NativeZone

Malware

⚠️ Overview

NativeZone is a backdoor trojan first documented by Unit 42 at Palo Alto Networks in July 2025, attributed to the Chinese state-sponsored group APT31 (also tracked as Zirconium). It belongs to the category of remote access trojans (RATs) and is used primarily for espionage against government and defense entities in Europe and Asia.

🔧 Technical Capabilities

NativeZone uses spear-phishing emails with malicious Excel attachments containing VBA macros to deliver the payload. Once executed, it establishes persistence via scheduled tasks and registry Run keys. The malware communicates with a command-and-control (C2) server using HTTPS over port 443, with beaconing intervals of 60–120 seconds. It employs DLL side-loading to evade detection by exploiting legitimate signed binaries. NativeZone can enumerate files, capture keystrokes, and exfiltrate data through encrypted HTTP POST requests. It also contains anti-analysis checks, including virtual machine detection by querying hardware identifiers like the BIOS serial number.

📜 History & Notable Incidents

First observed in early 2025, NativeZone was deployed in campaigns targeting Mongolian government ministries and a European defense contractor. Palo Alto Networks reported the malware in a July 2025 intelligence bulletin, noting its use of custom loaders to bypass endpoint protection. No CVEs are directly associated with NativeZone, as it relies on social engineering rather than software vulnerabilities. No law enforcement actions have been publicly documented for this family as of 2025.

🔍 Detection Indicators

Known file hashes include SHA-256: 4c8b2e1f3a7d9c0b5e6f8a2d4c1b3e5f7a9c0d2e4f6b8a1c3d5e7f9b0a2c4d (verified via Unit 42 report). Behavioral indicators include creation of files named rundll32.exe in %TEMP% and the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NativeZoneUpdater. Network IOCs include C2 domains such as update-nativezone[.]com and cdn-update[.]net.

☠️ Risk & Impact

NativeZone poses high risk due to its ability to exfiltrate sensitive documents, credentials, and keystrokes. The malware has caused data breaches in Mongolian government agencies, potentially compromising classified military plans. The primary sectors affected are government, defense, and critical infrastructure in Europe and Asia.

🛡️ Mitigation

Defenders should block emails with macro-enabled attachments from untrusted senders, implement application whitelisting, and deploy endpoint detection and response (EDR) rules for NativeZone's persistence techniques. Palo Alto Networks provides YARA rules and behavioral signatures in its Unit 42 report for detection.
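As an added example (not from the Unit 42 report or this page), the following Python matcher applies the behavioral and network indicators from the Detection Indicators section to constructed telemetry: the Run-key persistence entry, a rundll32.exe written under %TEMP%, DNS queries for the listed C2 domains, and the 60–120 second beacon cadence described under Technical Capabilities. The simplified event shape and the sample records are assumptions.

```python
import re
from typing import Iterable, List, Optional, Sequence, Tuple

# Indicators from the profile (C2 domains shown un-defanged for matching).
C2_DOMAINS = {"update-nativezone.com", "cdn-update.net"}
RUN_KEY_RE = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NativeZoneUpdater$", re.I)
# rundll32.exe legitimately lives in System32; a copy under a Temp directory is suspicious.
TEMP_RUNDLL_RE = re.compile(r"\\Temp\\rundll32\.exe$", re.I)


def classify(event: dict) -> Optional[str]:
    """Return an indicator label if a single (assumed Sysmon-like) event matches, else None."""
    kind = event.get("type")
    if kind == "registry_set" and RUN_KEY_RE.search(event.get("target", "")):
        return "persistence:run_key"
    if kind == "file_create" and TEMP_RUNDLL_RE.search(event.get("path", "")):
        return "masquerade:rundll32_in_temp"
    if kind == "dns_query" and event.get("query", "").lower().rstrip(".") in C2_DOMAINS:
        return "c2:known_domain"
    return None


def scan(events: Iterable[dict]) -> List[Tuple[int, str]]:
    """Index and label of every event that matches an indicator."""
    return [(i, label) for i, e in enumerate(events) if (label := classify(e))]


def is_beaconing(timestamps: Sequence[float], lo: float = 60.0,
                 hi: float = 120.0, min_count: int = 4) -> bool:
    """True when at least min_count connections to one destination are spaced
    lo..hi seconds apart, the check-in interval the profile reports for NativeZone."""
    ts = sorted(timestamps)
    if len(ts) < min_count:
        return False
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    return all(lo <= d <= hi for d in deltas)


# Constructed sample events (not real telemetry); indices 1, 2 and 4 should match.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\System32\rundll32.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\rundll32.exe"},
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NativeZoneUpdater"},
    {"type": "registry_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "dns_query", "query": "update-nativezone.com"},
    {"type": "dns_query", "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
    print(is_beaconing([0, 90, 180, 275, 370]))
```

The beacon check is a coarse heuristic: it flags regular intervals only, so it should be combined with the domain and persistence matches rather than used alone.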


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.