Zupdax
Zupdax is a remote access trojan/backdoor that has been in use since at least early 2014. It has been observed in cyber-espionage activity associated with multiple Asia-focused intrusion clusters, including PKPLUG-related operations, the Vatican-targeting Operation Exorcist activity, and the Space Pirates cluster. Reporting cited in the content notes that the malware itself cannot be unambiguously attributed to a single group, but its use has overlapped with activity assessed as aligned with Chinese strategic interests or Chinese-speaking operators.
Zupdax is commonly delivered and executed via DLL side-loading. Multiple reports state that, like PlugX, it often uses DLL side-loading as part of the infection process. In Vatican intrusions, a Zupdax installer referred to as P1Rat used a malicious siteadv.dll sideloaded by the legitimate McAfee SiteAdvisor executable siteadv.exe. Positive Technologies also reported that newer Zupdax variants used the same loading scheme as MyKLoadClient test samples, and assessed that a payload labeled Korplug in the Able Desktop supply-chain compromise was actually Zupdax.
The malware uses a plugin-based architecture and communicates over a UDT-over-UDP command-and-control protocol; PT ESC described a magic constant of 0x12345678 in this protocol. Some configurations disguised traffic as DNS by using port 53 and ns*-prefixed domains. PT ESC assessed Zupdax is likely a redesigned version of the older Redsip backdoor, citing similarities in message structure, command identifiers, and plugin architecture. The code base was described as originating around 2010.
Operationally, Zupdax has been seen alongside other malware families including PlugX, Poison Ivy, ShadowPad, MyKLoadClient, BH_A006, Deed RAT, RtlShare, HenBox, 9002, and Farseer depending on the campaign. Associated targeting in the cited reporting includes government, aerospace, IT, and energy organizations in Russia, Georgia, and Mongolia; victims in Myanmar, Taiwan, Vietnam, Indonesia, Tibet, and Xinjiang in PKPLUG-related activity; and the Holy See and Roman Catholic Church in surveillance-focused intrusions. High-confidence infection vectors and tradecraft mentioned in the content include spear-phishing and DLL side-loading.
Notable indicators and artifacts directly mentioned in the content include use of siteadv.exe and malicious siteadv.dll in Zupdax installation, P1Rat-related naming, UDT communications over UDP, DNS-masquerading via port 53 and ns*-prefixed domains, and shared certificate or infrastructure overlaps reported by PT ESC, including certificates issued to YD Online Corp. and NFINITY GAMES BILISIM ANONIM SIRKET and shared C2 subdomains playdr2.com and gamepoer7.com.
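A defender-side check for the two pieces of tradecraft described above (siteadv.exe side-loading a malicious siteadv.dll, and UDP/53 C2 traffic to ns*-named hosts), written as an added example that is not from the page or any vendor report: it runs over constructed Sysmon-style events and correlates both signals per process. The trusted install directories, the approved resolver set, and every sample path, PID and hostname are assumptions, not values from the page.

```python
import re

# Constructed sample telemetry (not from the page): Sysmon-style image-load (event 7)
# and network-connect (event 3) records flattened into dicts.
EVENTS = [
    {"kind": "image_load", "pid": 4120, "image": r"C:\Users\u\AppData\Local\Temp\siteadv.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\siteadv.dll", "signed": False},
    {"kind": "image_load", "pid": 2208, "image": r"C:\Program Files\McAfee\SiteAdvisor\siteadv.exe",
     "loaded": r"C:\Program Files\McAfee\SiteAdvisor\siteadv.dll", "signed": True},
    {"kind": "network", "pid": 4120, "image": r"C:\Users\u\AppData\Local\Temp\siteadv.exe",
     "proto": "udp", "dst_port": 53, "dst_host": "ns2.c2-example.invalid", "dst_ip": "203.0.113.9"},
    {"kind": "network", "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "proto": "udp", "dst_port": 53, "dst_host": "ns1.corp.example", "dst_ip": "10.0.0.53"},
]
APPROVED_RESOLVERS = {"10.0.0.53"}  # the org's real DNS servers (assumed)
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")  # assumed
NS_HOST = re.compile(r"^ns[^.]*\.", re.IGNORECASE)  # ns*-prefixed hostnames

def sideload_alerts(events):
    """siteadv.dll loaded by siteadv.exe from outside a trusted install dir, or unsigned."""
    hits = []
    for e in events:
        if e["kind"] != "image_load":
            continue
        if not (e["image"].lower().endswith(r"\siteadv.exe")
                and e["loaded"].lower().endswith(r"\siteadv.dll")):
            continue
        if not e["loaded"].lower().startswith(TRUSTED_DIRS) or not e["signed"]:
            hits.append({"pid": e["pid"], "image": e["image"], "dll": e["loaded"]})
    return hits

def dns_masquerade_alerts(events, approved=APPROVED_RESOLVERS):
    """UDP/53 to an ns*-named host that is not one of the org's configured resolvers."""
    hits = []
    for e in events:
        if e["kind"] != "network" or e["proto"] != "udp" or e["dst_port"] != 53:
            continue
        if e["dst_ip"] in approved:
            continue  # real resolver traffic, even if the server is named ns1.*
        if NS_HOST.match(e["dst_host"]):
            hits.append({"pid": e["pid"], "image": e["image"], "host": e["dst_host"]})
    return hits

def correlated_pids(events):
    """PIDs that both side-loaded siteadv.dll and spoke UDP/53 to a fake nameserver."""
    loaders = {h["pid"] for h in sideload_alerts(events)}
    talkers = {h["pid"] for h in dns_masquerade_alerts(events)}
    return sorted(loaders & talkers)

if __name__ == "__main__":
    print(sideload_alerts(EVENTS))
    print(dns_masquerade_alerts(EVENTS))
    print(correlated_pids(EVENTS))
```

Either signal alone is noisy (legitimate SiteAdvisor installs, legitimate ns1.* resolvers); the intersection in correlated_pids is what merits escalation.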
Groups observed using it
5 distinct threat actors attributed by public researchers.
Other publicly available malware seen in relation to PKPLUG activity includes Poison Ivy and Zupdax.
The attackers also have access to the Zupdax backdoor: its modern variants use an execution scheme similar to MyKLoadClient, but the backdoor's own code dates back to 2010 and cannot be unambiguously attributed to the group.
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques
Persistence
2 techniques
To gain a foothold on a host, the Space Pirates group creates malicious services
Privilege Escalation
3 techniques
To gain a foothold on a host, the Space Pirates group creates malicious services
Install loader exe in registry run key and load payload... Alternatively, a shortcut file - “Internet Explorer.lnk” - with the same function may be placed in the %STARTUP% folder.
siteadv.dll contains ... an export ... responsible for bypassing UAC... the UAC bypass method used depends ... three known methods are implemented
Stealth
4 techniques
The Space Pirates group disguises its malware as legitimate software
Space Pirates malware encrypts its configuration data and payload with various algorithms
PlugX is usually distributed as a package of several files. These files are composed to exploit a phenomenon called DLL search order hijacking (also called sideloading)... The malware thus gets the unwitting help of a trusted executable to run.
the dropper also performs reflective loading and execution of an EXE file directly in the current process... Space Pirates malware uses reflective loading to run the payload in memory
Defense Impairment
1 technique
Some Zupdax samples have valid digital signatures... signed with a YD Online Corp. certificate... NFINITY GAMES... MITRE mapping: T1553.002
Discovery
3 techniques
The Space Pirates group collects information about the network settings of the infected machine
The Space Pirates group collects information about the users of compromised computers
Immediately after establishing a connection to the C2, the backdoor collects and sends system information... MITRE mapping: T1082
Command and Control
6 techniques
Data transferred is encrypted using RC4 with the encryption key “Microsoft”... Network traffic is LZ-compressed and base64 encoded... usernames and passwords are encrypted and base64 encoded.
Space Pirates malware supports multiple C2 servers and can update its C2 list via web pages
Once installed, the main payload connects back to C2 server and sets up communication... It is installed as a service in the Windows System folder, and when run, it sets up communication with C2 server over HTTP.
The malware will in some configurations try to disguise this as legitimate traffic by connecting to port 53 (DNS) on the command & control server, as well as deliberately naming the C2 domains with the ns* (nameserver) prefix.
The connection to the control server is over TCP, and the traffic is not encrypted... Zupdax ... uses the UDT protocol ... over UDP... Space Pirates malware uses custom protocols
The Space Pirates group downloads additional utilities from the C2 server using the certutil utility
IOCs tracked for this family
69 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Backdoor using UDT-over-UDP C2 with magic 0x12345678; collects host profiling immediately after connect. Supports plugin-based execution, C2 update, self-removal, and downloading/executing updates. Modern variants use a MyKLoadClient-like dropper/launcher chain (legit siteadv.exe + launcher + encrypted payload ok.obj), often launched via mrun (RC4 + reflective loading). Strong lineage to Redsip (Night Dragon-era) based on identical message structure/magic and command semantics.
Zupdax is cited as another malware family associated with PKPLUG activity, but the content provides no further functional detail.
A modular backdoor, in existence since at least 2014, that uses UDT over UDP to communicate with its C2. Its main capabilities come down to executing additional code and plugins received from the control server.
A remote access trojan used since at least early 2014 that employs DLL sideloading, RC4-encrypted payloads, UDT-based communications, and supports plugin loading, file download/execute, persistence, and service installation.