ZLib is a full-featured backdoor that was used as a second-stage implant by Dust Storm from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived. [1]

ID: S0086
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | ZLib has the ability to execute shell commands. [1]
Enterprise | T1002 | Data Compressed | The ZLib backdoor compresses communications using the standard Zlib compression library. [1]
Enterprise | T1083 | File and Directory Discovery | ZLib has the ability to enumerate files and drives. [1]
Enterprise | T1036 | Masquerading | ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules. [1]
Enterprise | T1050 | New Service | ZLib creates Registry keys to allow itself to run as various services. [1]
Enterprise | T1105 | Remote File Copy | ZLib has the ability to download files. [1]
Enterprise | T1113 | Screen Capture | ZLib has the ability to obtain screenshots of the compromised system. [1]
Enterprise | T1071 | Standard Application Layer Protocol | ZLib communicates over HTTP for C2. [1]
Enterprise | T1082 | System Information Discovery | ZLib has the ability to enumerate system information. [1]
Enterprise | T1007 | System Service Discovery | ZLib has the ability to discover and manipulate Windows services. [1]


Groups that use this software:

Dust Storm