| SYMBOL | COMMON_NAME | aka. SYNONYMS |
This family describes the (initially small) loader, which downloads Zeus OpenSSL.
In June 2016, a new loader was dubbed DEloader by Fortinet. It has some functions borrowed from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (-> Zeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded.
The initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added, e.g. in v1.11.0.0 (September 2016) with size 27648 bytes. In January 2017 with v1.15.0.0, obfuscation was added, which blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which started the distribution of it at the same time.
Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl - the X to refer to IBM X-Force.
| 2024-07-29
⋅
Mandiant
⋅
UNC4393 Goes Gently into the SILENTNIGHT Black Basta QakBot sRDI SystemBC Zloader UNC4393 |
| 2024-04-29
⋅
Zscaler
⋅
Zloader Learns Old Tricks Zloader |
| 2024-02-14
⋅
K7 Security
⋅
Zloader Strikes Back Zloader |
| 2024-01-19
⋅
Zscaler
⋅
Zloader: No Longer Silent in the Night Zloader |
| 2023-07-29
⋅
Medium walmartglobaltech
⋅
Unknown powershell backdoor with ties to new Zloader Zloader |
| 2023-03-30
⋅
United States District Court (Eastern District of New York)
⋅
Cracked Cobalt Strike (1:23-cv-02447) Black Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader |
| 2023-02-27
⋅
PRODAFT Threat Intelligence
⋅
RIG Exploit Kit: In-Depth Analysis Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader |
| 2022-08-10
⋅
Avast Decoded
⋅
Avast Q2/2022 Threat Report: Farewell to Conti, Zloader, and Maldocs; Hello Resurrection of Raccoon Stealer, and more Ransomware Attacks Conti Raccoon RecordBreaker Zloader Caramel Tsunami |
| 2022-08-08
⋅
Medium CSIS Techblog
⋅
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader |
| 2022-06-24
⋅
Palo Alto Networks Unit 42
⋅
There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families BazarBackdoor Zloader |
| 2022-06-02
⋅
Youtube (AhmedS Kasmani)
⋅
Zloader Malware Analysis - 1. Unpacking First stage. Zloader |
| 2022-04-25
⋅
VinCSS
⋅
[RE026] A Deep Dive into Zloader - the Silent Night Zloader |
| 2022-04-25
⋅
Cybereason
⋅
THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems FAKEUPDATES Zloader |
| 2022-04-20
⋅
CISA
⋅
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet |
| 2022-04-20
⋅
CISA
⋅
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader |
| 2022-04-14
⋅
Avast Decoded
⋅
Zloader 2: The Silent Night ISFB Raccoon Zloader |
| 2022-04-13
⋅
Microsoft
⋅
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware BlackMatter Cobalt Strike DarkSide Ryuk Zloader |
| 2022-04-13
⋅
ESET Research
⋅
ESET takes part in global operation to disrupt Zloader botnets Cobalt Strike Zloader |
| 2022-04-13
⋅
UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA
⋅
Court order for taking down Zloader Infrastructure Zloader |
| 2022-04-13
⋅
Microsoft
⋅
Notorious cybercrime gang’s botnet disrupted Ryuk Zloader |
| 2022-03-14
⋅
CrowdStrike
⋅
Falcon OverWatch Threat Hunting Uncovers Ongoing NIGHT SPIDER Zloader Campaign Zloader |
| 2022-01-19
⋅
Sophos
⋅
Zloader Installs Remote Access Backdoors and Delivers Cobalt Strike Cobalt Strike Zloader |
| 2022-01-11
⋅
Medium walmartglobaltech
⋅
Signed DLL campaigns as a service BATLOADER Cobalt Strike ISFB Zloader |
| 2022-01-05
⋅
Check Point
⋅
Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk Zloader |
| 2021-11-03
⋅
Team Cymru
⋅
Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance DoppelDridex IcedID QakBot Zloader |
| 2021-10-19
⋅
Cisco
⋅
STRRAT, ZLoader, and HoneyGain STRRAT Zloader |
| 2021-10-18
⋅
ZLoader Reversing Zloader |
| 2021-09-29
⋅
Trend Micro
⋅
Zloader Campaigns at a Glance Zloader |
| 2021-09-29
⋅
Trend Micro
⋅
Zloader Campaigns at a Glance (IOCs) Zloader |
| 2021-09-13
⋅
SentinelOne
⋅
Hide and Seek | New Zloader Infection Chain Comes With Improved Stealth and Evasion Mechanisms Zloader |
| 2021-09-03
⋅
Trend Micro
⋅
The State of SSL/TLS Certificate Usage in Malware C&C Communications AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader |
| 2021-07-08
⋅
McAfee
⋅
Zloader With a New Infection Technique Zloader |
| 2021-06-23
⋅
K7 Security
⋅
Java Plug-Ins Delivering Zloader Zloader |
| 2021-05-26
⋅
DeepInstinct
⋅
A Deep Dive into Packing Software CryptOne Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader |
| 2021-05-14
⋅
GuidePoint Security
⋅
From ZLoader to DarkSide: A Ransomware Story DarkSide Cobalt Strike Zloader |
| 2021-05-11
⋅
Mal-Eats
⋅
Campo, a New Attack Campaign Targeting Japan AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader |
| 2021-05-10
⋅
Mal-Eats
⋅
Overview of Campo, a new attack campaign targeting Japan AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader |
| 2021-04-21
⋅
PhishLabs
⋅
ZLoader Dominates Email Payloads in Q1 Zloader |
| 2021-04-19
⋅
Cybleinc
⋅
ZLoader Returns Through Spelevo Exploit Kit & Phishing Campaign Zloader |
| 2021-04-12
⋅
PTSecurity
⋅
PaaS, or how hackers evade antivirus software Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader |
| 2021-03-29
⋅
Hornetsecurity
⋅
Zloader email campaign using MHTML to download and decrypt XLS Zloader |
| 2021-03-23
⋅
Quick Heal
⋅
Zloader: Entailing Different Office Files Zloader |
| 2021-03-17
⋅
HP
⋅
Threat Insights Report Q4-2020 Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader |
| 2021-03-10
⋅
⋅
NTT Security
⋅
日本を標的としたPseudoGateキャンペーンによるSpelevo Exploit Kitを用いた攻撃について Zloader |
| 2021-03-05
⋅
Forcepoint
⋅
Advancements in Invoicing - A highly sophisticated way to distribute ZLoader Zloader |
| 2021-03-01
⋅
Group-IB
⋅
Ransomware Uncovered 2020/2021 RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader |
| 2021-02-23
⋅
CrowdStrike
⋅
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
| 2021-02-23
⋅
PhishLabs
⋅
Surge in ZLoader Attacks Observed Zloader |
| 2021-02-02
⋅
⋅
CRONUP
⋅
De ataque con Malware a incidente de Ransomware Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader |
| 2020-12-23
⋅
0xC0DECAFE
⋅
Detect RC4 in (malicious) binaries SmokeLoader Zloader |
| 2020-12-21
⋅
Cisco Talos
⋅
2020: The year in malware WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader |
| 2020-11-20
⋅
ZDNet
⋅
The malware that usually installs ransomware and you need to remove right away Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader |
| 2020-11-18
⋅
Sophos
⋅
SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world Agent Tesla Dridex TrickBot Zloader |
| 2020-11-16
⋅
Malwarebytes
⋅
Malsmoke operators abandon exploit kits in favor of social engineering scheme Zloader |
| 2020-11-09
⋅
Bleeping Computer
⋅
Fake Microsoft Teams updates lead to Cobalt Strike deployment Cobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader |
| 2020-11-06
⋅
⋅
LAC WATCH
⋅
分析レポート:Emotetの裏で動くバンキングマルウェア「Zloader」に注意 Emotet Zloader |
| 2020-11-05
⋅
Twitter (@ffforward)
⋅
Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK Cobalt Strike Ryuk Zloader |
| 2020-10-28
⋅
SophosLabs Uncut
⋅
Hacks for sale: inside the Buer Loader malware-as-a-service Buer Ryuk Zloader |
| 2020-10-21
⋅
⋅
Alyac
⋅
ZLoader 악성코드, 사업 정지 경고로 위장해 유포중 Zloader |
| 2020-10-07
⋅
CrowdStrike
⋅
Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 2 QakBot Zloader |
| 2020-09-24
⋅
Click All the Things! Blog
⋅
zLoader XLM Update: Macro code and behavior change Zloader |
| 2020-09-02
⋅
Cisco Talos
⋅
Salfram: Robbing the place without removing your name tag Ave Maria ISFB SmokeLoader Zloader |
| 2020-08-19
⋅
SecurityLiterate
⋅
Chantay’s Resume: Investigating a CV-Themed ZLoader Malware Zloader |
| 2020-08-14
⋅
Twitter (@VK_intel)
⋅
Tweet on Zloader infection leading to Cobaltstrike Installation Cobalt Strike Zloader |
| 2020-07-30
⋅
Spamhaus
⋅
Spamhaus Botnet Threat Update Q2 2020 AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader |
| 2020-07-22
⋅
SentinelOne
⋅
Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW) ISFB Maze TrickBot Zloader |
| 2020-06-24
⋅
Morphisec
⋅
Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex Dridex ISFB QakBot Zloader |
| 2020-06-19
⋅
Click All the Things! Blog
⋅
zloader: VBA, R1C1 References, and Other Tomfoolery Zloader |
| 2020-06-19
⋅
Yet Another Security Blog
⋅
Further Evasion in the Forgotten Corners of MS-XLS Zloader |
| 2020-06-11
⋅
Nullteilerfrei Blog
⋅
API Hashing in the Zloader malware Zloader |
| 2020-06-02
⋅
Lastline Labs
⋅
Evolution of Excel 4.0 Macro Weaponization Agent Tesla DanaBot ISFB TrickBot Zloader |
| 2020-05-24
⋅
Nullteilerfrei Blog
⋅
Zloader String Obfuscation Zloader |
| 2020-05-21
⋅
Malwarebytes
⋅
The “Silent Night” Zloader/Zbot Zloader |
| 2020-05-20
⋅
Proofpoint
⋅
ZLoader Loads Again: New ZLoader Variant Returns Zloader |
| 2020-05-12
⋅
Yet Another Security Blog
⋅
Evading Detection with Excel 4.0 Macros and the BIFF8 XLS Format Zloader |
| 2020-04-26
⋅
Johannes Bader's Blog
⋅
The DGA of Zloader Zloader |
| 2020-04-07
⋅
Youtube (DissectMalware)
⋅
Malware Analysis in Action - Episode 2 Zloader |
| 2020-03-30
⋅
IBM
⋅
Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy Zeus OpenSSL Zloader |
| 2020-03-30
⋅
Bleeping Computer
⋅
Banking Malware Spreading via COVID-19 Relief Payment Phishing Zloader |
| 2020-03-13
⋅
Comae
⋅
Yet Another Active Email Campaign With Malicious Excel Files Identified Zloader |
| 2018-09-06
⋅
int 0xcc blog
⋅
Dissecting DEloader malware with obfuscation Zloader |
| 2017-06-15
⋅
Zeus Sphinx Pushes Empty Configuration Files — What Has the Sphinx Got Cooking? Zloader |
| 2017-01-26
⋅
SecurityIntelligence
⋅
Around the World With Zeus Sphinx: From Canada to Australia and Back Zloader |
| 2017-01-26
⋅
Malwarebytes
⋅
Zbot with legitimate applications on board Zloader |
| 2016-09-22
⋅
Forcepoint
⋅
Zeus Delivered by DELoader to Defraud Customers of Canadian Banks Zloader |
| 2016-06-21
⋅
Fortinet
⋅
The Curious Case of an Unknown Trojan Targeting German-Speaking Users Zloader |