S0086 ZLib

ZLib is a full-featured backdoor that was used as a second-stage implant during Operation Dust Storm since at least 2014. ZLib is malware and should not be confused with the legitimate compression library from which its name is derived.[1]

| Item | Value |
|---|---|
| ID | S0086 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 31 May 2017 |
| Last Modified | 30 September 2022 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ZLib communicates over HTTP for C2.[1] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.002 | Archive via Library | The ZLib backdoor compresses communications using the standard Zlib compression library.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | ZLib has the ability to execute shell commands.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | ZLib creates Registry keys to allow itself to run as various services.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | ZLib has sent data and files from a compromised host to its C2 servers.[1] |
| enterprise | T1083 | File and Directory Discovery | ZLib has the ability to enumerate files and drives.[1] |
| enterprise | T1105 | Ingress Tool Transfer | ZLib has the ability to download files.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.[1] |
| enterprise | T1113 | Screen Capture | ZLib has the ability to obtain screenshots of the compromised system.[1] |
| enterprise | T1082 | System Information Discovery | ZLib has the ability to enumerate system information.[1] |
| enterprise | T1007 | System Service Discovery | ZLib has the ability to discover and manipulate Windows services.[1] |

References