ZLoader Returns Through Spelevo Exploit Kit & Phishing Campaign

Exploit kits (EKs) dominated the cybersecurity industry in 2018 and 2019. These kits were the major, initial infection methods used by hackers to carry out major malware campaigns or advanced persistent threat (APT) attacks.  

In 2020, EKs were not considered a potential threat vector for client-side attacks because phishing attacks and other social engineering attacks emerged as the significant threat vector. Based on Cyble’s research, we have found that the recent Spelevo EK targeted the vulnerabilities in Internet Explorer and Flash Player. 

In the past, the Spelevo EK was found to be delivering payloads such as Ursnif and Qakbot. In a recent campaign in March 2021, we observed the same EK delivering ZLoader payload files. The Spelevo EK campaign was seen to be targeting US users with the flash vulnerability. The initial findings can be attributed to Malware Traffic Analysis. The image below showcases the popular PopCash site, compromised by EK and redirecting to a landing page. 

After successful redirection to the landing page, the malicious flash file is dropped on the victim machine based on client vulnerability. The landing page script and flash file delivery are shown below. 

Upon execution of the malicious flash file, it drops and executes the ZLoader payload on the victim’s machine. The image below showcases the decompiled malicious flash file.  

After exploitation, Spelevo EK redirects the user to google.com, typically after a 60-seconds delay, and the code snippet for the same is shown below. 

Spear phishing delivers ZLoader: 

ZLoader also targets users through phishing campaigns with maliciously crafted MS Office attachments. As showcased in the image below, we discovered this campaign to be circulating as a compensation claim.  

Upon execution of the malicious macro, it downloads and executes the payload on the victim machine. The attachment also displays a Security Warning that urges the user to enable macros.  

The following Wireshark capture showcases the payload delivery on the victim machine. 

Technical analysis of the payload:  

The payload file that we have analysed is:  SHA256:”9ef6c5467fd80274e6a37e2883a5e83a894cf2148ce37bf0adb1e884acbc4c0b”  

It is a VC compiled malware COM DLL file with multiple exports. The following image shows the malware payload file with its export functions. 

ZLoader has many anti-debugging, evasion techniques and does process injection. The malware uses other techniques such as custom encrypted network communication and Domain Generating Algorithm (DGA) for command-and-control (C&C) domains etc.  

ZLoader is notable variant of the Zeus banking malware which was identified in 2006. This banking malware typically targets users to steal credentials and other sensitive financial information. Finally, with these stolen credentials threat actors can perform illicit financial transactions from the victim’s banking account by logging into their devices. It has been observed that after a few months’ break, the same malware campaign reappears with different Tactics, Techniques, and Procedures (TTPs). 

Cyble will continue to track these new malware activities to collect advanced threat intelligence related to the campaign.  


Initial Access  Persistence Privilege Escalation Defence Evasion  Credential Access  Discovery Collection Command and Control 
Phishing: Spearphishing Attachment DLL Side-Loading Process Injection  Masquerading  
Input Capture  
Security Software Discovery  
Input Capture  
Encrypted Channel 
Driver-by Compromise   DLL Side-Loading Process Injection  Process Discovery Archive Collected Data Non-Application Layer Protocol 
   Obfuscated Files or Information  System Information Discovery  Application Layer Protocol 
   DLL Side-Loading  File and Directory Discovery   

Indicators of Compromise (IoCs): 


SHA256 Type Malware 
f8ba1699d9c63a2bcdb4fe48cd229074e2ab87512891d6c6adff6bd838847c11 f5493ea3f2e6b61670be5ec8fcf6951f425476db2a5fe8c18ecd07ee782b5204 1f20001d975b1d7f7700fa0b6c45cfed6e5655658fd4271ec48e41ebbf4c58c5 489feb09e7b98fdc6529b1e49278f3a5364a656f7dd6417a791cd6ef7a5a8059 82108dcb026cb9be07d005a1132885172d1d645649c93b10d45a89f4580c80cd ec84ae3a06201d199b499661297fc24df937c6ce7473f5f13c9ec3b7394d956e 93cbd9fef7c99ec6d1676a8c594b448a9fe30594e044a2901e1d4ea6abf36375 7a0d186b3b4eca994f3d0c58f804c21c9ee8c4a1b49f421e1d5dd7badfacb112 4df52d9310aaf8d5b861c6a2cede6e03e72c3159bd3deceed74fc3438e4b8bc3 f06a0e0b576dccb87e429f907ce89937928cb8d5061108d22b5d63bb56223899 af35bc550364913f7e82ac1467144e8227e124cc209176e303106834618c38f6 1723124d4e83f05a121e32841bcb751bf28fcf88dc4c8a1f2c1bb0c32c47350e 52d09a8ef8f782c8f153c196b3f1388992ce6fbb12a5d853fbf9fdd4e8a674d4 8c8a8df603ced4ed66d0e0193018e8f391ab4bcc0eaf78085ed71771403ba735 d71a7dff1625c74d51048aaaa3b3edd79284f809558428bc9d8c8dadfaba6063 89995646cb71f2bc023dfb7f1d3a481da3320e0cb34de7fbef15cec081c5080d 04ab068d0ea6898eb9dcc34b2c6dd340c94154c57c51c269e2dabe89211fd077 5a8eee9529bf64f9e25ac4a3fe0879f79233cb83d9e31fd32068017307aecb14 0e8d6601980bc18d8a61f067dcb40c0e6f7028b74f59abee13da7bb4edede2c1 e31b461b6a9caa1a99bc6118884fa971c7cb5e12401ce08f7112f08941596276 cb219dd9ddb0756445fa71d099fa2c64a88c43eef64485ede28e1ee3c35a1530 23dec3965fa84f2a28ca02d26700cffd98c38fb3e6c752c8abf0160314755718 c452502c9f82bee0a6fd0bdef4938cd94820bd4b281bc41145b3933db56169c5 5a0474a2b9b8fce49fd5b58142a17657fd7f657b8124fd8adccacfb845eff042 7feb627baf29005af5676b3f473981b876d23eebfde252a657669b173ed702e5 ac4a4fb192de6162154bc7ec120f865802e18a7ea13492e8e48b79aeeb39ff7d e99d77d8624d1ff729b26cf95c11b353bab0290cfe54c02976b7d8ca0e60d5a2 7bdabf55709b4bcdaa858dc1f5af67e42c1247e41d231b79651911156bbb39ca 3d9d8201a8fdbee470ac03e69ab0bc2585db22164796f8449e92af08a55eed33 39f33286f23561fc9422c4f9420e4ff469789118811bc0746fac98f0c5f30de3 a8c29216ec4a7e60def482937d90fdb3eb36b4c3c98becb67dd4ea83eac203c9 d496cd48a29b337cd847212de791fdc7109eb62261b5f3b43051773582de983b 5713ff019a73cc3a6a4e26134fb6b591b65ea7d1216d0f7ee58cf7cc422ac5ce c85a6bc1eb5573ca2c7edd6590c69385954502021f74a93e8f0656c97301d547 671db28ddb45e383ff70f91e4a34a0e6c32117140505bfd6ba5cf15b579effcd 180cccc2e51d3bf7de314401b945138263149da8712f7b3924a2ae66ee90dbed xlsx file MSExcel/ZLoader 
fbc4ff74fc7ee03fd3c451b6f20a820cb7bea5dbef4efa19aa567f6bfae58d48  Malicious Flash file Exploit.SWF 
9ef6c5467fd80274e6a37e2883a5e83a894cf2148ce37bf0adb1e884acbc4c0b ce9d8545eb14f98f81526457b784ada2e37057dae2d74f625e47b4ed10549397 b250b1ccb8194ce1ccc86b4a88bd7279f6804fac990758e95d203fdd1d97dcc2 eb12afe158fd7f4236a98c7c6b686dfe9838c3d986c28b593a54303c68534661 9ef6c5467fd80274e6a37e2883a5e83a894cf2148ce37bf0adb1e884acbc4c0b ce1eea0c7412213542f7ef19abb861de203ead8f92ac28825958787c8002c625 59fc347dac3dd1c78d62393589818b5417ca041d697d155040988b14562bc797 1d4a08313417977219d5f36679d775f3314b675b20e0202ba2e064a654348647 b70f6b2942fcd266a4fed8283cea70f57fc07e2894d348260372aa56d9e17d1b e4dc58943d74e0b9c3d37c8c096d341fbe80748ca7661e73cce66084e05412be 1f48bd51b131fb3a35c43343a047e37cd830567b43250d5369930be91ee00080 fd03251ac200b55685a961fefe0ca893c749f785c4347ab0f2f168866011e510 87f63627eeb82274a1fcc29a0009555221faccc9ea9d18784aadb4e0485eafc6 e084547248fa0dff79e2187cc90aeac379aaa22c7bedcc65c43d0e63d4867b0a 56c26ed446ff536e676969a770d3ca72bd5bb1faf20aa64ecb559cbaab4d36d2 d289d95b804cc3fc00894586e06a40026c4a3499391c2f01b205459b1138525d 02055320bbe1ef2d0fae4e38af054b2d6b96ece974d9641b165dbd9dad6f5a16 f5b0a1a41ee9205e37e3323890277bdda772aa8c5c0d01f7a99f5001c5ab9b01 f0e036d0befc2ce1fce4f64f43a862a3164c3a364a3ed7bb2db4a5d62928ebf5 25a36bfc968df7220b1cacfc3c33d119cb1afa661102f89b7c2546e78eab5860 4c554b964b9a4b076262805de7183221d9c876bdfff7ab5336f8cdb63348f0ef Payload file Trojan.ZLoader  
hxxp://195.123.208[.]172/44300,5396033565[.]dat/  URL  Payload download link.  
31f81d3319ad104bcd6afcc114c5d2de073af83feb5db8f187af79a09d930599  Html Exploit.Script.Generic 

Our Recommendations:  

  • Block the IoCs shared above.  
  • We encourage our customers to conduct investigations and implement proactive measures for identifying previous campaigns and preventing future ones that may target their systems.  
  • Use strong passwords and enforce multi-factor authentication wherever possible.  
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.  
  • People concerned about their exposure in the Dark web can register at AmiBreached.com to ascertain their exposure.  
  • Refrain from opening untrusted links and email attachments without verifying their authenticity. 

About Cyble: 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com

Recent Blogs


Cyble analyzes BATLoader – A sophisticated loader being utilized by Threat Actors to deliver several malware families.

Read More »

Cyble Research & Intelligence Labs analyzes new strategies deployed by Qakbot to infect users via Microsoft OneNote.

Read More »
Scroll to Top