Register to stream ATT&CKcon 2.0 October 29-30


ZLib is a full-featured backdoor that was used as a second-stage implant by Dust Storm from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived. [1]

ID: S0086
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface ZLib has the ability to execute shell commands. [1]
Enterprise T1002 Data Compressed The ZLib backdoor compresses communications using the standard Zlib compression library. [1]
Enterprise T1083 File and Directory Discovery ZLib has the ability to enumerate files and drives. [1]
Enterprise T1036 Masquerading ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules. [1]
Enterprise T1050 New Service ZLib creates Registry keys to allow itself to run as various services. [1]
Enterprise T1105 Remote File Copy ZLib has the ability to download files. [1]
Enterprise T1113 Screen Capture ZLib has the ability to obtain screenshots of the compromised system. [1]
Enterprise T1071 Standard Application Layer Protocol ZLib communicates over HTTP for C2. [1]
Enterprise T1082 System Information Discovery ZLib has the ability to enumerate system information. [1]
Enterprise T1007 System Service Discovery ZLib has the ability to discover and manipulate Windows services. [1]

Groups That Use This Software

ID Name References
G0031 Dust Storm [1]