ZLib is a full-featured backdoor that was used as a second-stage implant during Operation Dust Storm since at least 2014. ZLib is malware and should not be confused with the legitimate compression library from which its name is derived.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1560.002 | Archive Collected Data: Archive via Library | The ZLib backdoor compresses communications using the standard Zlib compression library.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | ZLib creates Registry keys to allow itself to run as various services.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | ZLib has sent data and files from a compromised host to its C2 servers.[1] |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.[1] |
| Enterprise | T1113 | Screen Capture | ZLib has the ability to obtain screenshots of the compromised system.[1] |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1007 | System Service Discovery | ZLib has the ability to discover and manipulate Windows services.[1] |
| ID | Name | Description |
|---|---|---|
| C0016 | Operation Dust Storm | |