The PolySwarm Blog


New Zloader Variant Discovered

Feb 9, 2024 1:16:59 PM / by The Hivemind

Related Families: ZeuS

Executive Summary

A new variant of the modular trojan Zloader was recently identified. The new variant has been in development since September 2023.

Key Takeaways

  • A new variant of Zloader was recently identified.
  • Zloader is a modular trojan that is an offshoot of ZeuS.
  • The new Zloader variant has multiple upgrades, including new obfuscation techniques, an updated DGA, and use of encrypted C2 communication.
  • The new Zloader variant has native support for 64-bit versions of Windows.

What is Zloader?

Zscaler recently reported on a newly discovered Zloader variant. Zloader, also known as Terdot, DELoader, and Silent Night, is a modular trojan that is an offshoot of ZeuS. ZeuS is known as one of the most notorious banking trojans to date. Zloader is usually distributed via phishing campaigns or malicious ads.

Zloader was first used in the wild as early as 2015 but gained recognition when it was used in a 2016 campaign targeting German financial institutions. Zloader, under the name Silent Night, was originally offered for sale on a Russian malware forum by the user Axe, who was previously known for the Axebot malware. In 2018, Zloader took a brief hiatus before reemerging in late 2019.

In 2021, a new version of Zloader was observed in the wild. Following an April 2022 takedown, Zloader again seemed to fade into oblivion. However, another new Zloader variant recently emerged. Zscaler analysts note development on the new variant appears to have started in September 2023.

The new Zloader variant includes several changes, such as new obfuscation techniques, an updated DGA, and the use of RSA encryption for C2 communication. It employs several anti-analysis techniques, including API import hashing, junk code, filename checks, and string obfuscation. Additionally, Zloader now has native support for 64-bit versions of Windows. The versions analyzed by Zscaler include version and version
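Of the anti-analysis techniques listed above, API import hashing is the one an analyst meets first: the sample stores 32-bit hashes of export names instead of the names themselves, so static tools see no imports. The defender-side counterpart is to precompute hashes for the exports you expect and map constants found in the sample back to names. The Python below is an added illustration of that resolver; it is not code from this post, from Zscaler's write-up, or from Zloader itself. The ROR-13 additive hash is an assumption chosen for illustration, since the page does not state which algorithm Zloader uses, and the API list and byte blob are constructed inputs.

```python
import struct

# Constructed list of export names an analyst would seed the table with;
# in practice this comes from the export tables of the DLLs of interest.
KNOWN_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileW", "WriteFile", "CreateThread", "ExitProcess",
]


def ror32(value, count):
    """Rotate a 32-bit value right by count bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def api_hash(name):
    """Assumed ROR-13 additive hash (illustrative; not Zloader's actual scheme)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


def build_lookup(names=KNOWN_APIS):
    """Precompute hash -> name for every known export."""
    return {api_hash(n): n for n in names}


def resolve_hashes(hashes, lookup):
    """Map observed hash constants back to names; unknown hashes stay flagged."""
    return {h: lookup.get(h, "<unresolved>") for h in hashes}


def find_hashes_in_blob(blob, lookup):
    """Scan every byte offset for a little-endian 32-bit value that matches a known hash."""
    hits = []
    for off in range(len(blob) - 3):
        value = struct.unpack_from("<I", blob, off)[0]
        if value in lookup:
            hits.append((off, lookup[value]))
    return hits


# Constructed stand-in for a code/data region of a sample holding two hash constants.
SAMPLE_BLOB = (
    b"\x90\x90"
    + struct.pack("<I", api_hash("LoadLibraryA"))
    + b"\xcc"
    + struct.pack("<I", api_hash("GetProcAddress"))
)

if __name__ == "__main__":
    table = build_lookup()
    for off, name in find_hashes_in_blob(SAMPLE_BLOB, table):
        print(f"offset {off:#x}: {name}")
```

When a family's real hash routine is recovered from the unpacked code, only api_hash changes; the lookup and scan stay the same, which is why analysts keep per-family hash tables rather than per-sample ones. Unresolved hashes are worth keeping in the output, since they usually point at DLLs not yet added to the seed list.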

Zscaler analysts noted that all the analyzed samples use the same public RSA key, likely indicating that only one threat actor is currently using the new Zloader variant.


PolySwarm has multiple samples of the new Zloader variant.

You can use the following CLI command to search for all Zloader samples in our portal:

$ polyswarm link list -f Zloader


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.



Topics: Threat Bulletin, Windows, Trojan, Zloader, ZeuS, 64-bit

The Hivemind

Written by The Hivemind
