MalwareUsed by 1 actor

zgRAT

zgRAT is a malware family observed as a secondary payload in multiple intrusion chains and malware-delivery campaigns. Across the provided reporting, it is delivered by or alongside other malware including StealC, Rhadamanthys, DOILoader, XTinyLoader, CastleLoader, HijackLoader, Amadey, and DanaBot-linked activity. Observed delivery methods include DLL sideloading, PowerShell-based execution chains, and staged loader activity. In one Lovable-abuse campaign, a Dropbox-hosted RAR archive contained a renamed legitimate signed Ace Stream executable and dependencies that sideloaded a trojanized PYTHON27.DLL containing DOILoader; DOILoader then executed an encrypted payload in Vos.xwtx to run zgRAT, with C2 identified as 84[.]32[.]41[.]163:7705. In a tax-themed campaign, a JavaScript file hosted on Microsoft Azure launched PowerShell, which executed Rhadamanthys and then downloaded and ran zgRAT. In a hospitality-focused Booking.com impersonation campaign active from December 2025 through March 2026, victims were tricked via ClickFix-style lures into executing PowerShell, leading to ZIP delivery and DLL sideloading through a legitimate psl.exe binary loading a trojanized libpsl-5.dll; the final payloads were zgRAT and PureHVNC. That campaign provided remote access, screen control, credential theft, and persistence, and was assessed as a financially motivated CIS-linked cybercrime operation. Reporting also states that zgRAT has used Discord webhooks to steal sensitive information including credentials, browser cookies, and cryptocurrency wallets from compromised devices, and that Discord CDN URLs have been used to deliver zgRAT as a second-stage payload. Additional observed contexts include Rhadamanthys campaigns where DOILoader loaded zgRAT, GrayBravo TAG-160 logistics-themed activity delivering zgRAT, and StealC ecosystems where researchers observed zgRAT among delivered payloads. High-confidence indicators directly mentioned in the content include the C2 endpoint 84[.]32[.]41[.]163:7705 and the encrypted payload filename Vos.xwtx in the DOILoader-to-zgRAT chain.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Aggah

This PowerShell script ran Rhadamanthys malware. Rhadamanthys was then observed to download and run zgRAT.

via proofpointproofpoint.com

MITRE ATT&CK

Techniques & procedures

20 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1566.002Spearphishing LinkEvidence2

MITRE ATT&CK Mapping Tactic Technique ID Implementation Initial Access Phishing: Spearphishing Link T1566.002 Booking.com themed Italian spam

Execution

5 techniques

T1059.001PowerShellEvidence2

The JavaScript called PowerShell to run a remote PowerShell script. This PowerShell script ran Rhadamanthys malware.

T1059.007JavaScriptEvidence1

These messages contained URLs leading to a download of a JavaScript file hosted on Microsoft Azure. The JavaScript called PowerShell to run a remote PowerShell script.

T1204User ExecutionEvidence2

These messages contained URLs leading to a download of a JavaScript file hosted on Microsoft Azure. The JavaScript called PowerShell to run a remote PowerShell script.

T1204.001Malicious LinkEvidence1

MITRE ATT&CK Mapping Tactic Technique ID Implementation Execution User Execution: Malicious Link T1204.001 ClickFix/FakeCaptcha pages

T1204.002Malicious FileEvidence1

The RAR file contained the executable “Rechnung DE009100019000.exe”... When the .exe was executed, it sideloaded the included PYTHON27.DLL...

Persistence

1 technique

T1547.001Registry Run Keys / Startup FolderEvidence1

MITRE ATT&CK Mapping Tactic Technique ID Implementation Persistence Boot or Logon Autostart: Registry Run Keys T1547.001 HKCU...\CurrentVersion\Run

Privilege Escalation

1 technique

T1547.001Registry Run Keys / Startup FolderEvidence1

MITRE ATT&CK Mapping Tactic Technique ID Implementation Persistence Boot or Logon Autostart: Registry Run Keys T1547.001 HKCU...\CurrentVersion\Run

Stealth

3 techniques

T1027.002Software PackingEvidence2

MITRE ATT&CK Mapping ... Defense Evasion Obfuscated Files: Software Packing T1027.002 Donut + .NET Reactor + ZgRAT (three-layer packing)

T1036.005Match Legitimate Resource Name or LocationEvidence1

MITRE ATT&CK Mapping Tactic Technique ID Implementation Defense Evasion Masquerading: Match Legitimate Name T1036.005 msedge_elf.dll, libpsl-5.dll

T1497Virtualization/Sandbox EvasionEvidence1

MITRE ATT&CK Mapping Tactic Technique ID Implementation Defense Evasion Virtualization/Sandbox Evasion T1497 Benign API calls (catfact.ninja, httpbin.org) for timing

Credential Access

2 techniques

T1539Steal Web Session CookieEvidence1

According to Trellix's data, various malware families, including Agent Tesla, UmbralStealer, Stealerium, and zgRAT, have also used Discord webhooks over the past few years to steal sensitive information like credentials, browser cookies, and cryptocurrency wallets from compromised devices.

T1649Steal or Forge Authentication CertificatesEvidence1

Discovery

3 techniques

T1033System Owner/User DiscoveryEvidence1

MITRE ATT&CK Mapping Tactic Technique ID Implementation Discovery System Owner/User Discovery T1033 Username, admin status collection

T1082System Information DiscoveryEvidence1

MITRE ATT&CK Mapping Tactic Technique ID Implementation Discovery System Information Discovery T1082 PS1 fingerprinting (OS, model, AV products)

T1497Virtualization/Sandbox EvasionEvidence1

MITRE ATT&CK Mapping Tactic Technique ID Implementation Defense Evasion Virtualization/Sandbox Evasion T1497 Benign API calls (catfact.ninja, httpbin.org) for timing

Collection

1 technique

T1560Archive Collected DataEvidence1

If the target completed the ClickFix steps as instructed, a command was initiated to download a tar archive and run CastleLoader.

Command and Control

3 techniques

T1071.001Web ProtocolsEvidence1

MITRE ATT&CK Mapping Tactic Technique ID Implementation C2 Application Layer Protocol: Web T1071.001 HTTPS to asmweosiqsaaw[.]com

T1102Web ServiceEvidence1

MITRE ATT&CK Mapping Tactic Technique ID Implementation C2 Web Service T1102 Cloudflare-proxied C2

T1105Ingress Tool TransferEvidence6

If the operator adds loader URLs, the StealC clients (bots) that connect to the C2 server will be delivered one or more of these loader URLs. At this point, the StealC malware client will attempt to download and execute one of the payloads from the URLs provided by the server.

Exfiltration

2 techniques

T1041Exfiltration Over C2 ChannelEvidence1

MITRE ATT&CK Mapping Tactic Technique ID Implementation Exfiltration Exfiltration Over C2 Channel T1041 Via zgRAT C2 protocol

T1567Exfiltration Over Web ServiceEvidence1

Discord's permanent file hosting capabilities have frequently been misused to distribute malware and exfiltrate data gathered from compromised systems using webhooks.

INDICATORS OF COMPROMISE

IOCs tracked for this family

45 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

28 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

10 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other

7 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app4 months ago

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app

ibmNews

Jun 24, 2026

StealC you later: Proofpoint and IBM X-Force support Operation Endgame disruptions | IBM

A remote access trojan observed as a payload in StealC-related infection chains.

proofpointNews

Jun 23, 2026

StealC You Later: Proofpoint and IBM X-Force Support Operation Endgame Disruptions | Proofpoint US

zgRAT was observed as a payload delivered in StealC-related operations.

breakglass intelNews

Mar 12, 2026

ResolverRAT Bundles LummaStealer in a Triple-Encrypted .NET Loader: Five Linked Samples, Four C2 Servers, and a Fake Microsoft Domain - Breakglass Intelligence - Breakglass Intelligence

Crypter layer wrapping the .NET payload, providing obfuscation, string encryption, and anti-debugging as part of the multi-layer loader chain.

breakglass intelNews

Mar 12, 2026

Booking.com ClickFix Drops zgRAT via Stolen Dodo.com Wildcard Cert: Bulletproof Hosting, DLL Sideloading, and 14 Phishing Subdomains Targeting Hospitality - Breakglass Intelligence - Breakglass Intelligence

Remote access trojan delivered via PowerShell and DLL sideloading that provides persistent access, remote control, screen control, and credential theft from browsers and email clients.

+6 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching45

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping20

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.