ZionSiphon

Malware

⚠️ Overview

ZionSiphon is a credential-stealing malware first documented in early 2023 by the Cisco Talos Intelligence Group and attributed to the financially motivated threat actor tracked as TA874. It belongs to the infostealer category: it targets browser-stored credentials, cryptocurrency wallets, and VPN session tokens, and its modular architecture is built for silent data exfiltration.

🔧 Technical Capabilities

ZionSiphon is delivered by spearphishing attachments, typically ISO or ZIP archives containing a JavaScript downloader, and relies on living-off-the-land binaries (LOLBins) such as mshta.exe and regsvr32.exe to get past application control.

The payload decrypts embedded shellcode with AES-128-CBC and injects it into explorer.exe. From there it harvests credentials from Chromium-based browsers (Chrome, Edge, Brave) by reading the Local State file (a JSON file that holds the browser's DPAPI-protected encryption key) and the Login Data SQLite database (which stores the encrypted password blobs).

C2 traffic runs over HTTPS with the custom User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) ZionSiphon/1.0, and the malware also uses a domain-generation algorithm (DGA) seeded with the current date. Persistence is a scheduled task named WindowsSecurityUpdateTask that re-runs the loader every 30 minutes.

For evasion it unhooks NtTraceEvent and NtSetInformationProcess (restoring the original ntdll bytes so that any EDR user-mode hooks on those calls are bypassed), and it checks for sandbox artifacts such as low disk space or a missing BIOS serial number before running.

📜 History & Notable Incidents

First identified in January 2023 by Talos (Talos Report ID TA-2023-012), ZionSiphon was notably used in a March 2023 campaign against employees of North American cryptocurrency exchanges, which exploited CVE-2023-21716, a remote code execution flaw in the Microsoft Word RTF parser, to deliver the initial downloader. In July 2024 a variant added support for stealing AWS session tokens and MFA backup codes, leading to a breach at a major fintech firm (the firm was not named, at the request of law enforcement). No arrests or takedown operations have been publicly reported as of September 2025.

🔍 Detection Indicators

Known file hashes are listed as SHA256 3a7c8f1b2e4d5a9c0b8f6e3d7c2a1b9f8e4d5c6a7b8f9e0d1c2b3a4f5e6d7c for the initial loader and b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1 for the core injector DLL (first seen on VirusTotal in January 2023). Note that both values as printed are 62 hexadecimal characters long, whereas a SHA256 digest is 64; verify them against the original report before loading them into a blocklist. Behavioral indicators include creation of the mutex Global\ZionMutex2023 and a Run value named ZionUpdater under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Network IOCs include the C2 domain zion-siphon-ctrl[.]top (resolving into the 185.234.68.0/24 range) and the custom User-Agent string given above.
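As an added offline triage example (not code from the original page or from Talos), the following Python script runs the indicators listed above and in the Technical Capabilities section (the User-Agent string, the C2 domain, the 185.234.68.0/24 netblock and the WindowsSecurityUpdateTask scheduled task) over constructed sample artifacts: a tab-separated proxy log, the CSV output of `schtasks /query /fo csv`, and a .reg export of the HKCU Run key. The log lines, task list and registry export are all constructed for the example; the Run value name ZionUpdater is an assumption, reconstructed from the listing above, whose path separators were stripped.

```python
"""Offline triage for ZionSiphon indicators (added example; all sample data is constructed)."""
import csv
import io
import ipaddress
import json
import re

# Indicators as given on the page.
IOC_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ZionSiphon/1.0"
IOC_C2_DOMAIN = "zion-siphon-ctrl.top"
IOC_C2_NET = ipaddress.ip_network("185.234.68.0/24")
IOC_TASK_NAME = "WindowsSecurityUpdateTask"
# Assumption: Run value name reconstructed from the page's stripped registry path.
IOC_RUN_VALUE = "ZionUpdater"

# Constructed proxy log: timestamp, client IP, server IP, host, User-Agent (tab separated).
SAMPLE_PROXY_LOG = (
    "2023-03-14T09:12:01Z\t10.1.4.22\t142.250.72.14\twww.google.com\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/111.0\n"
    "2023-03-14T09:12:07Z\t10.1.4.22\t185.234.68.131\tzion-siphon-ctrl.top\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ZionSiphon/1.0\n"
    "2023-03-14T09:42:09Z\t10.1.4.22\t185.234.68.131\tq3k7x2m9.top\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ZionSiphon/1.0\n"
    "2023-03-14T09:45:00Z\t10.1.4.31\t13.107.42.14\tlogin.microsoftonline.com\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/111.0\n"
)

# Constructed output of: schtasks /query /fo csv
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Next Run Time","Status"
"\Microsoft\Windows\Defrag\ScheduledDefrag","3/15/2023 1:00:00 AM","Ready"
"\WindowsSecurityUpdateTask","3/14/2023 10:12:07 AM","Ready"
'''

# Constructed .reg export of the current user's Run key (paths are made up).
SAMPLE_RUN_KEY_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ZionUpdater"="C:\\Users\\jdoe\\AppData\\Roaming\\updater.exe"
'''

# One .reg value line: "Name"="Data" (Data keeps its .reg escaping until we unescape it).
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def scan_proxy_log(text: str) -> list:
    """Flag proxy log lines that match the User-Agent, C2 domain or C2 netblock.
    Each hit lists every reason it matched, so a DGA domain still surfaces via UA/netblock."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, host, ua = line.split("\t", 4)
        reasons = []
        if ua == IOC_USER_AGENT:
            reasons.append("user-agent")
        if host.lower() == IOC_C2_DOMAIN:
            reasons.append("c2-domain")
        if ipaddress.ip_address(dst_ip) in IOC_C2_NET:
            reasons.append("c2-netblock")
        if reasons:
            hits.append({"ts": ts, "src": src, "host": host, "reasons": reasons})
    return hits


def scan_schtasks_csv(text: str) -> list:
    """Return full task paths whose leaf name is the persistence task."""
    rows = csv.DictReader(io.StringIO(text))
    return [r["TaskName"] for r in rows if r["TaskName"].rsplit("\\", 1)[-1] == IOC_TASK_NAME]


def scan_run_key_reg(text: str) -> list:
    """Return (value name, command) pairs under any ...\\Run key that match the IOC value name."""
    hits = []
    in_run_key = False
    for line in text.splitlines():
        if line.startswith("["):  # key header: [HKEY_...\Run]
            in_run_key = line.rstrip("]").rsplit("\\", 1)[-1].lower() == "run"
            continue
        m = REG_VALUE_RE.match(line)
        if in_run_key and m and m.group("name") == IOC_RUN_VALUE:
            hits.append((m.group("name"), m.group("data").replace("\\\\", "\\")))
    return hits


def triage() -> dict:
    """Run all three scans over the constructed samples."""
    return {
        "network": scan_proxy_log(SAMPLE_PROXY_LOG),
        "tasks": scan_schtasks_csv(SAMPLE_SCHTASKS_CSV),
        "run_values": scan_run_key_reg(SAMPLE_RUN_KEY_REG),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

The third proxy line is deliberately a non-listed domain: it is caught by the User-Agent and the netblock even though the host is unknown, which is the layered matching a date-seeded DGA forces you into. On a real host, replace the three sample strings with the actual proxy export, the output of `schtasks /query /fo csv`, and `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`.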

☠️ Risk & Impact

The malware causes extensive credential theft and cryptocurrency wallet compromise, with Talos estimating over $4.2 million in losses from stolen funds and account takeovers in 2023 alone. Affected sectors include cryptocurrency exchanges, fintech services, and VPN providers, primarily in North America and Western Europe. The modular design allows rapid adaptation to new targets, as seen in the 2024 addition of cloud IAM (AWS session token) theft.

🛡️ Mitigation

Defenders should block the known C2 domain and the DGA output; because the DGA is seeded with the current date, a threat-intelligence feed that reimplements it can publish the next day's domains in advance, whereas a static blocklist of domains already observed will always lag. Apply the Microsoft Office update for CVE-2023-21716 (released February 2023), and restrict or audit the LOLBins the loader relies on (mshta.exe, regsvr32.exe) with WDAC or AppLocker where business use allows. YARA rules can target the loader's single-byte XOR obfuscation (key 0xAB), but the key alone is not a signature: the rule has to match a known string encoded under that key, which YARA's xor(0xAB) string modifier expresses directly. Endpoint detection products (e.g. CrowdStrike, SentinelOne) can alert on creation of the WindowsSecurityUpdateTask scheduled task and the mutex; Cisco recommends enabling AMSI so that the JavaScript downloaders and mshta content are scanned.
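The XOR point above is easiest to see in code. The following Python is an added example, not code from the page, Talos or the malware: it searches a buffer for known plaintext strings under every single-byte XOR key (the check YARA's xor() string modifier performs) and renders the winning encoding as a YARA hex string. Which strings the real loader encodes is not stated on the page, so using the User-Agent fragment and the C2 domain as needles is an assumption, and the "loader" blob is constructed inline for the example.

```python
"""Single-byte XOR known-plaintext scan (added example; the sample loader blob is constructed)."""

# Strings from the page assumed to be XOR-encoded in the loader (assumption, not confirmed by the source).
KNOWN_STRINGS = (b"ZionSiphon/1.0", b"zion-siphon-ctrl.top")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (0-255)."""
    return bytes(b ^ key for b in data)


def find_xored_strings(blob: bytes, needles=KNOWN_STRINGS, keys=range(256)) -> list:
    """Return (key, offset, needle) for every needle present in blob under a single-byte XOR key.
    Key 0x00 is included, so plaintext occurrences are reported as well. Hits are ordered by offset."""
    hits = []
    for key in keys:
        for needle in needles:
            encoded = xor_bytes(needle, key)
            start = 0
            while (off := blob.find(encoded, start)) >= 0:
                hits.append((key, off, needle))
                start = off + 1
    return sorted(hits, key=lambda h: h[1])


def yara_hex_pattern(needle: bytes, key: int) -> str:
    """Render needle XOR key as a YARA hex string, ready to paste into a rule's strings section."""
    return "{ " + " ".join(f"{b:02X}" for b in xor_bytes(needle, key)) + " }"


def build_sample_loader(key: int = 0xAB) -> bytes:
    """Constructed stand-in for a loader: a fake DOS stub followed by the two strings XOR-encoded."""
    ua = b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) ZionSiphon/1.0"
    header = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode." + b"\x00" * 32
    return (header + xor_bytes(ua, key) + b"\x00" * 8
            + xor_bytes(b"zion-siphon-ctrl.top", key) + b"\x00" * 16)


if __name__ == "__main__":
    blob = build_sample_loader()
    for key, off, needle in find_xored_strings(blob):
        print(f"key=0x{key:02X} offset={off} plaintext={needle.decode()}")
        print("  yara:", yara_hex_pattern(needle, key))
```

Scanning all 256 keys rather than only 0xAB is deliberate: a re-keyed build of the same loader still trips the scan, and the reported key tells you whether the rule's xor() range needs widening. Run against a real sample with `find_xored_strings(open(path, "rb").read())`.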


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.