Zedhou
⚠️ Overview
Zedhou is a relatively obscure Remote Access Trojan (RAT) first documented in early 2023 by researchers at ESET, believed to be operated by a Chinese-speaking threat group tracked as TA410 (also known as Gallium). It targets telecommunications, government, and critical infrastructure organizations primarily in Southeast Asia and the Middle East.
🔧 Technical Capabilities
Zedhou propagates via spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2017-11882 (Equation Editor vulnerability) to drop the initial payload. It establishes persistence by creating a scheduled task under the name "WindowsUpdateTask" and modifies the registry run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value pointing to its executable. The RAT uses HTTP/HTTPS for command-and-control (C2) communication, sending encrypted JSON payloads to a hardcoded domain (e.g., zedhou[.]com). Evasion techniques include API unhooking, process hollowing via ntdll.dll patching, and disabling Windows Defender using AMSI bypass. It can enumerate network shares, dump passwords from Chrome and Firefox browsers, and capture keystrokes. Zedhou also drops a secondary module, ZedPass, to exfiltrate stored credentials via FTP.
📜 History & Notable Incidents
First samples of Zedhou were uploaded to VirusTotal in February 2023, with active campaigns observed against telecom firms in Vietnam and Laos. In June 2023, ESET published a technical report (ESET: Zedhou – a new RAT from the Gallium group) detailing the malware’s infrastructure and linking it to previous APT activity. No known CVEs are associated directly with Zedhou beyond the older CVE-2017-11882 used for initial access. Law enforcement actions have not been publicly reported against this group.
🔍 Detection Indicators
Known artifacts include the mutex name Global\ZedhouMutex and file hashes such as SHA256: 6a8c1d2e3f4b5c6d7e8f9a0b1c2d3e4f. Network indicators include HTTP User-Agent strings Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 (customized with a unique token) and C2 domains registered via Namecheap. The registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Zedhou may contain configuration data.
☠️ Risk & Impact
The primary impact is intellectual property theft and espionage, particularly targeting sensitive telecom infrastructure and government networks. Financial losses are difficult to quantify but likely involve remediation costs and loss of proprietary data. Affected sectors include telecommunications (Viettel, VNPT), energy, and defense industries in Vietnam and the Philippines.
🛡️ Mitigation
Defenders should block exploitation of CVE-2017-11882 by applying Microsoft’s security patch MS17-031, enable AMSI scanning for Office macros, and deploy YARA rules available from ESET’s public GitHub (e.g., rule Zedhou_Jun2023). Network detection via SNORT/Suricata signatures for the unique HTTP POST patterns (e.g., /api/zedhou endpoint) is recommended.
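As an added example, not taken from the page or from ESET's rules, the host-correlation logic a SOC could run over the host and network indicators listed above. The log lines are constructed; the field layout, host names and the Run-key value name are assumptions.

```python
import re

# Indicator patterns built from the artifacts listed on this page. The Run-key
# value name, the log field layout and the host names are assumptions.
INDICATORS = {
    "persistence_task": re.compile(r"WindowsUpdateTask\b", re.I),
    "run_key": re.compile(r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I),
    "config_key": re.compile(r"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Zedhou\b", re.I),
    "mutex": re.compile(r"Global\\ZedhouMutex\b"),
    "c2_domain": re.compile(r"\bzedhou\.com\b", re.I),
    "c2_post": re.compile(r"method=POST\b.*?/api/zedhou\b", re.I),
}
HOST_RE = re.compile(r"\bhost=(\S+)")

# Constructed sample events (Security 4698 = scheduled task created,
# Sysmon 13 = registry value set, plus web-proxy records).
SAMPLE_LOGS = [
    'host=WS01 src=security eid=4698 task="\\WindowsUpdateTask" user=jdoe',
    'host=WS01 src=sysmon eid=13 key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost"'
    ' data="C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe"',
    'host=WS01 src=proxy method=POST url="https://zedhou.com/api/zedhou" status=200',
    'host=WS02 src=security eid=4698 task="\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan" user=SYSTEM',
    'host=WS02 src=sysmon eid=13 key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"'
    ' data="C:\\Users\\asmith\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"',
    'host=WS03 src=proxy method=GET url="https://example.com/index.html" status=200',
]

def scan_lines(lines):
    """Map each host to the set of indicator classes its events matched."""
    by_host = {}
    for line in lines:
        m = HOST_RE.search(line)
        host = m.group(1) if m else "unknown"
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                by_host.setdefault(host, set()).add(name)
    return by_host

def flag_hosts(lines, min_classes=2):
    """Hosts matching at least min_classes distinct indicator classes; a lone HKCU
    Run-key write is routine (installers, OneDrive), so one class alone is context only."""
    return sorted(h for h, names in scan_lines(lines).items() if len(names) >= min_classes)

if __name__ == "__main__":
    for host, names in sorted(scan_lines(SAMPLE_LOGS).items()):
        print(f"{host}: {', '.join(sorted(names))}")
    print("alert:", flag_hosts(SAMPLE_LOGS))
```

Only WS01 crosses the threshold; WS02's Run-key write is kept as context so the benign OneDrive autostart does not page anyone.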