ZeroT
ZeroT is a Windows downloader/loader first observed in 2016 and used to install second-stage malware, primarily the PlugX remote access Trojan. Public reporting links its use to a China-linked espionage actor tracked by Proofpoint as TA459, targeting organizations and individuals in Russia, Belarus, Central Asia, Mongolia, and neighboring regions, including military and aerospace targets and financial-sector targets such as analysts covering telecommunications.
Observed delivery vectors include spear-phishing emails with malicious Microsoft Word documents exploiting CVE-2012-0158 and CVE-2017-0199, Microsoft Compiled HTML Help (.chm) droppers, and RAR/RAR SFX archives and SCR executables. In one 2017 chain, a Word document exploiting CVE-2017-0199 downloaded an HTA disguised as an RTF file, which used VBScript and PowerShell to retrieve and execute ZeroT.
ZeroT has used DLL side-loading with legitimate signed executables, including Norman Safeground AS Zlh.exe and later McAfee mcut.exe, to load malicious DLLs such as nflogger.dll. Related components and samples have used obfuscation with dummy API calls and junk code, RC4 decryption, and RtlDecompressBuffer to unpack payloads; some DLLs were packed with UPX. The malware has also tampered with PE header constants and can perform UAC bypass via eventvwr.exe by modifying registry keys to execute a malicious file.
For command and control, ZeroT communicates over HTTP and has used fake browser User-Agent strings. It sends host fingerprinting data to its C2 server, including computer name, local IP address, system language, domain information, and Windows version. Both the POSTed data and the C2 responses have been RC4-encrypted.
A notable capability is retrieval of stage-two payloads hidden in BMP images using least significant bit (LSB) steganography. ZeroT shellcode decrypts and decompresses its RC4-encrypted payload, and some variants extracted malicious modules from BMP files downloaded from C2 infrastructure. The second-stage payloads recovered this way were primarily PlugX, although 2017 TA459 activity also, less commonly, delivered PCRat/Gh0st.
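The LSB technique described here (and quoted again under Stealth below) is simple enough to show end to end. The following is an added example, not ZeroT's or Proofpoint's code: it builds a small 24-bit BMP cover image in memory, hides a constructed marker+length+payload container in the least significant bit of each colour byte, and then runs an analyst-side extractor that walks the LSB plane and parses the container. The cover image, the `STEG` marker and the container layout are assumptions made for the demo; a real sample would need the family's own container format, which this page does not give.

```python
"""Added example (not ZeroT's or Proofpoint's code): a constructed 24-bit BMP
cover image, a constructed marker+length+payload container hidden in the pixel
LSBs, and an analyst-side extractor that walks the LSB plane to recover it."""
import struct

MAGIC = b"STEG"                 # constructed container marker (assumption, not ZeroT's layout)
HEADER_LEN = len(MAGIC) + 4     # marker + 32-bit little-endian payload length
SAMPLE_PAYLOAD = b"constructed stage-2 stub"  # stands in for a downloaded module


def build_bmp(width, height, bgr_pixels):
    """Write a minimal uncompressed 24-bit BMP.

    bgr_pixels: width*height*3 bytes, row-major with the top row first.
    Rows are stored bottom-up and padded to a 4-byte boundary, as BMP requires.
    """
    if len(bgr_pixels) != width * height * 3:
        raise ValueError("pixel buffer size does not match dimensions")
    row_len = width * 3
    pad = (-row_len) % 4
    body = bytearray()
    for y in range(height - 1, -1, -1):                 # bottom-up row order
        body += bgr_pixels[y * row_len:(y + 1) * row_len] + b"\x00" * pad
    offset = 14 + 40                                    # file header + BITMAPINFOHEADER
    file_hdr = struct.pack("<2sIHHI", b"BM", offset + len(body), 0, 0, offset)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(body), 2835, 2835, 0, 0)
    return bytes(file_hdr + info_hdr + body)


def make_cover(width=16, height=16):
    """Constructed gradient cover image; 16x16x3 = 768 colour bytes = 96 bytes of LSB capacity."""
    pixels = bytes((x * 7 + y * 13 + c * 5) & 0xFF
                   for y in range(height) for x in range(width) for c in range(3))
    return build_bmp(width, height, pixels)


def pixel_byte_offsets(bmp):
    """Yield the file offset of every colour byte, skipping BMP row padding."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    bpp = struct.unpack_from("<H", bmp, 28)[0]
    if bpp != 24:
        raise ValueError("this example handles uncompressed 24-bit BMPs only")
    row_len = width * 3
    stride = row_len + (-row_len) % 4
    for row in range(abs(height)):
        base = offset + row * stride
        for i in range(row_len):
            yield base + i


def embed_lsb(bmp, payload):
    """Produce the test image: MAGIC+len+payload written MSB-first into colour-byte LSBs."""
    data = MAGIC + struct.pack("<I", len(payload)) + payload
    offsets = list(pixel_byte_offsets(bmp))
    if len(data) * 8 > len(offsets):
        raise ValueError("cover image too small for payload")
    out = bytearray(bmp)
    bits = ((byte >> (7 - k)) & 1 for byte in data for k in range(8))
    for pos, bit in zip(offsets, bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def extract_lsb(bmp):
    """Analyst-side recovery: rebuild the LSB bitstream and parse the container.

    Returns the hidden payload, or None when no MAGIC marker is present.
    """
    lsbs = [bmp[pos] & 1 for pos in pixel_byte_offsets(bmp)]

    def read_bytes(start_bit, count):
        chunk = lsbs[start_bit:start_bit + count * 8]
        if len(chunk) < count * 8:
            return None
        out = bytearray()
        for i in range(0, len(chunk), 8):
            value = 0
            for bit in chunk[i:i + 8]:
                value = (value << 1) | bit
            out.append(value)
        return bytes(out)

    head = read_bytes(0, HEADER_LEN)
    if head is None or head[:len(MAGIC)] != MAGIC:
        return None
    length = struct.unpack("<I", head[len(MAGIC):])[0]
    return read_bytes(HEADER_LEN * 8, length)


def changed_bytes(a, b):
    """How many bytes differ between cover and stego image (at most one per hidden bit)."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, SAMPLE_PAYLOAD)
    print("recovered:", extract_lsb(stego))
    print("bytes touched:", changed_bytes(cover, stego), "of", len(cover))
```

The point for triage is the last line of output: only one bit per colour byte changes, so the stego image is byte-for-byte the same size as the cover and visually indistinguishable, which is why file-size and image-rendering checks do not catch this; an analyst has to dump the LSB plane and look for structure in it.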
For persistence, ZeroT has been used to add a new Windows service so that PlugX persists and runs at system startup. Reported infrastructure overlaps link ZeroT activity with NetTraveler and earlier PlugX operations, including the domains tassnews[.]net, riaru[.]net, and versig[.]net.
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories.
CVE | Evidence (source quote) | Evidence (source quote)
CVE-2017-0199 | "attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan... In this campaign, attackers used a Microsoft Word document called 0721.doc, which exploits CVE-2017-0199. This vulnerability was disclosed and patched days prior to this attack." | "attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan, which in turn downloaded the PlugX Remote Access Trojan (RAT)."
CVE-2012-0158 | "In previous campaigns, the group used spear-phishing emails with Microsoft Word document attachments utilizing CVE-2012-0158... Attackers also continued to send spear-phishing emails with Microsoft Word attachments utilizing CVE-2012-0158 to exploit the client." | "Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails."
Groups observed using it
1 distinct threat actor attributed by public researchers.
TA459 | "attackers opportunistically used spear-phishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan, which in turn downloaded the PlugX Remote Access Trojan (RAT)."
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
the group used spear-phishing emails with Microsoft Word document attachments utilizing CVE-2012-0158, or URLs linking to RAR-compressed executables... added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.
Execution (5 techniques)
uses PowerShell to download yet another script: power.ps1. This is a PowerShell script that downloads and runs the ZeroT payload cgi.exe.
the HTA’s VBScript changes the window size and location and then uses PowerShell to download yet another script
Attackers also continued to send spear-phishing emails with Microsoft Word attachments utilizing CVE-2012-0158 to exploit the client. These documents were built with MNKit
Persistence (1 technique)
Privilege Escalation (3 techniques)
The encrypted ZeroT payload, named Mctl.mui, is decoded in memory revealing a similarly tampered PE header
Stealth (9 techniques)
This executable is obfuscated... dummy API calls inserted in between real instructions... the PE header of ZeroT has been tampered with, specifically the “MZ” and “PE” constants
Usually the DLL is not packed, but we have observed instances compressed by UPX
Analysis of the F.bmp image revealed that it is indeed using Least Significant Bit (LSB) Steganography... embeds data in an image without significantly affecting its appearance.
Defense Evasion. ...Two techniques operate at once: Steganography (T1027.003) to obfuscate the payload and Embedded Payloads (T1027.009) to hide code inside a media file.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
The payload is actually an HTML Application (HTA) file, not an RTF document.
The encrypted ZeroT payload, named Mctl.mui, is decoded in memory revealing a similarly tampered PE header
Discovery (3 techniques)
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
This POST sends basic fingerprinting data including computer name, system language, domain information and Windows versioning.
Examples include "Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found," "DropBook has checked for the presence of Arabic language," and "Maze has checked the language of the infected system using the GetUSerDefaultUILanguage function."
Collection (2 techniques)
Examples in the content include malware extracting or unpacking ZIP, RAR, CAB, tar.gz, and other archived content, such as 'Emotet has used a self-extracting RAR file to deliver modules to victims' and 'Rocke has extracted tar.gz files after downloading them from a C2 server.'
Command and Control (4 techniques)
ZeroT still expects an RC4-encrypted response using a static key ... All posts are encrypted
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
The final piece of ZeroT’s C&C protocol is to retrieve any stage-2 payloads... the ones we did observe were RAR SFX archives used to deliver PlugX.
"3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."
IOCs tracked for this family
57 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
18 sources tracked across advisories, community write-ups, and news.
A loader from the Enfal ecosystem that uses steganography: it downloads BMP files from the C2 and extracts payload modules hidden in their least significant bits.
Backdoor/RAT referenced in related infrastructure/attribution discussion (TA459 reporting).
A malware family referenced as part of earlier attacks whose infrastructure showed indirect overlap with domains later associated with ShadowPad-related activity.
Trojan that adds a new service to ensure PlugX persists when delivered as a secondary payload.