Zhong Stealer
Zhong Stealer is an information-stealing malware family first observed in active campaigns in December 2024. It has been distributed through social engineering that targets customer support personnel, particularly at cryptocurrency, fintech, and broader financial services organizations. In the observed infection chain, attackers posed as customers in support chats or fake support tickets, often using newly created empty accounts, broken Chinese-language messages, and ZIP archives presented as screenshots or supporting details. The ZIP files contained Windows executables, including .scr payloads and files with Chinese-character names.
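The delivery chain above is easy to pre-filter at the point where support staff receive attachments: the archive is announced as a screenshot but contains a Windows executable, often with a .scr extension or a Chinese-character file name. The following triage routine is an added example, not code from the original page or from any vendor; the lure archive it inspects is constructed in memory for the demonstration, and the extension list and "MZ" header check are generic Windows heuristics rather than indicators taken from the reporting.

```python
"""Triage ZIP attachments received through support channels for the lure
pattern described above: an archive presented as a screenshot that actually
carries Windows executables (.scr in the reported campaign), sometimes with
Chinese-character file names. Added example, not code from the original page
or from any vendor. The sample archive is constructed in memory for the demo."""
import io
import unicodedata
import zipfile

# Extensions Windows will launch directly when double-clicked; .scr is the one
# abused in the reported campaign.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".hta", ".msi", ".lnk"}
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".webp")
PE_MAGIC = b"MZ"  # DOS header every Windows PE file starts with


def has_cjk(name):
    """True if the file name contains a CJK ideograph."""
    return any("CJK" in unicodedata.name(ch, "") for ch in name)


def split_ext(lower_name):
    """Return (stem, extension) with the extension lower-cased, '' if none."""
    if "." not in lower_name:
        return lower_name, ""
    stem, ext = lower_name.rsplit(".", 1)
    return stem, "." + ext


def triage_zip(data):
    """Inspect a ZIP blob and return [(member_name, [reasons])] for suspicious
    members. A clean archive yields an empty list."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            stem, ext = split_ext(name.lower())
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"launchable extension {ext}")
            if stem.endswith(IMAGE_EXTENSIONS) and ext not in IMAGE_EXTENSIONS:
                reasons.append("image name with trailing non-image extension")
            if has_cjk(name):
                reasons.append("CJK characters in file name")
            with zf.open(info) as fh:
                is_pe = fh.read(2) == PE_MAGIC
            if is_pe:
                reasons.append("PE header present" if ext in EXEC_EXTENSIONS
                               else "PE header behind non-executable extension")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_zip():
    """Constructed lure archive: a double-extension 'screenshot' that is a PE
    stub, a PE stub with a Chinese file name, and one genuine-looking PNG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("screenshot.png.scr", PE_MAGIC + b"\x00" * 62)
        zf.writestr("订单截图.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("screenshot.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()):
        print(f"{member}: {'; '.join(reasons)}")
```

The header check matters more than the extension list: a renamed payload still starts with "MZ", and an archive whose only "screenshot" is a PE is a reject regardless of what the sender says in chat.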
Once executed, Zhong Stealer contacts command-and-control infrastructure in Hong Kong, including Alibaba Cloud hosting and Object Storage Service (OSS) endpoints such as kkuu.oss-cn-hongkong.aliyuncs[.]com. Reported associated IP addresses include 156.245.23.188 and 47.79.64.228, and the malware was also observed communicating over the non-standard port 1131. The malware can download additional components, including down.exe, a DLL, a log file, and a TXT file listing download mirrors, and it creates a BAT file in the user's temporary directory during execution.
Its behavior includes system reconnaissance, such as collecting hostname, security settings, and supported language; establishing persistence via Windows Registry keys; disabling event logging; and in some reporting, using scheduled tasks for persistence. Zhong Stealer attempts to harvest browser credentials, saved passwords, session data, authentication tokens, and browser extension data, with specific targeting of browsers including Microsoft Edge and Brave, before exfiltrating the stolen data to its Hong Kong-based C2.
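The persistence and defense-impairment behaviour described above (Run-key persistence, scheduled tasks, disabled event logging, a BAT file dropped in the user's Temp directory) is what endpoint telemetry should be correlated on. The detection logic below is an added example, not code from the original page or any vendor rule. Its record schema is a simplified, constructed Sysmon-like shape, and the sample records (including the command lines and file names in them) are constructed for the demonstration and are not observed Zhong Stealer artifacts.

```python
"""Detection logic for the post-execution behaviour summarised above:
Run-key persistence pointing into the user's Temp directory, scheduled-task
creation, and tampering with Windows event logging. Added example, not from
the original page or any vendor rule. The record schema is a simplified,
constructed Sysmon-like shape; the sample records are constructed for the demo
and are not observed Zhong Stealer artifacts."""
import re
from collections import defaultdict

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
TASK_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)
# wevtutil cl <log> clears a log; wevtutil sl <log> /e:false disables it;
# sc/net stopping or reconfiguring the EventLog service has the same effect.
EVTLOG_RE = re.compile(
    r"\bwevtutil(\.exe)?\s+(cl\b|sl\s+\S+\s+/e:false)"
    r"|\b(sc|net)(\.exe)?\s+(stop|config)\s+eventlog\b",
    re.I,
)
LAUNCHABLE = (".exe", ".scr", ".bat", ".cmd", ".dll")


def evaluate(rec):
    """Return the detection names one record fires."""
    hits = []
    event = rec.get("event")
    image = rec.get("image", "")
    if event == "registry_set" and RUN_KEY_RE.search(rec.get("target", "")):
        # The value data (what Run will launch) or the writing process living
        # in Temp is the high-signal combination; other Run writes are context.
        if TEMP_RE.search(rec.get("details", "")) or TEMP_RE.search(image):
            hits.append("run_key_persistence_from_temp")
        else:
            hits.append("run_key_modified")
    if event == "process_create":
        cmd = rec.get("cmdline", "")
        if TEMP_RE.search(image) and image.lower().endswith(LAUNCHABLE):
            hits.append("exec_from_temp")
        if re.search(r"\\AppData\\Local\\Temp\\[^\s\"]+\.bat\b", cmd, re.I):
            hits.append("bat_from_temp")
        if TASK_RE.search(cmd):
            hits.append("scheduled_task_created")
        if EVTLOG_RE.search(cmd):
            hits.append("event_logging_tampered")
    return hits


def hunt(records):
    """Group detections per host so the analyst sees the chain, not one alert."""
    by_host = defaultdict(set)
    for rec in records:
        by_host[rec["host"]].update(evaluate(rec))
    return dict(by_host)


SAMPLE_RECORDS = [  # constructed, not real telemetry
    {"host": "SUPPORT-07", "event": "process_create",
     "image": r"C:\Users\a\AppData\Local\Temp\screenshot.scr", "cmdline": "screenshot.scr"},
    {"host": "SUPPORT-07", "event": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\a\AppData\Local\Temp\u.bat"},
    {"host": "SUPPORT-07", "event": "registry_set",
     "image": r"C:\Users\a\AppData\Local\Temp\screenshot.scr",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\a\AppData\Local\Temp\down.exe"},
    {"host": "SUPPORT-07", "event": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\a\AppData\Local\Temp\down.exe"},
    {"host": "SUPPORT-07", "event": "process_create",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil sl Security /e:false"},
    {"host": "WS-12", "event": "registry_set",
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for host, names in hunt(SAMPLE_RECORDS).items():
        print(host, sorted(names))
```

Grouping by host is the point: a single Run-key write from an installer is noise (WS-12 above), while a Temp-resident process writing a Run key, creating a task and disabling a log on the same machine is the chain the reporting describes.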
The malware has been linked in reporting to campaigns involving cryptocurrency theft and was described as targeting platforms in the crypto ecosystem. Security researchers linked the Zhong Stealer campaign to GoldenEyeDog (APT-Q-27), although attribution of the DigiCert breach itself to that group was not confirmed. In 2026, EV code-signing certificates obtained through the compromise of DigiCert support analyst endpoints were reported to have been used to digitally sign Zhong Stealer payloads. DigiCert revoked 60 certificates in response, and community researchers identified eleven attacker-linked certificates that were already being used in the wild to sign this malware family.
Reported file indicators associated with the campaign include MD5 778b6521dd2b07d7db0eaeaab9a2f86b; SHA1 ce120e922ed4156dbd07de8335c5a632974ec527; and SHA256 hashes 02244934046333f45bc22abe6185e6ddda033342836062afb681a583aa7d827f, 1abffe97aafe9916b366da57458a78338598cab9742c2d9e03e4ad0ba11f29bf, 4eaebd93e23be3427d4c1349d64bef4b5fc455c93aebb9b5b752981e9266488e, dd44dabff5361aa9b845dd891ad483162d4f28913344c93e5d59f648a186098, e46779869c6797b294cb097f47027a5c52466fd11112b6ccd52c569578d4b8cd, and 5f422be165e4b6557f45719914f724a4fe1840fa792ecc739861bfdb45c1550. Two of these SHA256 values (the ones beginning dd44 and 5f42) are 63 hexadecimal characters long as published, one short of a valid SHA-256 digest, so they are likely truncated in the source and should be checked against the original report before being loaded into a blocklist. An associated email observable reported in the campaign is zhongmaziil992@outlook.com.
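Before indicators like these go into a SIEM watchlist they should be normalized and sanity-checked, then matched against telemetry with the weak ones (a bare port number) kept separate from the strong ones. The script below is an added example, not code from the original page or from any vendor. The indicator values are the ones published on this page, defanged as given; the telemetry lines and their key=value format are constructed for the demonstration.

```python
"""Sanity-check the indicators listed above and match them against sample
telemetry. Added example, not code from the original page or from any vendor.
The indicator values are the ones published on this page (defanged as given);
the telemetry lines and their key=value format are constructed for the demo."""
import ipaddress
import re

RAW_IOCS = {
    "md5": ["778b6521dd2b07d7db0eaeaab9a2f86b"],
    "sha1": ["ce120e922ed4156dbd07de8335c5a632974ec527"],
    "sha256": [
        "02244934046333f45bc22abe6185e6ddda033342836062afb681a583aa7d827f",
        "1abffe97aafe9916b366da57458a78338598cab9742c2d9e03e4ad0ba11f29bf",
        "4eaebd93e23be3427d4c1349d64bef4b5fc455c93aebb9b5b752981e9266488e",
        "dd44dabff5361aa9b845dd891ad483162d4f28913344c93e5d59f648a186098",
        "e46779869c6797b294cb097f47027a5c52466fd11112b6ccd52c569578d4b8cd",
        "5f422be165e4b6557f45719914f724a4fe1840fa792ecc739861bfdb45c1550",
    ],
    "domain": ["kkuu.oss-cn-hongkong.aliyuncs[.]com"],
    "ipv4": ["156.245.23.188", "47.79.64.228"],
    "port": [1131],
}
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(value):
    """Undo common defanging so the value matches real telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def validate(raw):
    """Return (clean, rejected). A hash of the wrong length or with non-hex
    characters is rejected instead of being loaded silently: a truncated
    digest can never match and hides a gap in coverage."""
    clean = {"domain": [], "ipv4": [], "port": list(raw.get("port", []))}
    rejected = []
    for algo, want in HASH_LEN.items():
        clean[algo] = []
        for h in raw.get(algo, []):
            h = h.strip().lower()
            if len(h) == want and HEX_RE.match(h):
                clean[algo].append(h)
            else:
                rejected.append((algo, h, f"length {len(h)}, expected {want}"))
    for d in raw.get("domain", []):
        clean["domain"].append(refang(d).lower().rstrip("."))
    for ip in raw.get("ipv4", []):
        try:
            clean["ipv4"].append(str(ipaddress.ip_address(refang(ip))))
        except ValueError:
            rejected.append(("ipv4", ip, "not an IP address"))
    return clean, rejected


SAMPLE_TELEMETRY = [  # constructed lines, not real logs
    "ts=2026-04-02T10:15:01Z type=proxy src=10.1.4.22 dst=203.0.113.9 dport=443",
    "ts=2026-04-02T10:16:40Z type=dns src=10.1.4.22 query=kkuu.oss-cn-hongkong.aliyuncs.com",
    "ts=2026-04-02T10:16:52Z type=flow src=10.1.4.22 dst=156.245.23.188 dport=1131",
    "ts=2026-04-02T10:17:03Z type=edr host=SUPPORT-07 sha256="
    "1abffe97aafe9916b366da57458a78338598cab9742c2d9e03e4ad0ba11f29bf",
    "ts=2026-04-02T10:18:00Z type=flow src=10.1.4.31 dst=198.51.100.4 dport=1131",
]


def hunt(lines, iocs):
    """Return [(line, reasons)] for lines touching a known indicator. The
    port check is kept separate because 1131 alone is weak evidence."""
    hits = []
    for line in lines:
        f = dict(KV_RE.findall(line))
        reasons = []
        if f.get("dst") in iocs["ipv4"]:
            reasons.append("known C2 IP")
        if f.get("query", "").lower().rstrip(".") in iocs["domain"]:
            reasons.append("known C2 domain")
        if f.get("sha256", "").lower() in iocs["sha256"]:
            reasons.append("known sample hash")
        if f.get("dport", "").isdigit() and int(f["dport"]) in iocs["port"]:
            reasons.append("non-standard port (weak alone)")
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    clean, rejected = validate(RAW_IOCS)
    for algo, value, why in rejected:
        print(f"rejected {algo} {value}: {why}")
    for line, reasons in hunt(SAMPLE_TELEMETRY, clean):
        print(f"{'; '.join(reasons)} <- {line}")
```

Run as-is, validate() rejects the two 63-character SHA256 values from the list above, which is the behaviour you want: a silently loaded truncated hash produces no alert and no error, only a false sense of coverage.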
Groups observed using it
3 distinct threat actors attributed by public researchers.
The stolen certificates were used to digitally sign payloads delivering Zhong Stealer, a malware family previously associated with cybercrime groups involved in cryptocurrency theft.
Eleven of those were already being used in the wild to sign the Zhong Stealer malware family when community researchers flagged them.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
The content describes attackers posing as customers and distributing ZIP archives to DigiCert support staff, consistent with a phishing-based delivery scheme.
On April 2, 2026, a threat actor contacted DigiCert’s customer support team through a Salesforce-based chat channel and repeatedly sent a malicious ZIP file disguised as a customer screenshot. The archive contained a .scr (screensaver) executable, a classic social engineering trick that abuses Windows’ treatment of .scr files as native executables.
Execution (2 techniques)
Scheduling Tasks (T1053) to maintain persistence even after system reboots.
A sophisticated threat actor breached DigiCert’s internal support environment in early April 2026 by tricking support analysts into executing a disguised malicious screensaver file... The archive contained a .scr (screensaver) executable...
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (2 techniques)
Defense Impairment (1 technique)
The DigiCert incident involved a breach of a customer support team member's device, allowing attackers to acquire initialization codes for code-signing certificates, which were then used to sign malware, including the Zhong Stealer campaign.
Credential Access (2 techniques)
Harvesting Credentials (T1552) to extract saved passwords, browser session data and authentication tokens.
...the threat actor was able to use this function to access initialization codes for orders that were approved but pending delivery for EV Code Signing certificate orders... Possession of an initialization code, combined with an approved order, is sufficient to obtain the resulting certificate... they were able to obtain EV Code Signing certificates across a set of customer accounts and CAs.
Collection (1 technique)
The malicious content was delivered in a ZIP archive attached to or linked from the lure.
Command and Control (2 techniques)
The malware’s attack chain includes phishing lures with fake screenshots, first-stage decoy payloads, and retrieval of additional malware from cloud services such as AWS...
Communicating via Non-Standard Ports (T1571), such as port 1131, to transmit stolen data to a command-and-control (C2) server in Hong Kong.
Other (2 techniques)
IOCs tracked for this family
20 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
An information-stealing malware campaign referenced as having used valid code-signing certificates obtained during the DigiCert incident.
A stealer malware campaign associated with compromised code-signing certificates referenced in the DigiCert incident.
A RAT/stealer hybrid malware family delivered via digitally signed payloads using stolen EV code-signing certificates. The described attack chain includes phishing lures with fake screenshots, first-stage decoy payloads, and retrieval of additional malware from cloud services such as AWS to help evade endpoint detection.
Credential and cryptocurrency stealer that also behaves like a RAT; in this incident it was signed with abused DigiCert-issued code signing certificates.