Zingdoor
ZingDoor is an HTTP backdoor written in Go. It has been described as a DLL-based malware family and was first publicly disclosed by Trend Micro in 2023, with development activity noted as early as June 2022. The malware is heavily obfuscated, including UPX packing with the UPX header modified from "UPX!" to "MSE!" to hinder unpacking. It has been observed disguised as mpclient.dll and executed via DLL sideloading, including abuse of the Windows Defender binary MsSecEs.exe; reporting also notes sideloading with a legitimate Trend Micro binary in later intrusions. ZingDoor can collect system information, enumerate Windows services, upload, download, and enumerate files, and execute arbitrary commands. It has been observed establishing persistence via a Windows service named "MsSecEsSvc."
ZingDoor has been associated with China-linked espionage activity and has repeatedly been linked to Earth Estries, also known as Glowworm and FamousSparrow. It has also been reported in activity tracked as UAT-8302, a China-nexus threat cluster, including cases where it was deployed together with SNAPPYBEE/Deed RAT. Symantec reporting tied ZingDoor to overlap among Chinese APT operations alongside ShadowPad and KrustyLoader.
Observed victimology in the provided reporting includes government entities, telecoms, universities, and technology-sector organizations across Africa, the Middle East, South America, southeastern Europe, the United States, and other regions. In 2025, ZingDoor was deployed after exploitation of the SharePoint ToolShell vulnerability (CVE-2025-53770) against a Middle Eastern telecom and government departments in Africa, and it was also found in broader intrusions affecting additional government and academic targets. Other reporting places it in long-term espionage campaigns against government and technology organizations, with operators using DLL sideloading, internal proxy routing, credential theft, reconnaissance, and lateral movement to maintain stealthy access.
High-confidence indicators and artifacts directly mentioned in the content include the filename mpclient.dll and the Windows service name MsSecEsSvc, as well as execution via the sideloading host MsSecEs.exe.
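The artifacts above suggest two cheap triage checks a defender can script: a packed PE whose section table still carries the UPX layout but whose pack-header magic reads "MSE!" rather than "UPX!", and host events that pair the MsSecEsSvc service name or an mpclient.dll load into MsSecEs.exe from an unexpected directory. The following is an added example, not code from Mallory or from any of the vendor reports it cites. The PE buffer and the event records are constructed inline, and EXPECTED_DLL_DIR is an assumed placeholder for where the legitimate copy of mpclient.dll lives on the monitored host.

```python
"""Triage helpers for the ZingDoor artifacts described above (added example)."""
import struct

UPX_MAGIC = b"UPX!"
TAMPERED_MAGIC = b"MSE!"  # magic rewritten in reported ZingDoor samples
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

SUSPECT_SERVICE = "MsSecEsSvc"
SUSPECT_DLL = "mpclient.dll"
SIDELOAD_HOST = "MsSecEs.exe"
# Assumption (placeholder): directory where the legitimate mpclient.dll is
# expected on the monitored host; adjust to the build you actually run.
EXPECTED_DLL_DIR = "c:\\program files\\windows defender\\"


def pe_section_names(data: bytes) -> list:
    """Parse the COFF section table and return the raw section names ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                   # one IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def classify_packer(data: bytes) -> str:
    """'upx', 'upx-tampered', 'upx-unknown-magic' or 'none'."""
    upx_layout = bool(set(pe_section_names(data)) & UPX_SECTION_NAMES)
    if UPX_MAGIC in data:
        return "upx"
    if upx_layout and TAMPERED_MAGIC in data:
        return "upx-tampered"
    if upx_layout:
        return "upx-unknown-magic"
    return "none"


def restore_upx_magic(data: bytes) -> bytes:
    """Put the stock magic back so a standard UPX tool can unpack the sample for analysis."""
    return data.replace(TAMPERED_MAGIC, UPX_MAGIC)


def build_test_pe(magic: bytes, section_names) -> bytes:
    """Constructed minimal PE skeleton (not a real sample): DOS stub, COFF header,
    zeroed optional header, section table, then a fake pack header carrying `magic`."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + b"\0" * opt_size + sections + b"\0" * 16 + magic + b"\0" * 16


def hunt_events(events):
    """Flag MsSecEsSvc service installs and mpclient.dll loads into MsSecEs.exe that
    come from outside EXPECTED_DLL_DIR. Returns a list of (reason, event)."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "service_install" and ev.get("name", "").lower() == SUSPECT_SERVICE.lower():
            hits.append(("service-name", ev))
        elif kind == "image_load":
            image = ev.get("image", "").lower()
            proc = ev.get("process", "").lower()
            if (image.endswith("\\" + SUSPECT_DLL) and proc.endswith("\\" + SIDELOAD_HOST.lower())
                    and not image.startswith(EXPECTED_DLL_DIR)):
                hits.append(("sideload", ev))
    return hits


SAMPLE_EVENTS = [  # constructed records, not taken from any real host
    {"type": "service_install", "name": "MsSecEsSvc", "path": "c:\\users\\public\\MsSecEs.exe"},
    {"type": "image_load", "process": "c:\\users\\public\\MsSecEs.exe",
     "image": "c:\\users\\public\\mpclient.dll"},
    {"type": "image_load", "process": "c:\\program files\\windows defender\\MsSecEs.exe",
     "image": "c:\\program files\\windows defender\\mpclient.dll"},
    {"type": "service_install", "name": "Spooler", "path": "c:\\windows\\system32\\spoolsv.exe"},
]

if __name__ == "__main__":
    sample = build_test_pe(TAMPERED_MAGIC, [b"UPX0", b"UPX1"])
    print(classify_packer(sample), "->", classify_packer(restore_upx_magic(sample)))
    for reason, ev in hunt_events(SAMPLE_EVENTS):
        print(reason, ev)
```

The packer check deliberately requires the UPX section layout before calling a stray "MSE!" string a tampered header, since those four bytes can occur in benign files; on a real sample you would confirm by restoring the magic and attempting a normal UPX decompression.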
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
Zingdoor, which was deployed on the networks of all three organizations, has in the past been associated with the Chinese group Glowworm (aka Earth Estries, FamousSparrow).
China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East shortly after the vulnerability was publicly revealed and patched in July 2025... ToolShell affects on-premise SharePoint servers and gives an attacker unauthenticated access to vulnerable servers, allowing them to remotely execute code and access all content and file systems.
Groups observed using it
3 distinct threat actors attributed by public researchers.
Zingdoor, which was deployed on the networks of all three organizations, has in the past been associated with the Chinese group Glowworm (aka Earth Estries, FamousSparrow).
In one documented intrusion, the group also deployed SNAPPYBEE and ZingDoor together, a tactic independently highlighted by Trend Micro in 2024 reporting on similar China-linked activity.
Deed RAT (aka Snappybee), a successor of ShadowPad, and Zingdoor, both of which have been deployed by Earth Estries in late 2024.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
"We found Earth Estries compromising existing accounts with administrative privileges after it successfully infected one of the organization's internal servers."
China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East shortly after the vulnerability was publicly revealed and patched in July 2025... In these attacks, the attackers used other vulnerabilities for initial access and exploited SQL servers and Apache HTTP servers running the Adobe ColdFusion software to deliver their malware.
Execution
3 techniques
"Through the Server Message Block (SMB) and WMI command line (WMIC), the threat actors propagated backdoors and hacking tools..."
Zingdoor can collect system information, upload and download files, and run arbitrary commands on compromised networks.
"Shell: Launches an interactive command shell." / "CMD: Executes a command via cmd"
Persistence
2 techniques
"We found Earth Estries compromising existing accounts with administrative privileges after it successfully infected one of the organization's internal servers."
Privilege Escalation
2 techniques
"We found Earth Estries compromising existing accounts with administrative privileges after it successfully infected one of the organization's internal servers."
Stealth
3 techniques
"Zingdoor is packed using UPX and heavily obfuscated..." / "TrillClient... heavily obfuscated... for anti-analysis."
"threat actors regularly cleaned their existing backdoor after finishing each round of operation and redeployed a new piece of malware..."
Discovery
2 techniques
Lateral Movement
1 technique
"Through the Server Message Block (SMB) and WMI command line (WMIC), the threat actors propagated backdoors and hacking tools in other machines..."
Command and Control
2 techniques
"Zingdoor is a new HTTP backdoor..." / "HemiGate communicates to its C&C server over port 443... Communication... using POST method"
"By installing Cobalt Strike on the system, the actors behind Earth Estries were able to deploy more pieces of malware..."
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Backdoor used together with SNAPPYBEE in a documented intrusion tied to UAT-8302.
Backdoor malware deployed by Earth Estries.
A DLL-based malware family used by UAT-8302, often in conjunction with SNAPPYBEE/DeedRAT. It has also been observed following exploitation activity in 2025.
Backdoor deployed after exploitation of a SharePoint vulnerability, used in intrusions against telecom and government targets; historically associated with the China-nexus cluster Glowworm/Earth Estries/FamousSparrow per the cited reporting.