malware, Zerobot 1.1 has additional DDoS\r\nattack capabilities. These functions allow threat actors to target resources and make them inaccessible. Successful\r\nDDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or\r\ndisrupt operations. 
In almost every attack, the destination port is customizable, and threat actors who purchase the\r\nmalware can modify the attack according to their target.\r\nThe following are the previously known Zerobot capabilities:\r\nAttack method Description\r\nUDP_LEGIT Sends UDP packets without data.\r\nMC_PING\r\nMeant for DDoS on Minecraft servers. Sends a handshake and status\r\nrequest.\r\nTCP_HANDSHAKE Floods with TCP handshakes.\r\nTCP_SOCKET\r\nContinuously sends random payloads on an open TCP socket. Payload\r\nlength is customizable.\r\nTLS_SOCKET\r\nContinuously sends random payloads on an open TLS socket. Payload\r\nlength is customizable.\r\nHTTP_HANDLE Sends HTTP GET requests using a Golang standard library.\r\nHTTP_RAW Formats and sends HTTP GET requests.\r\nHTTP_BYPASS Sends HTTP GET requests with spoofed headers.\r\nHTTP_NULL HTTP headers are each one random byte (not necessarily ascii).\r\nPreviously undisclosed and new capabilities are the following:\r\nAttack method Description\r\nUDP_RAW Sends UDP packets where the payload is customizable.\r\nICMP_FLOOD Supposed to be an ICMP flood, but the packet is built incorrectly.\r\nTCP_CUSTOM Sends TCP packets where the payload and flags are fully customizable.\r\nTCP_SYN Sends SYN packets.\r\nTCP_ACK Sends ACK packets.\r\nTCP_SYNACK Sends SYN-ACK packets.\r\nTCP_XMAS Christmas tree attack (all TCP flags are set). The reset cause field is “xmas”.\r\nHow Zerobot spreads\r\nAfter persistence is achieved, Zerobot scans for other internet-exposed devices to infect. The malware randomly\r\ngenerates a number between 0 and 255 and scans all IPs starting with this value. 
Using a function called\r\nnew_botnet_selfRepo_isHoneypot, the malware tries to identify honeypot IP addresses, which are used by network\r\ndecoys to attract cyberattacks and collect information on threats and attempts to access resources. This function\r\nincludes 61 IP subnets, preventing scanning of these IPs.\r\nMicrosoft researchers also identified a sample that can run on Windows based on a cross-platform (Linux, Windows,\r\nmacOS) open-source remote administration tool (RAT) with various features such as managing processes, file\r\noperations, screenshotting, and running commands. This tool was found by investigating the command-and-control\r\n(C2) IPs used by the malware. The script, which is used to download this RAT, is called impst.sh:\r\nFigure 1. The impst.sh script used to download the remote administration tool\r\nDefending devices and networks against Zerobot\r\nThe continuous evolution and rapid addition of new capabilities in the latest Zerobot version underscores the urgency of\r\nimplementing comprehensive security measures. Microsoft recommends the following steps to protect devices and\r\nnetworks against the threat of Zerobot:\r\nUse security solutions with cross-domain visibility and detection capabilities like Microsoft 365 Defender,\r\nwhich provides integrated defense across endpoints, identities, email, applications, and data. 
Microsoft Defender\r\nAntivirus and Microsoft Defender for Endpoint detect Zerobot malware variants and malicious behavior related\r\nto this threat.\r\nAdopt a comprehensive IoT security solution such as Microsoft Defender for IoT to allow visibility and\r\nmonitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and\r\nXDR platforms such as Microsoft Sentinel and Microsoft 365 Defender.\r\nEnsure secure configurations for devices: Change the default password to a strong one, and block SSH\r\nfrom external access.\r\nMaintain device health with updates: Make sure devices are up to date with the latest firmware and\r\npatches.\r\nUse least privileges access: Use a secure virtual private network (VPN) service for remote access and\r\nrestrict remote access to the device.\r\nHarden endpoints with a comprehensive Windows security solution:\r\nManage the apps your employees can use through Windows Defender Application Control and for\r\nunmanaged solutions, enabling Smart App Control.\r\nPerform timely cleanup of all unused and stale executables sitting on yours or your organizations’\r\ndevices.\r\nDetections\r\nMicrosoft Defender for IoT\r\nMicrosoft Defender for IoT uses detection rules and signatures to identify malicious behavior. 
Microsoft Defender for\r\nIoT has alerts for the following vulnerabilities and exploits which may be tied to Zerobot activity:\r\nCVE-2014-8361\r\nCVE-2016-20017\r\nCVE-2017-17105\r\nCVE-2017-17215\r\nCVE-2018-10561\r\nCVE-2018-20057\r\nCVE-2019-10655\r\nCVE-2020-7209\r\nCVE-2020-10987\r\nCVE-2020-25506\r\nCVE-2021-35395\r\nCVE-2021-36260\r\nCVE-2021-42013\r\nCVE-2021-46422\r\nCVE-2022-22965\r\nCVE-2022-25075\r\nCVE-2022-26186\r\nCVE-2022-26210\r\nCVE-2022-30023\r\nCVE-2022-30525\r\nCVE-2022-31137\r\nCVE-2022-33891\r\nCVE-2022-34538\r\nCVE-2022-37061\r\nZERO-36290\r\nZSL-2022-5717\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects the malicious files under the following platforms and threat names:\r\nZerobot (Win32/64 and Linux)\r\nSparkRat (Win32/64 and Linux)\r\nMicrosoft Defender for Endpoint\r\nMicrosoft Defender for Endpoint alerts with the following titles can indicate threat activity on your network:\r\nDEV-1061 threat activity group detected\r\nAn active ‘PrivateLoader’ malware process was detected while executing\r\n‘Morila’ malware was prevented\r\n‘Multiverze’ malware was detected\r\nMicrosoft Defender for Endpoint also has detections for the following vulnerabilities exploited by Zerobot:\r\nCVE-2022-22965 (Spring4Shell)\r\nMicrosoft Defender for Endpoint’s Device Discovery capabilities discover and classify devices. 
With these capabilities,\r\nMicrosoft 365 Defender customers using Microsoft Defender for IoT have visibility into security recommendations for\r\ndevices with the following vulnerabilities:\r\nCVE-2014-8361\r\nCVE-2019-10655\r\nCVE-2020-25506\r\nCVE-2021-36260\r\nCVE-2021-42013\r\nCVE-2022-30525\r\nCVE-2022-31137\r\nCVE-2022-37061\r\nDevices with these vulnerabilities are also visible in the Microsoft Defender Vulnerability Management inventory.\r\nMicrosoft Defender for Cloud\r\nMicrosoft Defender for Cloud alerts with the following titles can indicate threat activity on your network:\r\nVM_ReverseShell\r\nVM_SuspectDownloadArtifacts\r\nSQL.VM_ShellExternalSourceAnomaly\r\nAppServices_CurlToDisk\r\nAdvanced hunting queries\r\nMicrosoft 365 Defender\r\nMicrosoft 365 Defender customers can run the following query to find related activity in their networks.\r\nZerobot files\r\nThis query finds the file hashes associated with Zerobot activity.\r\nlet IoCList =\r\nexternaldata(TimeGenerated:datetime,IoC:string,IoC_Type:string,ExpirationDateTime:datetime,Description:string,\r\nAction:string, ConfidenceScore:real, ThreatType:string, Active:string,Type:string,\r\nTrafficLightProtocolLevel:string,\r\nwith(format=\"csv\", ignoreFirstRecord=True);\r\nlet shahashes = IoCList\r\n| where IoC_Type =~ \"sha256\" and Description =~ \"Dev-1061 Zerobot affecting IoT devices\"\r\n| distinct IoC;\r\nDeviceFileEvents\r\n| where SHA256 in (shahashes)\r\nZerobot HTTP requests\r\nThis query finds suspicious HTTP requests originated by the IOCs associated with Zerobot activity.\r\nDeviceNetworkEvents\r\n| where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\r\n| where ActionType == \"NetworkSignatureInspected\"\r\n| where Timestamp \u003e ago(30d)\r\n|extend json = 
parse_json(AdditionalFields)\r\n| extend SignatureName =tostring(json.SignatureName), SignatureMatchedContent =\r\ntostring(json.SignatureMatchedContent), SignatureSampleContent = tostring(json.SamplePacketContent)\r\n|where SignatureName == \"HTTP_Client\"\r\n|project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, SignatureName,\r\nSignatureMatchedContent, SignatureSampleContent\r\nZerobot port knocking\r\nThis query finds incoming connections from IOCs associated with Zerobot activity.\r\nDeviceNetworkEvents\r\n| where RemoteIP in(\"176.65.137.5\",\"176.65.137.6\")\r\n| where ActionType == \"InboundConnectionAccepted\"\r\n| where Timestamp \u003e ago(30d)\r\n|project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort,\r\nInitiatingProcessFileName\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI\r\nMap analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft\r\nSentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 
More details on the Content Hub\r\ncan be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy\r\nIndicators of compromise (IOCs):\r\nDomains and IP addresses:\r\nzero[.]sudolite[.]ml\r\n176.65.137[.]5\r\n176.65.137[.]5:1401\r\n176.65.137[.]6\r\nws[:]//176.65.137[.]5/handle\r\nhttp[:]//176.65.137[.]5:8000/ws\r\nNew Zerobot hashes (SHA-256)\r\nSparkRat hashes (SHA-256):\r\n0ce7bc2b72286f236c570b1eb1c1eacf01c383c23ad76fd8ca51b8bc123be340\r\ncacb77006b0188d042ce95e0b4d46f88828694f3bf4396e61ae7c24c2381c9bf\r\n65232e30bb8459961a6ab2e9af499795941c3d06fdd451bdb83206a00b1b2b88\r\nRotem Sde-Or, Ilana Sivan, Gil Regev, Microsoft Defender for IoT Research Team\r\nMeitar Pinto, Nimrod Roimy, Nir Avnery, Microsoft Defender Research Team\r\nRamin Nafisi, Ross Bevington, Microsoft Threat Intelligence Center (MSTIC)\r\nSource: https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/"
	],
	"report_names": [
		"microsoft-research-uncovers-new-zerobot-capabilities"
	],
	"threat_actors": [],
	"ts_created_at": 1775434391,
	"ts_updated_at": 1775791273,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fdb662e1b4b1d3648231392a4a9f20605487434f.pdf",
		"text": "https://archive.orkl.eu/fdb662e1b4b1d3648231392a4a9f20605487434f.txt",
		"img": "https://archive.orkl.eu/fdb662e1b4b1d3648231392a4a9f20605487434f.jpg"
	}
}