Zloader, another botnet, bites the dust

Zloader, another botnet, bites the dust

Microsoft has announcedthat its Digital Crimes Unit (DCU) has taken legal and technical action to disrupt a malicious botnet called Zloader.

Zloader or Zbot are common names used to refer to any malware related to the ZeuS family. There are a lot of those because the ZeuS banking Trojan source code was leaked in 2011, and so there’s been plenty of time for several new variants to emerge.

The Zloader at hand is a botnet made up of computing devices in businesses, hospitals, schools, and homes around the world which is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.

Legal action

Microsoft obtained a court order from the United States District Court for the Northern District of Georgia, allowing it to take control of 65 domains that the Zloader gang had been using to grow, control and communicate with its botnet. These domains are now directed to a Microsoft sinkhole so they can no longer be used by the botnet operators.

A sinkhole is a way of redirecting malicious internet traffic so that it can be captured and analyzed by security professionals, and are often used to seize control of botnets. We also saw this method recentlyused against the Strontium group.

Domain Generating Algorithm

Zloader has a Domain Generating Algorithm (DGA)embedded within the malware that creates additional domains as a fallback or backup communication channel for the botnet. In addition to the hardcoded domains, the court order allowed Microsoft to take control of an additional 319 currently registered DGA domains. Microsoft is working on a method to block the future registration of DGA domains.


The primary goal of Zloader was originally financial theft, stealing account login IDs, passwords and other information to take money from people’s accounts. This makes sense, knowing the source code it started from was a banking Trojan. But Zloader also includes a component that disables popular security and antivirus software, thereby preventing victims from detecting the Zloader infection on their systems.

Over time, those behind Zloader began offering malware as a service, acting as a delivery platform to distribute ransomware such as Ryuk, DarkSide, and BlackMatter.

Zloader is a malware family known for its flexibility and the ability to evolve and change from campaign to campaign. As such, it has undergone a lot of development since its inception. The evolution has been worked on at many fronts, since several groups started working from the original ZeuS source code.

For those looking for a technical analysis of Zloader, in 2020 Malwarebytes published a reportwith an analysis of the “Silent Night” Zloader variant that demonstrates some of the botnet features developed for Zloader. And Microsoft provided some insighton the techniques and tactics used by this particular Zloader group.


Microsoft worked with telecommunications providers around the world to disrupt key Zloader infrastructure. It is expected to see some attempts to revive the operations, but these attempts will be monitored closely. If the method to prevent new DGA domains is successful, it will take a fresh restart to build out another botnet.


Given the tactics used by this Zloader group, the general rules of internet hygiene apply, starting with some that are more specific for this group:

  • Be careful with email attachments
  • Don’t click on sponsored Google results
  • Secure authentication methods
  • Patch management
  • Network segmentation
  • A backup strategy in case prevention measures fail

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.