Frequently Asked Questions

Zloader 2 Malware – Technical Details & Analysis

What is Zloader 2 and why is it called "The Silent Night"?

Zloader 2, also known as "The Silent Night," is a sophisticated malware family that consists of multiple modules including a downloader, backdoor, VNC module, and web injects. It is known for its stealthy operations, code obfuscation, and ability to evade detection, making it a persistent threat in the cyber landscape.

What are the main modules and components of Zloader 2?

Zloader 2 is composed of several modules: a Downloader (initial infector), Backdoor (main module, available in x86 and x64), VNC module (x86 and x64), Web Injects (received from C&C), and additional libraries (openssl, sqlite, zlib, Mozilla libraries). Each module has a unique ID for internal referencing.

How is Zloader 2 distributed to victims?

Zloader 2 is distributed via classic email spam campaigns and, in 2021, through malicious Google AdWords ads and fake websites (e.g., fake Zoom installers, fake adult sites). Downloaders are often packed and sometimes signed with valid digital signatures to evade detection.

What code obfuscation techniques does Zloader 2 use?

Zloader 2 uses extensive code obfuscation, including inserting unused functions, replacing simple instructions with complex "replacement" functions, encrypting strings with XOR, and resolving APIs at runtime by hashing their names. Over half the file size is dedicated to obfuscation.

How does Zloader 2 store its configuration and what information is included?

Both Downloader and Backdoor modules have built-in configuration encrypted with RC4. The decryption key is stored in plaintext. Modern versions store the botnet name, campaign name, hardcoded C&C servers, RC4 key, and other operational data.

How does Zloader 2 use the Windows registry?

Zloader 2 uses the registry (ROOT_KEY: HKEY_CURRENT_USER\Software\Microsoft) to store operational data, including a MAIN_STRUCT structure encrypted with RC4. This structure contains paths to other storages, files, directories, and encryption keys used by Zloader.
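Worked example (added here, not code from the original post or from Cymulate): the two answers above describe a built-in configuration encrypted with RC4 under a key stored in plaintext, and a MAIN_STRUCT registry value encrypted with RC4 under the key found inside that configuration. The block below implements RC4 and decrypts a constructed sample of both; the NUL-separated field layout and the treatment of the config key as an ASCII string are assumptions made for the example, not Zloader's real format.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_decrypted(plain: bytes) -> bool:
    """Key-check heuristic: a real config decrypts to mostly printable ASCII and NULs,
    while a wrong key yields byte soup (printable ratio around 37%)."""
    good = sum(32 <= b < 127 or b == 0 for b in plain)
    return good / max(len(plain), 1) > 0.95


def parse_config(plain: bytes) -> dict:
    """Split a decrypted config into the fields the post lists (botnet name,
    campaign name, RC4 key, hardcoded C&Cs). The NUL-separated layout is a
    constructed stand-in for this example, not Zloader's real structure."""
    if not looks_decrypted(plain):
        raise ValueError("does not look like plaintext: wrong key or not a config")
    fields = plain.rstrip(b"\x00").split(b"\x00")
    if len(fields) < 4:
        raise ValueError("too few fields for a config blob")
    return {
        "botnet": fields[0].decode(),
        "campaign": fields[1].decode(),
        "rc4_key": fields[2].decode(),
        "c2": [f.decode() for f in fields[3:]],
    }


def decrypt_config(plaintext_key: bytes, blob: bytes) -> dict:
    """The built-in config is RC4-encrypted under the key stored beside it in plaintext."""
    return parse_config(rc4(plaintext_key, blob))


def decrypt_main_struct(config: dict, blob: bytes) -> bytes:
    """MAIN_STRUCT (registry value) is RC4-encrypted with the key found inside the
    config. Using that key as its ASCII string is an assumption of this example."""
    return rc4(config["rc4_key"].encode(), blob)


# Constructed sample: key shape and field values as quoted in the post,
# placeholder C&C URLs. SAMPLE_BLOB stands in for bytes carved from a sample.
SAMPLE_KEY = b"vcvslrpvwwfanquofupxt"
SAMPLE_PLAINTEXT = b"\x00".join([
    b"divader", b"xls_s_2010", b"03d5ae30a0bd934a23b6a7f0756aa504",
    b"https://c2-placeholder-1.invalid/gate.php",
    b"https://c2-placeholder-2.invalid/gate.php",
])
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)
```

Because RC4 is symmetric, the same `rc4` call both builds the constructed sample and decrypts it; `looks_decrypted` is the check to run when the plaintext key has to be guessed from several candidates in a dump.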

Where does Zloader 2 store its modules and stolen data?

Zloader 2 creates directories with random names inside the %APPDATA% folder to store modules, stolen data, and logs. The paths are recorded in the MAIN_STRUCT registry structure.

How does Zloader 2 communicate with its command and control (C&C) servers?

Zloader 2 communicates with C&C servers using encrypted messages (RC4) and signed responses (RSA). It uses hardcoded C&Cs, domains generated by a Domain Generation Algorithm (DGA), and C&Cs received from the server, which are stored in the registry.

What is the purpose of the junk code in Zloader 2?

The junk code in Zloader 2 is designed to delay payload execution and complicate analysis, emulation, and debugging. It consists of many unused functions and file operations in the %TEMP% directory.

How does Zloader 2 achieve persistence on infected systems?

Zloader 2 achieves persistence by copying the Downloader module into %APPDATA% and adding it to the autorun key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a random value name.
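Detection example for the persistence pattern just described (added here; not code from the original post or from Cymulate): a Run value with a random name whose command points to an executable one directory level under %APPDATA%. The block takes (value name, command) pairs so it runs offline on the constructed sample; on a live host the pairs would come from a registry export or a winreg enumeration of the Run key, which this example does not include. The random-name heuristic is an assumption of the example, not a documented Zloader property.

```python
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Matches %APPDATA% or its expanded form, followed by exactly one directory
# level and the executable, e.g. ...\AppData\Roaming\Xmvtqpla\lwkqcjez.exe
APPDATA_RE = re.compile(
    r"(?:%APPDATA%|\\AppData\\Roaming)\\(?P<dir>[^\\]+)\\(?P<exe>[^\\]+\.exe)$",
    re.IGNORECASE,
)


def command_path(command: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""


def looks_random(token: str) -> bool:
    """Heuristic for generated names: alphabetic and either vowel-poor or with a
    long consonant run. Product names such as Spotify or OneDrive do not match."""
    token = re.sub(r"\.exe$", "", token, flags=re.IGNORECASE)
    if len(token) < 6 or not token.isalpha():
        return False
    lower = token.lower()
    vowel_ratio = sum(ch in "aeiou" for ch in lower) / len(lower)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", lower)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 4


def suspicious_run_entries(entries):
    """entries: iterable of (value_name, command). Returns the value names that
    match the pattern: an .exe one level under %APPDATA% with a random-looking
    value name, directory name or file name."""
    flagged = []
    for name, command in entries:
        m = APPDATA_RE.search(command_path(command))
        if not m:
            continue  # not one level under %APPDATA%: outside the pattern
        if any(looks_random(t) for t in (name, m.group("dir"), m.group("exe"))):
            flagged.append(name)
    return flagged


# Constructed sample of Run values; only the third mimics the post's description.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Spotify", r'"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe" --autostart'),
    ("Ycqhokzw", r"C:\Users\alice\AppData\Roaming\Xmvtqpla\lwkqcjez.exe"),
]

if __name__ == "__main__":
    for name in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"suspicious autorun value under {RUN_KEY}: {name}")
```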

What are the main capabilities of the Zloader 2 Backdoor module?

The Backdoor module can start a VNC module, inject web injects into browsers, download and execute arbitrary files, log keystrokes, take screenshots, and steal files (including crypto wallets, browser cookies, and Outlook accounts).

How does Zloader 2 perform process injection and hooking?

Zloader 2 injects its Backdoor module into processes like explorer.exe, msiexec.exe, and browsers (iexplore.exe, firefox.exe, chrome.exe, msedge.exe). It hooks WinAPI functions such as NtCreateUserProcess, NtCreateThread, ZwDeviceIoControlFile, TranslateMessage, CertGetCertificateChain, and CertVerifyCertificateChainPolicy to facilitate persistence, web injection, and keylogging.

What is the role of web injects in Zloader 2's operation?

Web injects allow Zloader 2 to manipulate browser traffic by injecting JavaScript code into web pages. This enables credential theft, session hijacking, and other malicious activities. The injected code is loaded from attacker-controlled domains.

How does Zloader 2 use Domain Generation Algorithms (DGA)?

Zloader 2 uses a DGA to generate 32 domains based on the current date and RC4 key from the configuration. This helps bypass blocking of hardcoded C&C servers and maintain communication with attackers.

What types of files and data does Zloader 2 target for theft?

Zloader 2 targets crypto wallet files (Electrum, Ethereum, Exodus, Zcash, Bitcoin-Qt, etc.), browser cookies (Chrome, Firefox, IE), saved logins from Chrome, and Microsoft Outlook account information.

How does Zloader 2 delay execution and evade analysis?

Zloader 2 delays execution by running junk code and performing file operations in %TEMP%. This complicates emulation and debugging, making it harder for analysts to study the malware.

What is the significance of the MAIN_STRUCT in Zloader 2?

The MAIN_STRUCT is a registry structure encrypted with RC4 that stores critical operational data for Zloader 2, including paths to modules, stolen data, and encryption keys. It is essential for the malware's persistence and operation.

How does Zloader 2 update its configuration and modules?

Zloader 2 can receive configuration updates, new C&C servers, web injects, and download tasks from its C&C servers. Modules are downloaded by their ID and stored for execution.

What browsers and processes does Zloader 2 target for injection?

Zloader 2 targets explorer.exe, msiexec.exe, and browsers such as Internet Explorer, Firefox, Chrome, and Microsoft Edge for injection of its Backdoor module.

How does Zloader 2 use WinAPI hooking for its operations?

Zloader 2 hooks WinAPI functions to inject its code into new processes, support web injection mechanisms, and log keystrokes or create screenshots. This allows it to maintain persistence and perform malicious activities undetected.

How does Zloader 2 synchronize its proxy port between Backdoor instances?

The proxy port number used for man-in-the-browser attacks is stored in the BinStorage structure in the registry, allowing synchronization between different Backdoor instances running on the system.

How does Zloader 2's web inject mechanism work?

Injected code in browsers loads JavaScript from attacker-controlled domains. This code can manipulate web pages, steal credentials, and facilitate financial fraud. The mechanism relies on process injection and WinAPI hooking for effectiveness.

Cymulate Platform – Features, Use Cases & Security Validation

How does Cymulate help organizations defend against threats like Zloader 2?

Cymulate enables organizations to simulate real-world cyberattacks, including malware like Zloader 2, to test and validate their security defenses. The platform provides continuous threat validation, identifies security gaps, and offers actionable remediation to strengthen defenses against advanced threats.

What types of threats can Cymulate validate?

Cymulate validates threats across the full kill chain, including phishing, malware, lateral movement, data exfiltration, and zero-day exploits, using daily updated threat templates and AI-generated attack plans.

What are the key features of Cymulate's Exposure Management Platform?

Key features include continuous threat validation, exposure awareness, defensive posture optimization, attack path discovery, automated mitigation, comprehensive integration with SIEM/EDR tools, and dedicated cloud security validation.

How does Cymulate's immediate threats module benefit security teams?

Cymulate's immediate threats module is rapidly updated to reflect new attacks, allowing organizations to quickly assess their exposure and implement remedial actions. Customers praise its speed and relevance for proactive defense.

What types of endpoint threats and techniques does Cymulate simulate?

Cymulate simulates known malicious file samples, malicious behaviors, ransomware, worms, trojans, rootkits, DLL side-loading, and code injection to validate endpoint security controls.

How does Cymulate prioritize threat exposures?

Cymulate uses automated threat validation and exposure scoring to identify and rank vulnerabilities based on exploitability and business impact, helping teams focus on exposures not protected by security controls.

What integrations does Cymulate support?

Cymulate integrates with leading security tools such as BlackBerry Cylance, Carbon Black, Cisco Secure Endpoint, CrowdStrike Falcon, SentinelOne, AWS GuardDuty, Splunk, Rapid7 InsightVM, Akamai Guardicore, and more. For a full list, visit the Partnerships and Integrations page.

What security and compliance certifications does Cymulate hold?

Cymulate is certified for SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1, demonstrating adherence to industry-leading security and privacy standards.

How easy is it to implement Cymulate and start using it?

Cymulate is known for its quick deployment and agentless mode, allowing organizations to start running simulations almost immediately with minimal configuration. Customers consistently praise its ease of use and intuitive interface.

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, Security Operations (SecOps) teams, Red Teams, Detection Engineers, and Vulnerability Management teams across industries such as finance, healthcare, and technology.

What business impact can organizations expect from Cymulate?

Organizations using Cymulate report a 52% reduction in critical exposures, 60% increase in team efficiency, 81% reduction in cyber risk within four months, and 30% improvement in threat prevention.

How does Cymulate compare to competitors like AttackIQ, Mandiant, Pentera, Picus, SafeBreach, Scythe, and NetSPI?

Cymulate differentiates itself with the industry's largest threat scenario library, AI-powered automation, continuous innovation, ease of use, and comprehensive exposure validation. Each competitor has different strengths, but Cymulate is recognized as a leader in exposure validation by Gartner and G2.

What technical documentation is available for Cymulate?

Cymulate provides whitepapers, data sheets, and integration guides covering its Exposure Management Platform, custom attacks, technology integrations, and MITRE ATT&CK alignment.

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs, based on chosen package, number of assets, and scenarios. For a custom quote, schedule a demo.

What pain points does Cymulate address for security teams?

Cymulate addresses overwhelming threat volume, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers for CISOs and security teams.

What customer feedback has Cymulate received regarding ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly design and ease of implementation. Testimonials highlight the platform's simplicity and actionable insights.

What is the vision and mission of Cymulate?

Cymulate's vision is to lead the way in cybersecurity strategy, making the world safer. Its mission is to empower organizations against threats and make advanced cybersecurity as simple as sending an email.

What is an insider threat?

An insider threat is a security risk originating from within an organization, such as employees, contractors, or partners with legitimate access. They can be malicious, negligent, or compromised by external attackers.

What types of cyber threats does the financial services sector face?

The financial services sector faces sophisticated threats such as ransomware, phishing, and advanced persistent threats (APTs), requiring robust security controls.

What is the Rubella Macro Builder and how is it used by cybercriminals?

Rubella Macro Builder is a crimeware kit sold on dark web forums, enabling easy malware spam campaigns. It allows users to select payloads and distribution methods, and has been used in attacks against financial institutions.

What is the main topic of the blog post 'Zero-Click, One NTLM: Microsoft Security Patch Bypass (CVE-2025-50154)'?

The blog post discusses a vulnerability that allows attackers to bypass Microsoft's patch for CVE-2025-24054, enabling NTLM hash leakage and silent binary downloads in zero-click scenarios.

What are the key risks associated with the CVE-2025-50154 Microsoft security patch bypass?

Key risks include NTLM hash leakage in zero-click scenarios, silent remote binary downloads, potential for credential theft, ransomware deployment, lateral movement, and chaining of weaknesses for powerful compromise paths.


Zloader 2 - The Silent Night

April 24, 2022

Modules and components

Zloader consists of different modules and components:

- Downloader - initial infector
- Backdoor - main module, exists in x86 and x64 versions
- VNC module (x86 and x64)
- Web Injects - received from C&C
- Additional libraries (openssl, sqlite, zlib, Mozilla libraries)

Backdoors, VNC modules and additional libraries have assigned module IDs that other components use to refer to them.

Distribution

Zloader was distributed using classic email spam. In 2021 the attackers abused Google AdWords to advertise sites offering a fake Zoom communication tool which actually installed Zloader. Another campaign in 2021 used fake porn sites, where users needed to download additional software to watch a video. Downloaders are distributed in packed form, sometimes signed with a valid digital signature.

Code peculiarities

Zloader code is very recognizable. First of all, it is diluted with functions which will never be called. The Downloader module may contain functions from the Backdoor module and vice versa. In total, about half of the code will never be called.

Second, simple x86 instructions like CMP, ADD and XOR are replaced with special functions. These functions contain a lot of useless code to complicate the analysis, and they can call other "replacement" functions. To add insult to injury, multiple "replacement" functions exist for a particular instruction. Some constants are also calculated at runtime using the aforementioned "replacement" functions.

Strings are encrypted with a simple XOR algorithm. Samples import very few functions; APIs are resolved at runtime by the hashes of their names.

As a result, more than half of the file size is useless and serves only to obfuscate simple operations.

Configuration

Both Downloader and Backdoor modules have a built-in configuration encrypted with RC4. The decryption key is stored in plaintext and looks like vcvslrpvwwfanquofupxt.
The structure of earlier versions (1.0.x, for example) differs from later versions (1.6.x and 1.8.x). Modern versions store the following information in the config:

- Botnet name (divader in the sample shown)
- Campaign name (xls_s_2010)
- List of hardcoded C&Cs
- RC4 key (03d5ae30a0bd934a23b6a7f0756aa504)

Registry usage

Zloader modules (at least Downloaders and Backdoors) use the registry to store various data necessary for their work. The ROOT_KEY for this data is HKEY_CURRENT_USER\Software\Microsoft.

The most important and interesting data structure stored by Zloader in the registry is called MAIN_STRUCT. It is stored under a subkey of the ROOT_KEY, and its value name is derived from the RC4 key found in the configuration. Presumably bots from one actor use the same RC4 key, so they can easily find and read the MAIN_STRUCT. MAIN_STRUCT is encrypted using RC4 with the key from the configuration. It stores:

- Registry paths to other storages used by Zloader
- File and directory paths used by Zloader
- Encryption key(s) to decrypt those storages

Files usage

The root path is %APPDATA%. Zloader creates directories with random names inside it to store modules, stolen data and logs. These paths are stored in the MAIN_STRUCT.

Networking

Communication between the bot and the C&C is done using BinStorage structures. Depending on the actual type of the message the field list may change, but there are 5 constant fields sent to the C&C:

- Some DWORD from the Configuration
- Botnet name from the Configuration
- BotID, derived from the system information
- Debug flag from the Configuration
- 16 random bytes

Requests are encrypted using the RC4 key from the Configuration. C&C responses are signed with RSA.

PING request

This request is used to check if the C&C is alive. The response contains only the random bytes sent by the bot.

DOWNLOAD MODULE request

This request is used to download modules by their ID from the C&C. The response is not in a BinStorage form!
GET CONFIG request

Used to receive configuration updates: new C&Cs, WebInjects, tasks for downloading, etc.

C&Cs and DGA

As shown above, the built-in configuration has a list of hardcoded C&Cs. Actually, these lists have not changed for years. To bypass blocking of these hardcoded C&Cs, Zloader uses a DGA - Domain Generation Algorithm. In Zloader, the DGA produces 32 domains based on the current date and the RC4 key from the configuration. There is a third type of C&Cs: those received in a response from the server. They are stored in the Registry.

Main function

Just after the start of the Downloader module, junk code is executed. It consists of many junk functions which form a kind of "network"; the original post shows the call graph of just a single junk function. These functions also try to read, write and delete some *.txt files in %TEMP%. The purpose of this is to delay the execution of the payload and, presumably, to complicate emulation, debugging and analysis.

The second and last task of the Main function is to start msiexec.exe and perform PE injection of the code into it. The injected data consists of two buffers: a big one, where the Downloader is stored in encrypted form, and a small one (0x42 bytes) with the decryption code. Just after the injection the Downloader terminates itself.

Injected code

Control flow is passed to the small buffer, which decrypts the Downloader in the address space of msiexec.exe. After the decryption, the Downloader begins to execute its main task. First of all, the injected code tries to read MAIN_STRUCT from the registry. If this fails, it assumes it is not yet installed on this system and the installation process begins: MAIN_STRUCT is created, the Downloader module is copied into %APPDATA% and added to the autorun key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a random value name. In any case, the Backdoor module is then requested from the disk or from the network and executed.
Backdoor module

Analysis based on version 1.6.28.0, c7441a27727069ce11f8d54676f8397e85301b4d65d4d722c6b239a495fd0282

There are actually two Backdoor modules: for 32-bit systems (moduleID 0x3EE) and for 64-bit systems (moduleID 0x3E9). The Downloader always requests a 32-bit Backdoor.

Backdoors are much more complicated than Downloaders. Comparing the sizes of the unpacked samples, the Backdoor is twice as big.

Key Backdoor abilities:

- Starting the VNC module
- Injecting WebInjects into the pages visited in browsers
- Downloading and executing arbitrary files
- Keylogging
- Making screenshots
- Stealing files and sending them to the C&C

Stealing files

The largest group of software from which Zloader steals files is crypto wallets:

- Electrum
- Ethereum
- Exodus cryptowallet
- Zcash
- Bitcoin-Qt
- Etc.

It also steals data from browsers: cookies from Chrome, Firefox and IE, and saved logins from Chrome. Finally, it is able to steal account information from Microsoft Outlook.

Hooking

To achieve its goals, Zloader performs WinAPI hooking. To do so, the Backdoor module enumerates processes and injects itself into the following ones:

- explorer.exe
- msiexec.exe
- iexplore.exe
- firefox.exe
- chrome.exe
- msedge.exe

The 64-bit version of the Backdoor is injected into 64-bit processes, the 32-bit version into 32-bit processes. The injected code hooks the following WinAPI functions:

- NtCreateUserProcess
- NtCreateThread
- ZwDeviceIoControlFile
- TranslateMessage
- CertGetCertificateChain
- CertVerifyCertificateChainPolicy

The hooks can be divided into 3 groups, depending on their purpose:

- NtCreateUserProcess and NtCreateThread are hooked to inject the Backdoor module into newly created threads and processes.
- ZwDeviceIoControlFile, CertGetCertificateChain and CertVerifyCertificateChainPolicy are hooked to support the WebInjection mechanism.
- TranslateMessage is hooked to log the keys pressed and to create screenshots.

Web Injecting

First of all, browsers must have a Backdoor module injected.
At this moment, there are multiple instances of the Backdoor module running in the system: one started by the Downloader, which is the "Main Instance", and others running in browsers. The Main Instance starts a man-in-the-browser proxy; the other instances hook ZwDeviceIoControlFile and the cert-related WinAPIs (see above). The proxy port number is stored in a BinStorage structure in the Registry, so it is synchronized between Backdoor instances.

The hooked ZwDeviceIoControlFile function waits for IOCTL_AFD_CONNECT or IOCTL_AFD_SUPER_CONNECT and routes connections to the proxy. The hooked cert-related functions tell the browser that everything is fine with the certificates, so the proxied TLS connections do not raise certificate errors.

WebInjects

Injected code is usually small: from dozens of bytes up to 20 KB. To perform its tasks, it loads JavaScript code from external domains controlled by the attackers. Analysis of these domains allowed us to find connections between Zloader operators and other cybercrime groups.