CTI Roundup: Seasonal Phishing, Zloader, and Secret Blizzard
Threat actors impersonate HR in seasonal phishing campaign, Zloader receives new features and capabilities, and new details emerge about Secret Blizzard
This week, CTI shares details of a phishing campaign that lured employees with a message from HR containing a fake mandatory leave notice. Next up, CTI looks at the latest version of Zloader and its most recent updates. Finally, CTI provides the latest details about the Russian nation-state actor known as Secret Blizzard.
Threat actors impersonate HR in phishing campaign
Cofense recently intercepted a phishing email that pretended to come from the human resources department of an organization. The email, which contains a fake mandatory leave notice, attempts to trick victims into clicking a malicious link that downloads the FormBook malware.
Technical details
- According to Cofense, 55 out of 72 vendors on VirusTotal flagged the malware sample as malicious. These vendors identify the sample as either an AutoIt injector or FormBook malware.
- After the victim clicks on the malicious link in the email, a .zip file downloads into their default downloads directory. The file uses a double extension (.xls.zip) to trick the victim into thinking it is simply a spreadsheet of details they should open.
- The .zip file contains an AutoIt-compiled executable. The sample uses AutoIt as the parent process to inject a script into the target process.
- In the case analyzed by Cofense, the targeted process was UtilMan.exe. This is then used to run the FormBook malware in memory.
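The chain above leaves two artifacts a defender can look for without any malware-specific signature: a document-looking double extension on the downloaded file, and a system binary (UtilMan.exe) being spawned by an AutoIt-compiled executable rather than by its normal parent. The following is an added example, not code from Cofense or Tanium. It runs over a handful of constructed endpoint events shaped loosely like Sysmon FileCreate and ProcessCreate records; the field names, the "AutoIt v3 Script" file-description check and the winlogon.exe-as-expected-parent rule are assumptions made here, not indicators taken from the article.

```python
"""Detection heuristics for the HR-lure FormBook chain described above (added example)."""
import re

# Extensions a user would expect to open as a document, and the wrapper/executable
# extensions that turn "<name>.<doc>.<wrapper>" into a double-extension lure.
DOCUMENT_EXTS = {"xls", "xlsx", "doc", "docx", "pdf", "csv"}
WRAPPER_EXTS = {"zip", "rar", "7z", "exe", "scr", "js", "iso"}

# Matches the last two dot-separated suffixes of a filename, e.g. ".xls.zip".
DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]{1,5})\.([A-Za-z0-9]{1,4})$")


def double_extension(filename: str):
    """Return (inner, outer) when the name is a document-looking double extension, else None."""
    m = DOUBLE_EXT.search(filename)
    if not m:
        return None
    inner, outer = m.group(1).lower(), m.group(2).lower()
    if inner in DOCUMENT_EXTS and outer in WRAPPER_EXTS:
        return inner, outer
    return None


def basename(path: str) -> str:
    """Lower-cased final path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Constructed sample events (not real telemetry). The "description" field stands in for
# the PE version-info description that Sysmon records; AutoIt-compiled scripts carry
# "AutoIt v3 Script" there (assumption for this example).
EVENTS = [
    {"type": "FileCreate", "path": r"C:\Users\jdoe\Downloads\Mandatory_Leave_Notice.xls.zip"},
    {"type": "FileCreate", "path": r"C:\Users\jdoe\Downloads\Q4_report.xlsx"},
    {"type": "ProcessCreate", "image": r"C:\Users\jdoe\AppData\Local\Temp\Leave_Notice.exe",
     "description": "AutoIt v3 Script", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\UtilMan.exe",
     "description": "Utility Manager",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\Leave_Notice.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\UtilMan.exe",
     "description": "Utility Manager", "parent_image": r"C:\Windows\System32\winlogon.exe"},
]


def detect(events):
    """Return a list of findings; each is a tuple starting with the rule name."""
    # First pass: every image whose description marks it as an AutoIt-compiled script.
    autoit_images = {
        ev["image"].lower()
        for ev in events
        if ev["type"] == "ProcessCreate" and ev.get("description", "").lower().startswith("autoit")
    }
    findings = []
    for ev in events:
        if ev["type"] == "FileCreate":
            name = basename(ev["path"])
            hit = double_extension(name)
            if hit:
                findings.append(("double_extension", name, hit))
        elif ev["type"] == "ProcessCreate" and basename(ev["image"]) == "utilman.exe":
            parent = ev["parent_image"].lower()
            if parent in autoit_images:
                findings.append(("utilman_spawned_by_autoit", basename(parent)))
            elif basename(parent) != "winlogon.exe":
                # UtilMan.exe is normally launched by winlogon.exe (assumption for this example).
                findings.append(("utilman_unexpected_parent", basename(parent)))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The first pass collects AutoIt-compiled images so that the UtilMan.exe check can distinguish "spawned by an AutoIt binary" (the pattern in this campaign) from the weaker "spawned by something other than winlogon.exe", which is still worth a look but is noisier.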
Analyst comments from Tanium’s Cyber Threat Intelligence team
As this campaign demonstrates, threat actors often choose lures based on what is happening worldwide. Cofense refers to this specific example as “seasonal relevance.”
This type of lure is common and has the potential to be successful. As such, staying current on the latest phishing techniques is important to prevent costly mistakes.
Zloader receives new features and capabilities
Researchers at Zscaler have discovered a new version of Zloader with additional features. The latest variant includes new anti-analysis capabilities, an interactive shell, and a DNS tunnel for C2 communications.
What is Zloader?
Zloader was initially created for banking fraud. It has since evolved to be used for initial access.
Last year, the malware reemerged after a two-year hiatus with new features. Zscaler has since identified an updated version of the malware, version 2.9.4.0, with even more features — including a new DNS tunneling protocol.
Infection vector
According to Zscaler, Zloader’s distribution is becoming more small-scale and targeted — an increasingly popular trend among initial access brokers.
Researchers have observed Zloader being distributed in an infection chain that begins with remote monitoring and management (RMM) tools like AnyDesk and Microsoft Quick Assist. Zscaler also observed an additional payload called GhostSocks during the attack.
Zloader configuration
Zscaler discovered that the static configuration of the malware changed in this version and is no longer encrypted via a hardcoded and plain text key. In this version, the key must be computed via an XOR operation.
Zscaler decrypts the configuration to reveal two new sections related to the new DNS tunneling feature.
Zloader’s anti-analysis capabilities
This new Zloader version comes with a couple of anti-analysis capabilities:
- The first is an environment check that we see in many malware samples.
- The second relates to API resolution, which was updated in this version. The API resolution result is now calculated using an XOR operation.
Interactive shell
Zscaler also identified a new interactive shell that allows the threat actor to execute binaries and shellcode, steal data, kill processes, and more. This allows the threat actor to perform hands-on keyboard activity.
Network communication
The malware still uses HTTPS with POST as its primary C2 communication method. The most noteworthy change to C2 communication is adding a DNS tunneling technique. The malware uses a custom protocol on top of DNS and IPv4 to tunnel encrypted TLS traffic. Zloader can construct and parse DNS packets and does not need to leverage a third-party library or the Windows API.
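Because the tunnel described above runs on top of ordinary DNS, the defensive handle is the shape of the queries rather than their content: data-carrying labels tend to be long, high-entropy and almost never repeated, and they cluster under one zone. The following is an added example, not Zscaler's or Tanium's code and not a reimplementation of Zloader's protocol. It scores constructed resolver-log lines; the log format, the "last two labels are the zone" rule and the thresholds are choices made here, not details from the article.

```python
"""Heuristics for flagging DNS-tunnel-shaped query traffic (added example)."""
import math
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <client> <qtype> <qname>". The
# tunnel.invalid queries carry 48 hex characters of payload per name; .invalid is a
# reserved TLD, used here as an obvious placeholder.
SAMPLE_LOG = """\
2024-12-13T10:00:01Z 10.0.0.5 A www.example.com
2024-12-13T10:00:02Z 10.0.0.5 A mail.example.com
2024-12-13T10:00:03Z 10.0.0.7 A 3f9a1c7e5b0d2468a7c3e9f1b5d02468.8b4d0f6a2c7e1359.tunnel.invalid
2024-12-13T10:00:03Z 10.0.0.7 A e5c1a9f3d7b204866d2b8f4e0a1c3579.1e7c3b9d5f0a2468.tunnel.invalid
2024-12-13T10:00:04Z 10.0.0.7 A 9a5e1c7f3b0d48264c8e0a6f2b1d3579.b3f7d1a5e9c08642.tunnel.invalid
2024-12-13T10:00:04Z 10.0.0.7 A 0f2d4b6a8e1c35977b1f5d9a3e0c2468.c2a4e6f8d0b13579.tunnel.invalid
2024-12-13T10:00:05Z 10.0.0.5 AAAA cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def split_zone(qname: str, zone_labels: int = 2):
    """Split a query name into (zone, subdomain-part) using a fixed label count.

    Taking the last two labels as the zone is a simplification; a real deployment
    would use the public suffix list (assumption for this example).
    """
    labels = qname.rstrip(".").lower().split(".")
    zone = ".".join(labels[-zone_labels:])
    sub = ".".join(labels[:-zone_labels])
    return zone, sub


def score_zones(log_text: str, min_queries: int = 3, min_avg_len: int = 40,
                min_entropy: float = 3.0, min_unique_ratio: float = 0.9):
    """Aggregate per zone and return the zones whose subdomains look like encoded payload.

    Thresholds are illustrative: labels are capped at 63 bytes by the protocol, so
    an average subdomain part above 40 characters is already unusual for legitimate
    zones, and hex/base32 payload sits near 4 bits of entropy per character.
    """
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "sub_len": 0, "entropy": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        _ts, _client, _qtype, qname = parts
        zone, sub = split_zone(qname)
        st = stats[zone]
        st["queries"] += 1
        st["subs"].add(sub)
        st["sub_len"] += len(sub)
        st["entropy"] += shannon_entropy(sub.replace(".", ""))

    flagged = {}
    for zone, st in stats.items():
        n = st["queries"]
        avg_len = st["sub_len"] / n
        avg_entropy = st["entropy"] / n
        unique_ratio = len(st["subs"]) / n  # payload names are rarely repeated
        if (n >= min_queries and avg_len >= min_avg_len
                and avg_entropy >= min_entropy and unique_ratio >= min_unique_ratio):
            flagged[zone] = {
                "queries": n,
                "avg_subdomain_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
            }
    return flagged


if __name__ == "__main__":
    for zone, detail in score_zones(SAMPLE_LOG).items():
        print(zone, detail)
```

The unique-subdomain ratio is what keeps busy but benign zones (many clients resolving the same handful of hostnames) out of the result, while the entropy and length checks separate encoded payload from long but readable CDN or service-discovery labels.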
Analyst comments from Tanium’s Cyber Threat Intelligence team
Zloader has evolved quite a bit since emerging in 2015 for banking fraud. The latest version reveals an increased focus on detection evasion, which aligns with many other malware families this year.
The new features position Zloader for threat actors seeking an initial access broker. As Zscaler notes with these latest updates, “organizations must ensure that they are inspecting not only web-based traffic, but also DNS-based network traffic.”
New details emerge about Secret Blizzard
Additional details have emerged about the Russian nation-state actor known as Secret Blizzard.
Microsoft recently determined that Secret Blizzard has been using the tools and infrastructure of at least six threat actors. In addition, Secret Blizzard is targeting infrastructure that other threat actors are using to stage exfiltrated data.
What is Secret Blizzard?
Secret Blizzard has been linked to Center 16 of Russia’s Federal Security Service (FSB). The actor is known to target a range of sectors across the globe, with a focus on gaining long-term access for espionage. In several campaigns the actor has been observed leveraging tools or compromised infrastructure belonging to other threat actors.
Compromise and post-compromise activities
Microsoft has been observing Secret Blizzard using another actor’s C2 infrastructure since November 2022. The other actor is a Pakistan-based espionage actor tracked as Storm-0156.
Secret Blizzard has been using Storm-0156’s backdoors to deploy its own backdoors, and has been deploying its tools to the virtual private servers (VPS) that stage Storm-0156’s exfiltrated data. It is currently unknown what initial access mechanism Secret Blizzard uses to obtain access to Storm-0156’s infrastructure.
Secret Blizzard backdoors
Secret Blizzard has deployed several different backdoors on Storm-0156’s infrastructure. This includes a TinyTurla backdoor variant, a custom downloader called TwoDash, a custom trojan called Statuezy, and a custom downloader called MiniPocket.
In the campaign analyzed by Microsoft, Storm-0156 was observed using multiple backdoors, including Wainscot variants targeting Windows and Linux, as well as CrimsonRAT.
Analyst comments from Tanium’s Cyber Threat Intelligence team
While most threat actors target individuals or organizations, Secret Blizzard is going after other threat actors’ infrastructure and tools. The actor is essentially piggybacking on the work other threat actors have already done, looking for an easy way to obtain data without taking part in the initial compromise.
As Microsoft points out, the data the actor obtains this way may not align with its espionage interests. This raises the question of why the actor isn’t going the initial access broker (IAB) route instead.
Microsoft has since published a second post that’s worth reading.