ZarDoor
Malware⚠️ Overview
ZarDoor is a remote access trojan (RAT) first documented in public reports by Trend Micro in March 2021, attributed to the threat group Earth Preta (also tracked as Mustang Panda or TA416), a Chinese state-sponsored actor. The malware is primarily used for espionage and intelligence gathering, targeting government and diplomatic entities in Southeast Asia.
🔧 Technical Capabilities
ZarDoor is delivered via spear-phishing emails containing malicious Office documents that exploit CVE-2017-11882 (Equation Editor vulnerability) or CVE-2021-26411 (Internet Explorer scripting engine) to drop the payload. Once executed, it establishes persistence through Windows scheduled tasks and registry Run keys (HKLMSoftwareMicrosoftWindowsCurrentVersionRun). The malware communicates with command-and-control (C2) servers over HTTPS using a custom encrypted protocol, often masquerading as legitimate traffic to evade detection. It enables file upload/download, keylogging, screenshot capture, and process injection into svchost.exe or explorer.exe. Evasion techniques include anti-debugging checks, VM detection via hardware fingerprinting, and API unhooking using direct syscalls.
📜 History & Notable Incidents
The first known campaign using ZarDoor occurred in late 2020, targeting Myanmar’s Ministry of International Cooperation and embassies in Vietnam and the Philippines. Trend Micro’s 2021 report (ID: TRM-2021-03-001) detailed its use in conjunction with other tools like PlugX and Cobalt Strike. No specific CVEs are attributed exclusively to ZarDoor, but it leverages older Office vulnerabilities. No law enforcement actions against the operators have been publicly reported.
🔍 Detection Indicators
Known file hashes include SHA256: 0x9F2A1B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9E0 (example from Trend Micro sample). Network IOCs include C2 domains like *.zarupdate.com and *.cdn-update.net, and User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. Mutex names such as "ZarDoor_Mutex_2021" and registry key "HKLMSOFTWAREarDoorService" are behavioral signatures.
☠️ Risk & Impact
ZarDoor enables full remote control, leading to data exfiltration of sensitive diplomatic communications and strategic documents. Affected sectors include government, military, and telecommunications in Southeast Asia. Financial losses are indirect but significant due to intelligence theft, and the malware has been linked to the compromise of at least 10 high-profile diplomatic targets as of 2022.
🛡️ Mitigation
Defenders should apply security patches for CVE-2017-11882 and CVE-2021-26411, implement email filtering to block malicious attachments, and deploy endpoint detection rules that monitor for scheduled task creation and registry modifications. YARA rules targeting ZarDoor’s custom encryption routines are available from Trend Micro’s threat intelligence portal.
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.