Technical Analysis of Xloader Versions 6 and 7 | Part 1

Introduction: Xloader is a malware family that is the successor to Formbook, with information-stealing capabilities targeting web browsers, email clients, and File Transfer Protocol (FTP) applications. The malware is also able to deploy second-stage payloads to an infected system. The author of Xloader regularly adds new functionality to target more ...

Technical Analysis of RiseLoader

Introduction: In October 2024, Zscaler ThreatLabz came across malware samples that use a network communication protocol similar to RisePro. However, unlike RisePro, which has primarily been used for information stealing, this new malware specializes in downloading and executing second-stage payloads. Due to its distinctive focus and similarities with RisePro's communication ...

Inside Zloader’s Latest Trick: DNS Tunneling

Introduction: Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular Trojan based on the leaked Zeus source code that emerged in 2015. The malware was originally designed to facilitate banking fraud via Automated Clearing House (ACH) and wire transfers. However, similar to other malware families like Qakbot and Trickbot, Zloader ...

SmokeBuster: Keeping Systems SmokeLoader Free

Introduction: In May 2024, international law enforcement agencies, in collaboration with private industry partners (including Zscaler ThreatLabz), conducted Operation Endgame, disrupting many prominent malware loaders including Smoke (a.k.a. SmokeLoader or Dofoil). This operation led to the seizure of more than 1,000 SmokeLoader command-and-control (C2) domains and remotely cleaned over 50K infections ...

Shining Light on the Dark Angels Ransomware Group

The Dark Angels ransomware threat group launched attacks beginning in April 2022 and has since been quietly executing highly targeted attacks. Dark Angels operates with more stealthy and sophisticated strategies than many other ransomware groups. Instead of outsourcing breaches to third-party initial access brokers that target a wide range of ...

A Brief History of SmokeLoader, Part 2

Introduction: In this two-part blog series, we explore the evolution of SmokeLoader, a malware downloader that has been active since 2011. In Part 1, we explored early versions of SmokeLoader, from its initial rudimentary framework to its adoption of a modular architecture and the introduction of encryption and obfuscation. This blog provides ...

A Brief History of SmokeLoader, Part 1

Introduction: This is Part 1 in our series on the history of SmokeLoader. Stay tuned for Part 2. In May 2024, Zscaler ThreatLabz's technical analysis of SmokeLoader supported an international law enforcement action known as Operation Endgame, which remotely disinfected tens of thousands of infections. In the process of providing assistance to ...

Operation Endgame: Up In Smoke

Introduction: Smoke (a.k.a. SmokeLoader or Dofoil) is a malware loader that has been operational since 2011. Smoke is primarily used to deliver second-stage malware payloads, including various trojans, ransomware, and information stealers. In addition, Smoke can deploy its own custom plugins that extend its functionality, including mining cryptocurrency, harvesting credentials, and ...

Insight from the Front Lines: Zscaler ThreatLabZ to Give Keynote at Zenith Live

We're excited to announce that Zscaler ThreatLabZ will be a part of our keynote lineup at this year's Zenith Live on June 15 and 16. Backed by the world's largest security cloud, Zscaler ThreatLabZ is our internal research team dedicated to uncovering and investigating emerging threats, while educating the cybersecurity ...