ZIPLINE
⚠️ Overview
ZIPLINE is a remote access trojan (RAT) first documented by FireEye in 2018 as a tool of the Iranian state-sponsored threat group APT39 (also tracked as Chafer, ITG07 and TA390). It is written in .NET and has primarily been used against telecommunications, travel and government organisations in the Middle East and Europe. It is delivered by spear-phishing emails carrying malicious Microsoft Office documents that either exploit CVE-2017-11882 (the Equation Editor memory-corruption bug) or use macro-based downloaders.
🔧 Technical Capabilities
ZIPLINE uses HTTP for command and control (C2); the traffic is encrypted and the payloads are carried base64-encoded in the request bodies. It can execute arbitrary commands, log keystrokes, capture screenshots, enumerate processes and files, exfiltrate documents and deploy secondary payloads such as POWRUN, a PowerShell-based downloader. For persistence it either creates a scheduled task or writes a Run value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a newly generated 8-character value name, so a persistence hunt has to cover both locations. Evasion consists of a sandbox check for common virtual-machine artifacts (for example, the presence of VMware Tools) and process hollowing into svchost.exe or iexplore.exe. In MITRE ATT&CK terms the reported behaviours map to T1055 (Process Injection), T1574.002 (DLL Side-Loading), T1005 (Data from Local System) and T1059.001 (PowerShell).
📜 History & Notable Incidents
First seen in late 2017, ZIPLINE was used in a 2018 campaign that compromised a Middle Eastern telecommunications firm and stole network topology maps and subscriber data. In 2019, FireEye reported APT39 using ZIPLINE alongside another backdoor, Remexi, against the travel and hotel industries in Europe. No law enforcement action had been publicly disclosed as of 2023, but several vendors (for example Secureworks CTU and Trend Micro) actively track this malware in their advisories.
🔍 Detection Indicators
Known file hashes include a SHA-256 beginning 8f3c6a2b... (from VirusTotal submissions), and typical dropped filenames are readme.exe, update.exe and session.exe. Network indicators are HTTP POST requests to the C2 domains using the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 and URI paths such as /gate.php or /api/check. That User-Agent is the stock Firefox 68 string and identifies nothing on its own; match it together with the URI path and the POST body. Registry modifications create keys under HKCU\Software\[random8]. Behavioural signatures include repeated PowerShell Invoke-WebRequest calls and creation of a mutex in the Global\ namespace, whose name is rendered as Globalipline_Mutex in public sandbox reports (the path separator after Global has been stripped in the source).
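The two registry artifacts above (the 8-character Run value name from the Technical Capabilities section and the HKCU\Software\[random8] key) can be hunted in a registry export without touching a live host. The following Python is an added example written for this page, not code from the original page or from any vendor report. It parses the text form of a .reg export and assumes two things the page does not state: that the generated names are alphanumeric, and that a dropped executable sits in a user-writable directory (AppData, Temp, ProgramData, Users\Public). The sample export is constructed.

```python
"""Triage a Windows .reg export for ZIPLINE-style persistence artifacts.

Added example for this page, not vendor or project code. Flags:
  * Run/RunOnce values whose name is exactly 8 alphanumeric characters AND
    whose data points into a user-writable directory (both assumptions),
  * Run/RunOnce values whose data names readme.exe, update.exe or session.exe,
  * direct subkeys of HKCU\\Software whose name is 8 alphanumeric characters.
Legitimate 8-character value names exist (OneDrive is one), which is why the
length test alone is not treated as a verdict.
"""
import re

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
HKCU_SOFTWARE_SUBKEY_RE = re.compile(r"^HKEY_CURRENT_USER\\Software\\([^\\]+)$", re.IGNORECASE)
RANDOM8_RE = re.compile(r"^[A-Za-z0-9]{8}$")            # assumption: alphanumeric
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
EXE_NAME_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)
VALUE_LINE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
DROPPED_NAMES = {"readme.exe", "update.exe", "session.exe"}   # from the page


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    Quoted string data ("...") is unescaped; other value types (hex:, dword:)
    are kept as their raw right-hand side. The default value is stored as "@".
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_LINE_RE.match(line)
        if current is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])   # \" -> ", \\ -> \
        keys[current][name] = data
    return keys


def triage(text):
    """Return a list of (finding_kind, key_path, value_name_or_None)."""
    findings = []
    for path, values in parse_reg_export(text).items():
        sub = HKCU_SOFTWARE_SUBKEY_RE.match(path)
        if sub and RANDOM8_RE.match(sub.group(1)):
            findings.append(("random8_subkey", path, None))
        if not RUN_KEY_RE.search(path):
            continue
        for name, data in values.items():
            if RANDOM8_RE.match(name) and USER_WRITABLE_RE.search(data):
                findings.append(("random8_run_value", path, name))
            exe = EXE_NAME_RE.search(data)
            if exe and exe.group(1).lower() in DROPPED_NAMES:
                findings.append(("known_dropped_name", path, name))
    return findings


# Constructed sample export: one benign Run value, one suspicious one, one
# random-looking key directly under HKCU\Software, and an unrelated key.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"kX7qP2mZ"="\"C:\\Users\\alice\\AppData\\Roaming\\session.exe\""

[HKEY_CURRENT_USER\Software\Ab12Cd34]
"cfg"=hex:01,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

if __name__ == "__main__":
    for kind, key, value in triage(SAMPLE_EXPORT):
        print(f"{kind:20} {key}  {value or ''}")
```

Feed it the output of `reg export HKCU hkcu.reg` (the file is UTF-16; decode it before calling triage). Every finding is a lead for analyst review, not a verdict: the known-filename check is the most specific of the three, the 8-character tests are there to surface what a filename match would miss.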
☠️ Risk & Impact
ZIPLINE gives an attacker full control of the compromised workstation, the means to exfiltrate intellectual property and, through harvested credentials, a foothold for lateral movement within the network. Affected sectors include telecommunications, hospitality and government; the financial impact comes from the leaked proprietary data and from remediation costs. In at least one incident, sensitive subscriber data covering more than 50,000 records was exfiltrated over a six-month period.
🛡️ Mitigation
Defenders should block macros in Office documents from untrusted sources, apply the Microsoft update for CVE-2017-11882 (Equation Editor), deploy endpoint detection for process injection into svchost.exe and iexplore.exe, and deploy network signatures for the C2 pattern: HTTP POST to /gate.php or /api/check with a base64-encoded body. Microsoft 365 Defender and CrowdStrike Falcon have published detection rules; see also the FireEye report “Chafer: Latest Credit Card Theft Campaign”.
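The C2 pattern described in the Detection Indicators and Mitigation sections (POST to /gate.php or /api/check, the Firefox 68 User-Agent, a base64 body) can be turned into a scoring rule rather than a single-field match, which keeps the stock User-Agent from firing on ordinary browsing. The following Python is an added example, not code from the original page or from any of the vendors named. It assumes a body-logging proxy or a PCAP parser (not shown) supplies reconstructed requests as dicts; the request records and the weights are constructed for the example.

```python
"""Score reconstructed HTTP requests against the ZIPLINE C2 pattern.

Added example for this page, not vendor rule content. A request is scored
on four signals; the URI path and a base64 POST body carry the weight,
because the User-Agent is a stock Firefox 68 string that any real browser
of that version also sends.
"""
import base64
import binascii
import re

C2_PATHS = {"/gate.php", "/api/check"}                       # from the page
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) "
                 "Gecko/20100101 Firefox/68.0")              # from the page
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
ALERT_THRESHOLD = 4                                          # assumption


def is_base64_body(body):
    """True if the body is non-trivial, well-formed base64 (strict decode)."""
    if len(body) < 16 or len(body) % 4 != 0 or not BASE64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except binascii.Error:
        return False


def score_request(req):
    """Return (score, reasons) for one request dict.

    req has keys: host, method, path, headers (dict), body (str).
    Weights are assumptions: path 2, POST 1, User-Agent 1, base64 body 2.
    """
    score, reasons = 0, []
    is_post = req["method"].upper() == "POST"
    path = req["path"].split("?", 1)[0]          # ignore the query string
    if path in C2_PATHS:
        score += 2
        reasons.append(f"uri_path:{path}")
    if is_post:
        score += 1
        reasons.append("method:POST")
    if req["headers"].get("User-Agent") == C2_USER_AGENT:
        score += 1
        reasons.append("user_agent:firefox68")
    if is_post and is_base64_body(req.get("body", "")):
        score += 2
        reasons.append("body:base64")
    return score, reasons


def detect(requests, threshold=ALERT_THRESHOLD):
    """Return alert dicts for every request scoring at or above threshold."""
    alerts = []
    for req in requests:
        score, reasons = score_request(req)
        if score >= threshold:
            alerts.append({"host": req["host"], "path": req["path"],
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample traffic: a benign Firefox 68 page load, a beacon to
# /gate.php, a check-in to /api/check with a JSON body, and a legitimate
# base64 upload from a different browser.
SAMPLE_REQUESTS = [
    {"host": "www.example.org", "method": "GET", "path": "/index.html",
     "headers": {"User-Agent": C2_USER_AGENT}, "body": ""},
    {"host": "203.0.113.10", "method": "POST", "path": "/gate.php",
     "headers": {"User-Agent": C2_USER_AGENT,
                 "Content-Type": "application/x-www-form-urlencoded"},
     "body": base64.b64encode(b"host=WS01;user=alice;cmd=list").decode()},
    {"host": "203.0.113.10", "method": "POST", "path": "/api/check?id=7",
     "headers": {"User-Agent": C2_USER_AGENT}, "body": '{"status":"ok"}'},
    {"host": "cdn.example.net", "method": "POST", "path": "/upload",
     "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"},
     "body": base64.b64encode(b"some legitimate upload payload here").decode()},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_REQUESTS):
        print(alert["host"], alert["path"], alert["score"], ", ".join(alert["reasons"]))
```

With these weights the page load scores 1 (User-Agent only) and the unrelated upload scores 3 (POST plus base64), so neither alerts; the /gate.php beacon scores 6 and the /api/check check-in scores 4. Tune the threshold against your own proxy baseline before deploying, and add the destination to an allow-list check if internal applications use either path.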
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.