Technical Analysis of Zloader Updates
Sept. 22, 2025, 9:14 p.m.
Description
Recent versions of Zloader, a Zeus-based modular trojan, have introduced significant enhancements to its functionality. These updates include improved obfuscation techniques, anti-analysis strategies, and network communication methods. The malware now supports WebSockets and has modified its DNS tunneling protocol, replacing TLS encryption with a custom algorithm. New LDAP functions have been added to improve network discovery and lateral movement capabilities. Zloader continues to evolve its evasion tactics, including checks for process integrity levels to avoid detection in sandbox environments. The malware has also removed its Domain Generation Algorithm and made changes to its static configuration format. These updates demonstrate Zloader's ongoing development as a sophisticated tool for initial access and potential ransomware deployment.
Date
- Created: Sept. 22, 2025, 7:40 p.m.
- Published: Sept. 22, 2025, 7:40 p.m.
- Modified: Sept. 22, 2025, 9:14 p.m.