Skip to content

S0086 ZLib

ZLib is a full-featured backdoor that was used as a second-stage implant by Dust Storm from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived. 1

Item Value
ID S0086
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 19 January 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols ZLib communicates over HTTP for C2.1
enterprise T1560 Archive Collected Data -
enterprise T1560.002 Archive via Library The ZLib backdoor compresses communications using the standard Zlib compression library.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell ZLib has the ability to execute shell commands.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service ZLib creates Registry keys to allow itself to run as various services.1
enterprise T1083 File and Directory Discovery ZLib has the ability to enumerate files and drives.1
enterprise T1105 Ingress Tool Transfer ZLib has the ability to download files.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.1
enterprise T1113 Screen Capture ZLib has the ability to obtain screenshots of the compromised system.1
enterprise T1082 System Information Discovery ZLib has the ability to enumerate system information.1
enterprise T1007 System Service Discovery ZLib has the ability to discover and manipulate Windows services.1

Groups That Use This Software

ID Name References
G0031 Dust Storm 1


Back to top