ZeroT
ZeroT is a downloader used by a China-based espionage threat actor to install PlugX, observed in campaigns from at least summer 2016 through early 2017 targeting military and aerospace interests in Russia and Belarus. Proofpoint reported the group had previously used PlugX and NetTraveler and identified infrastructure overlaps between ZeroT and NetTraveler, including shared or related C2 domains such as www.tassnews[.]net, www.riaru[.]net, and www.versig[.]net. Later reporting also noted linkage between the ZeroT-related domain yandax[.]net and infrastructure associated with ShadowPad/Winnti activity.
Observed initial infection vectors included spear-phishing with Microsoft Compiled HTML Help (.chm) files, spear-phishing Word documents exploiting CVE-2012-0158, and RAR/RAR SFX archives. One documented CHM lure used Russian-language defense-themed content and dropped an embedded executable. In RAR SFX-based chains, a component named Go.exe performed a UAC bypass by abusing eventvwr.exe via registry modification to launch another binary, Zlh.exe, a legitimate signed Norman Safeground AS application used for DLL side-loading. The sideloaded malicious DLL was commonly named nflogger.dll and loaded an encrypted ZeroT payload often named NO.2.mui. Some ZeroT DLLs were packed with UPX.
Technically, ZeroT used junk code and dummy API calls for obfuscation. Its shellcode decrypted an RC4-encrypted payload, decompressed it with RtlDecompressBuffer, and tampered with PE header constants. ZeroT communicated with its command-and-control server over HTTP and used RC4 to encrypt both its configuration data and its beacon traffic. Reported protocol details include an initial beacon to index.php, an RC4-encrypted response using the static key "(^GF(9042&", and later RC4-encrypted POST beacons using the key "s2-18rg1-41g3j_.;". It used the fake User-Agent string "Mozilla/6.0 (compatible; MSIE 10.0; Windows NT 6.2; Tzcdrnt/6.0)"; the non-existent "Mozilla/6.0" token and the "Tzcdrnt" product name make this string a practical network indicator. ZeroT gathered victim information including the computer name, local IP address, language, domain, and Windows version, and sent it to its C2 server.
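As an added example, not code from the original reporting, the following Python decrypts a ZeroT POST beacon body with the published static RC4 key and flags the fake User-Agent string in proxy logs. The beacon plaintext layout, host values, hostnames and log lines are constructed for illustration; only the two RC4 keys, the index.php path and the User-Agent string come from the write-up above.

```python
"""Analyst helpers for ZeroT C2 traffic: RC4 decryption with the reported static
keys plus a User-Agent match over proxy logs. All sample data is constructed."""

# Static RC4 keys and fake User-Agent reported for ZeroT (values from the write-up).
INITIAL_RESPONSE_KEY = b"(^GF(9042&"
POST_BEACON_KEY = b"s2-18rg1-41g3j_.;"
ZEROT_USER_AGENT = "Mozilla/6.0 (compatible; MSIE 10.0; Windows NT 6.2; Tzcdrnt/6.0)"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Symmetric: one function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XOR with keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_self_test() -> bool:
    """Check the implementation against the published RC4 test vector Key/Plaintext."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def decrypt_post_beacon(body: bytes) -> bytes:
    """Recover the plaintext of a captured ZeroT POST beacon body."""
    return rc4(POST_BEACON_KEY, body)


def find_zerot_user_agent(log_lines) -> list:
    """Return proxy log lines carrying the exact fake User-Agent string."""
    return [line for line in log_lines if ZEROT_USER_AGENT in line]


# Constructed host-fingerprint plaintext: the real ZeroT field layout is not
# given above, so this stands in for a captured, RC4-encrypted POST body.
SAMPLE_PLAINTEXT = b"host=WS-07;ip=10.0.0.12;lang=ru-RU;domain=CORP;win=6.1"
SAMPLE_CAPTURED_BODY = rc4(POST_BEACON_KEY, SAMPLE_PLAINTEXT)

# Constructed proxy log lines: one ordinary browser hit, one carrying the ZeroT UA.
SAMPLE_PROXY_LOG = [
    '10.0.0.5 GET http://intranet.example/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.12 POST http://c2.example/index.php "' + ZEROT_USER_AGENT + '"',
]
```

Call `rc4_self_test()` before trusting any decryption, then feed a captured POST body to `decrypt_post_beacon`; the same `rc4` call with `INITIAL_RESPONSE_KEY` handles the first server response.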
ZeroT retrieved stage-two payloads primarily to deliver PlugX. In some cases, payloads were delivered directly as executables or RAR SFX archives; in others, ZeroT downloaded BMP files containing hidden payload data via LSB steganography. It also established persistence for PlugX by creating a Windows service for startup execution.
Groups observed using it
1 distinct threat actor attributed by public researchers.
In 2017, Proofpoint issued a report about attacks against targets in Russia and Belarus using ZeroT and PlugX.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
Persistence
1 technique
“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”
Privilege Escalation
2 techniques
“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”
"...has presented the user with a UAC prompt to elevate privileges..."; "...has bypassed UAC..."; "...bypass Windows UAC...execute the next payload with higher privileges."
Stealth
6 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
"Sandworm Team used UPX to pack a copy of Mimikatz"; "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium"; "Lazarus Group packed malicious .db files with Themida to evade detection."
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Discovery
3 techniques
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Examples include "Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found," "DropBook has checked for the presence of Arabic language," and "Maze has checked the language of the infected system using the GetUserDefaultUILanguage function."
Command and Control
4 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
"3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Backdoor/RAT referenced in related infrastructure/attribution discussion (TA459 reporting).
A malware family referenced as part of earlier attacks whose infrastructure showed indirect overlap with domains later associated with ShadowPad-related activity.
Downloader/loader used by a China-linked APT to gain execution via spearphishing (CHM droppers, and Word docs exploiting CVE-2012-0158), perform UAC bypass (eventvwr.exe registry hijack), sideload a malicious DLL to decrypt/decompress and run its payload, beacon over HTTP with RC4-encrypted tasking, fingerprint hosts, and retrieve stage-2 payloads (including via LSB-steganography in BMP images). Primarily used to deliver PlugX and establish persistence (service) for it.
Can bypass Windows UAC by leveraging eventvwr.exe to execute a malicious file.