zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.[1]

ID: S0350
Platforms: Windows
Version: 2.0
Created: 30 January 2019
Last Modified: 22 September 2022

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

zwShell can launch command-line shells.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

zwShell has established persistence by adding itself as a new service.[1]

Enterprise T1083 File and Directory Discovery

zwShell can browse the file system.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots.[1]

Enterprise T1112 Modify Registry

zwShell can modify the Registry.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

zwShell has used RDP for lateral movement.[1]

.002 Remote Services: SMB/Windows Admin Shares

zwShell has been copied over network shares to move laterally.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

zwShell has used SchTasks for execution.[1]

Enterprise T1082 System Information Discovery

zwShell can obtain the victim PC name and OS version.[1]

Enterprise T1016 System Network Configuration Discovery

zwShell can obtain the victim IP address.[1]

Enterprise T1033 System Owner/User Discovery

zwShell can obtain the name of the logged-in user on the victim.[1]


ID Name Description
C0002 Night Dragon

During Night Dragon, threat actors used zwShell to generate Trojan variants, control victim machines, and exfiltrate data.[1]