Example Zloader attack chain | Image: Zscaler ThreatLabz
After nearly two years of silence, Zloader (a.k.a. Terdot, DELoader, or Silent Night) has returned with new versions featuring enhanced anti-analysis, obfuscation, and command-and-control (C2) capabilities. Researchers at Zscaler ThreatLabz warn that the malware is no longer just a banking trojan but a modular platform for ransomware operators.
According to the report, “Zloader was originally designed to facilitate banking, but has since been repurposed for initial access, providing an entry point into corporate environments for the deployment of ransomware.”
Zloader is based on the leaked Zeus source code from 2015, and like its predecessor, it continues to adapt.
ThreatLabz highlights that, “Zloader 2.13.7.0 includes improvements and updates to the custom DNS tunnel protocol for command-and-control (C2) communications, along with added support for WebSockets.”
These updates are not cosmetic — they are designed to bypass modern detection methods while maintaining persistence in high-value networks.
The new versions demonstrate advanced sandbox evasion. Earlier Zloader builds would only execute if run under a hardcoded filename; the new builds relax this requirement: “the malware author introduced two new generic filenames to allow the threat actors… more flexibility. These two generic filenames are Updater.exe and Updater.dll.”
Zloader also employs multi-layer obfuscation, including XOR-based integer decoding, and even checks the Windows integrity level of its own process. The malware exits if it is running at high integrity (administrator-level execution), a clever trick since many sandboxes run samples with admin privileges.
Beyond stealth, Zloader’s interactive shell has been upgraded to assist attackers in network discovery and lateral movement.
The report notes, “The latest version of Zloader adds a new set of LDAP functions to improve network discovery and expand lateral movement capabilities.”
These LDAP commands allow attackers to bind to directory servers, query users and attributes, and move deeper into enterprise environments.
One of the most significant changes lies in Zloader’s C2 communication.
- The malware has dropped its old Domain Generation Algorithm (DGA).
- Instead of carrying TLS payloads inside DNS queries, it now encodes C2 data with Base32 layered with a custom algorithm, so the traffic blends in with normal DNS.
- To further evade detection, Zloader added WebSocket support, allowing attackers to hide malicious traffic inside what looks like legitimate web connections.
ThreatLabz explains, “The introduction of WebSockets in Zloader may be designed to further blend in with legitimate web-based traffic to bypass network-based detections.”
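The DNS-tunnel change above is the one a network defender can most directly act on. As an added example (not Zscaler's code or anything from the report), here is a small Python detector run over a constructed resolver log: it flags query names whose leading labels are long, consist only of the Base32 alphabet and have high entropy, then reports zones that receive several such distinct queries. The zone split (last two labels), the thresholds and the sample domains are assumptions for the demo; Zloader's custom layer on top of Base32 means the exact label shape may differ, so the thresholds should be tuned against your own traffic.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not real Zloader traffic): "timestamp client query_name".
# The queries under tunnel-example.net carry long Base32-looking labels; the rest are benign.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com
2024-01-01T10:00:02 10.0.0.5 mail.example.com
2024-01-01T10:00:03 10.0.0.7 MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43U.ORSXG5DJNZTQ.tunnel-example.net
2024-01-01T10:00:04 10.0.0.5 a1b2c3d4-e5f6-7890-abcd-ef1234567890.cdn-example.com
2024-01-01T10:00:05 10.0.0.7 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ.ORSXG5DJNZTQ.tunnel-example.net
2024-01-01T10:00:06 10.0.0.7 OVZXEYLMNRSWY33SNFXGS5DPNFXHIZLS.ORSXG5DJNZTQ.tunnel-example.net
2024-01-01T10:00:07 10.0.0.5 cdn.example.com
"""

BASE32_ALPHABET = re.compile(r"^[A-Z2-7]+$")  # RFC 4648 Base32; input is upper-cased first


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname: str, zone_labels: int = 2):
    """Split a query name into (payload, zone).

    Assumption for the demo: the zone is the last `zone_labels` labels and every
    label in front of it is potential tunnel payload. A real deployment would use
    the public suffix list to find the registrable domain instead.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) <= zone_labels:
        return "", qname
    return "".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def looks_like_base32_payload(payload: str, min_len: int = 24, min_entropy: float = 3.0) -> bool:
    """True if payload is long, drawn only from the Base32 alphabet, and high-entropy.

    Each check alone is noisy: 'www' is pure Base32 alphabet, and a UUID-style
    label is long and high-entropy but contains characters outside the alphabet.
    """
    p = payload.upper()
    return (len(p) >= min_len
            and BASE32_ALPHABET.match(p) is not None
            and shannon_entropy(p) >= min_entropy)


def parse_log(text: str):
    """Yield (timestamp, client, qname) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]


def find_tunnel_zones(text: str, min_queries: int = 3):
    """Return {zone: [suspicious qnames]} for zones with at least min_queries hits.

    Requiring several distinct Base32-looking queries to the same zone is what
    separates a tunnel (many unique subdomains) from a one-off odd hostname.
    """
    hits = defaultdict(set)
    for _ts, _client, qname in parse_log(text):
        payload, zone = split_query(qname)
        if looks_like_base32_payload(payload):
            hits[zone].add(qname)
    return {zone: sorted(names) for zone, names in hits.items() if len(names) >= min_queries}


if __name__ == "__main__":
    for zone, names in find_tunnel_zones(SAMPLE_LOG).items():
        print(f"possible DNS tunnel zone: {zone}")
        for name in names:
            print("   ", name)
```

On the constructed log only tunnel-example.net is reported: the UUID-style label under cdn-example.com fails the alphabet check and the short hostnames fail the length check. Pairing this with the per-zone volume and unique-subdomain counts your resolver already exports is what makes it usable at scale.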
Unlike commodity malware that spreads indiscriminately, Zloader is now used in highly targeted intrusions.
The researchers emphasize, “Zloader continues to be deployed only at a small number of entities rather than being spread indiscriminately. As a result of this targeted approach, Zloader samples are not frequently observed in the wild.”
This suggests that Zloader is increasingly aligned with initial access broker (IAB) operations, paving the way for ransomware groups.