{"id":11599,"date":"2025-02-18T11:42:19","date_gmt":"2025-02-18T11:42:19","guid":{"rendered":"\/cybersecurity-blog\/?p=11599"},"modified":"2025-04-17T05:40:56","modified_gmt":"2025-04-17T05:40:56","slug":"zhong-stealer-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/","title":{"rendered":"Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency"},"content":{"rendered":"\n<p><strong><em>Editor\u2019s note:<\/em><\/strong><em> The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can <\/em><a href=\"https:\/\/x.com\/MauroEldritch\" target=\"_blank\" rel=\"noreferrer noopener\"><em>find Mauro on X<\/em><\/a><em>.<\/em>&nbsp;<\/p>\n\n\n\n<p>From December 20 to 24, 2024, the Quetzal Team identified a phishing campaign targeting the cryptocurrency and fintech sectors. This campaign aimed to distribute a newly discovered stealer malware, which we have named Zhong Stealer, as there were no prior public references to this threat.&nbsp;<\/p>\n\n\n\n<p>The attackers exploited chat support platforms like Zendesk, posing as customers to trick unsuspecting support agents into downloading the malware. 
<\/p>\n\n\n\n<p>In this article, we\u2019ll use <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=zhong_stealer_analysis&amp;utm_term=180225&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN&#8217;s real-time malware analysis capabilities<\/a> to cover:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Execution flow<\/strong>: How the malware runs from initial launch to full system infiltration.&nbsp;<\/li>\n\n\n\n<li><strong>Data exfiltration tactics<\/strong>: How Zhong transmits stolen credentials to a C2 server hosted in Hong Kong.&nbsp;<\/li>\n\n\n\n<li><strong>Persistence techniques<\/strong>: How it modifies registry keys and scheduled tasks to survive reboots.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">A Flood of Phishing Attempts&nbsp;<\/h2>\n\n\n\n<p>The attack pattern was simple yet persistent:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Open a new support ticket from a freshly created, empty account.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Use broken language and ask for help in Chinese.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li>Attach a ZIP file containing screenshots or additional details.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li>Insist that support staff open it, growing frustrated when they refused.&nbsp;<\/li>\n<\/ol>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"724\" height=\"415\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/1.png\" alt=\"\" class=\"wp-image-11606\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/1.png 724w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/1-300x172.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/1-370x212.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/1-270x155.png 270w\" sizes=\"(max-width: 724px) 100vw, 724px\" \/><figcaption class=\"wp-element-caption\"><em>Suspicious ZIP files named with Simplified Chinese characters<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>During this period, we managed to collect several suspicious ZIP file samples, all named with Simplified Chinese characters:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u56fe\u7247_20241224 (2).zip (Image_20241224 (2).zip).&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Android \u81ea\u7531\u622a\u56fe_20241220.zip (Android Free Screenshot_20241220.zip)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Android &#8211; Screenshots2024122288jpg.zip&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Each ZIP file contained an EXE file inside, which immediately raised red flags:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u56fe\u7247_20241224.exe (Image_20241224.exe &#8211; Simplified Chinese)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5716\u72472024122288jpg.exe (Image2024122288jpg.exe &#8211; Traditional Chinese)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u56fe\u7247_20241220.exe (Image_20241220.exe &#8211; Simplified Chinese)&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"831\" height=\"389\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/2.png\" alt=\"\" class=\"wp-image-11608\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/2.png 831w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/2-300x140.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/2-768x360.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/2-370x173.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/2-270x126.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/2-740x346.png 740w\" sizes=\"(max-width: 831px) 100vw, 831px\" \/><figcaption class=\"wp-element-caption\"><em>Way more suspicious EXE files named with Simplified and Traditional Chinese characters<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">The Zhong Stealer Revealed&nbsp;<\/h2>\n\n\n\n<p>Over four days, we received multiple samples of what appeared to be the same malware. Initially, only one global detection flagged it as \u201cUnsafe,\u201d a vague and generic label.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"335\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/3-1024x335.png\" alt=\"\" class=\"wp-image-11610\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/3-1024x335.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/3-300x98.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/3-768x252.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/3-1536x503.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/3-2048x671.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/3-370x121.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/3-270x88.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/3-740x242.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Generic detection, lacking a naming convention or detailed insights<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>As time passed, some samples began to receive more global detections, but with a twist: all of them were either generic 
or driven by heuristic\/machine learning\/artificial intelligence-powered systems.&nbsp;&nbsp;<\/p>\n\n\n\n<p>However, these detections lacked meaningful naming conventions, making tracking difficult.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"2290\" height=\"1686\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/4-1024x754.png\" alt=\"\" class=\"wp-image-11612\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/4-1024x754.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/4-300x221.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/4-768x565.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/4-1536x1131.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/4-2048x1508.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/4-370x272.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/4-270x199.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/4-740x545.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/4-80x60.png 80w\" sizes=\"(max-width: 2290px) 100vw, 2290px\" \/><figcaption class=\"wp-element-caption\"><em>AI\/ML-based detection with no naming convention or substantial details<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Generic conventions (such as \u201c<em>Win.MSIL<\/em>\u201d, \u201c<em>Detected<\/em>\u201d, or \u201c<em>Unsafe<\/em>\u201d) and AI-generated names (like \u201c<em>AIDetectMalware<\/em>\u201d, \u201c<em>Malware.AI<\/em>\u201d, \u201c<em>ML.Attribute.HighConfidence<\/em>\u201d, \u201c<em>malicious_confidence_90%<\/em>\u201d, \u201c<em>Static AI<\/em>\u201d) may be useful for internal classification or as temporary indicators but their lack of specificity makes it difficult to track 
malware over time or correlate research findings.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"759\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/5-1024x759.png\" alt=\"\" class=\"wp-image-11614\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/5-1024x759.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/5-300x222.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/5-768x569.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/5-1536x1139.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/5-2048x1518.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/5-370x274.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/5-270x200.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/5-740x549.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/5-80x60.png 80w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>AI\/ML-based detections\u2014hard to follow with these naming conventions<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>To solve this, we decided to give this malware a proper name: <strong>Zhong Stealer<\/strong>, inspired by the email address of the first submitter to hit the ticketing system. From now on, we\u2019ll track all these strains under this family name.&nbsp;<\/p>\n\n\n\n<p>Now that we\u2019ve made a new \u201cfriend\u201d, let\u2019s play with it a little bit.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Dissecting Zhong&nbsp;<\/h2>\n\n\n\n<p>Running Zhong Stealer in ANY.RUN revealed its behavior almost immediately. 
Upon execution, it queried a C2 server based in Hong Kong, hosted by Alibaba Cloud.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/a84e322a-a5e5-469e-98b3-1235f8069cbb\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=zhong_stealer_analysis&amp;utm_term=180225&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View sandbox analysis<\/a><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/6-1024x538.png\" alt=\"\" class=\"wp-image-11616\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/6-1024x538.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/6-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/6-768x404.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/6-1536x807.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/6-2048x1076.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/6-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/6-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/6-740x389.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>First and follow-up contacts with the C2 server in Hong Kong<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Stage 1: Initial Contact&nbsp;<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"629\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/7-1024x629.png\" alt=\"\" class=\"wp-image-11617\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/7-1024x629.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/7-300x184.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/7-768x472.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/7-1536x943.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/7-2048x1258.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/7-370x227.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/7-270x166.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/7-740x454.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Inventory file signalling the malware\u2019s components to download<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The first action involves reading a TXT file, which serves as an inventory. 
This file contains links to itself and other components that need to be downloaded.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 2: Downloader Execution&nbsp;<\/h3>\n\n\n\n<p>Next, another stage is downloaded: down.exe, a file signed with a previously valid but now revoked certificate from Morning Leap &amp; Cazo Electronics Technology Co., suggesting it was likely stolen. 
Notably, the file masquerades as a BitDefender Security updater, a deliberate choice that adds an extra layer of deception to evade suspicion.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"667\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/8-1024x667.png\" alt=\"\" class=\"wp-image-11619\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/8-1024x667.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/8-300x195.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/8-768x500.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/8-1536x1001.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/8-370x241.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/8-270x176.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/8-740x482.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/8.png 1894w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Fake signature posing as BitDefender and using a potentially stolen certificate<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Alongside this stage, Zhong downloaded additional components:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>TASLogin.log<\/strong> (a log file)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>TASLoginBase.dll<\/strong> (a dynamic-link library)&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>These components helped facilitate execution of the next stage.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"535\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/9-1024x535.png\" alt=\"\" 
class=\"wp-image-11620\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/9-1024x535.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/9-300x157.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/9-768x401.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/9-1536x803.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/9-2048x1071.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/9-370x193.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/9-270x141.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/9-740x387.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Zhong Stealer downloading components and preparing for the next stage<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Stage 3: Persistence &amp; Reconnaissance&nbsp;<\/h3>\n\n\n\n<p>Once active, <em>down.exe<\/em> creates a BAT file with a random 4-digit name in the user\u2019s temporary folder (e.g., <em>4948.bat<\/em> on my setup). 
This script sets up the environment by invoking system utilities like <em>Conhost.exe<\/em> and <em>Attrib.exe<\/em> to unhide and grant execution permissions to the next step.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"537\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/10-1-1024x537.png\" alt=\"\" class=\"wp-image-11623\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/10-1-1024x537.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/10-1-300x157.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/10-1-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/10-1-1536x806.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/10-1-2048x1074.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/10-1-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/10-1-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/10-1-740x388.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>BAT file preparing the environment for the next stage<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The stealer then queries the system\u2019s supported languages, a tactic often seen in ransomware. It is used to avoid targeting specific regions. 
It also schedules itself to run periodically via Task Scheduler, which serves as a fallback persistence method, though not its primary one (more on this later).&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"537\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/11-1024x537.png\" alt=\"\" class=\"wp-image-11625\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/11-1024x537.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/11-300x157.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/11-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/11-1536x806.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/11-2048x1074.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/11-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/11-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/11-740x388.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Zhong scheduling itself via Task Scheduler and checking language properties<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Next, Zhong disables trace logs (point 1 in the image below) and initiates reconnaissance routines.&nbsp;&nbsp;<\/p>\n\n\n\n<p>This includes reading registry keys to collect details such as the machine hostname, GUID, proxies, software policies, and supported languages (points 2 and 3). 
It also evaluates Internet Explorer\/Edge security settings (point 4).&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/12-1024x538.png\" alt=\"\" class=\"wp-image-11628\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/12-1024x538.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/12-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/12-768x404.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/12-1536x807.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/12-2048x1076.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/12-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/12-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/12-740x389.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Zhong staging, reconnaissance, and evasion routines in practice<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 4: Credential Theft &amp; Data Exfiltration&nbsp;<\/h3>\n\n\n\n<p>With the preparation complete, Zhong moves to its final stage, where it aims to execute a clean attack.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/13-1-1024x538.png\" alt=\"\" class=\"wp-image-11630\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/13-1-1024x538.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/13-1-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/13-1-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/13-1-1536x807.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/13-1-2048x1075.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/13-1-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/13-1-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/13-1-740x389.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Specific registry keys read by Zhong before launching the final stage<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Now, the real action starts. 
Zhong establishes persistence by adding a registry key (point 1 in the image below) at:&nbsp;<\/p>\n\n\n\n<p>HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN&nbsp;<\/p>\n\n\n\n<p>Next, it harvests browser credentials and extension data (point 2) before connecting to its C2 server on port 1311 (point 3) to exfiltrate the stolen information.\u00a0<\/p>\n\n\n\n<p>Let\u2019s break down these actions step by step.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"540\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/14-1-1024x540.png\" alt=\"\" class=\"wp-image-11632\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/14-1-1024x540.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/14-1-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/14-1-768x405.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/14-1-1536x810.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/14-1-2048x1080.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/14-1-370x195.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/14-1-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/14-1-740x390.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Routines to gain persistence, steal credentials, and communicate with its C2<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The registry key serves as Zhong&#8217;s primary persistence mechanism, with the scheduled task acting as a fallback in case the registry entry is removed. 
Once persistence is secured, Zhong shifts its focus to harvesting credentials and browser extension data.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"720\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/15-1024x720.png\" alt=\"\" class=\"wp-image-11634\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/15-1024x720.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/15-300x211.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/15-768x540.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/15-370x260.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/15-270x190.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/15-740x520.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/15.png 1442w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Persistence mechanisms and exfiltration routines in action<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Next, Zhong scans browser extensions and credentials, starting with Brave Browser on this setup.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"719\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/16-1024x719.png\" alt=\"\" class=\"wp-image-11636\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/16-1024x719.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/16-300x211.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/16-768x539.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/16-370x260.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/16-270x189.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/16-740x519.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/16.png 1442w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Zhong scanning Brave Browser for sensitive data<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>It then moves on to Edge\/Internet Explorer, which come pre-installed on most Windows systems, making them valuable targets for data theft.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"716\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/17-1024x716.png\" alt=\"\" class=\"wp-image-11638\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/17-1024x716.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/17-300x210.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/17-768x537.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/17-370x259.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/17-270x189.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/17-740x518.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/17.png 1444w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Zhong scanning Edge for sensitive data<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>After collecting sensitive data, Zhong contacts its Hong Kong-based C2 server on port 1311 to exfiltrate relevant information.\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"841\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/18-1024x841.png\" alt=\"\" class=\"wp-image-11641\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/18-1024x841.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/18-300x246.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/18-768x631.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/18-370x304.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/18-270x222.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/18-740x608.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/18.png 1076w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Zhong exfiltrating data via its C2 server<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>At this point, the outcome is predictable\u2014Zhong evolves from a mere nuisance into a full-fledged data thief.&nbsp;<\/p>\n\n\n\n<p>Now, let\u2019s break down its techniques into a clear and structured MITRE ATT&amp;CK Matrix to visualize its full attack chain.&nbsp;<\/p>\n\n\n\n<p>Fortunately, ANY.RUN simplifies this process, mapping out the malware\u2019s behavior step by step for better analysis and threat tracking.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Zhong Stealer\u2019s Tactics &amp; Techniques&nbsp;<\/h2>\n\n\n\n<p>This particular piece of malware employs a variety of TTPs which are common, simple, and yet, highly effective:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Disabling Event Logging (T1562)<\/strong>&nbsp;\u2013 Prevents security tools from recording malicious activity, making detection and forensic analysis more difficult.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Gaining Persistence via Registry Keys (T1547)<\/strong>&nbsp;\u2013 Modifies Windows registry settings to 
ensure the malware automatically runs at startup.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Harvesting Credentials (T1552)<\/strong>&nbsp;\u2013 Extracts saved passwords, browser session data, and authentication tokens from compromised systems.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scheduling Tasks (T1053)<\/strong>&nbsp;\u2013 Creates scheduled tasks to maintain persistence, ensuring the malware executes even after a system reboot.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Communicating via Non-Standard Ports (T1571)<\/strong>\u00a0\u2013 Uses uncommon network ports, such as port 1311, to avoid detection and transmit stolen data to a command-and-control server.\u00a0<\/li>\n<\/ul>\n\n\n\n<p>You can find more TTPs used by Zhong Stealer in the screenshot below:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"543\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/19-1024x543.png\" alt=\"\" class=\"wp-image-11643\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/19-1024x543.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/19-300x159.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/19-768x407.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/19-1536x814.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/19-2048x1086.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/19-370x196.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/19-270x143.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/02\/19-740x392.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>MITRE ATT&amp;CK Matrix on ANY.RUN 
detailing the analyzed points<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">How to Protect Against Zhong Stealer&nbsp;<\/h2>\n\n\n\n<p>To combat Zhong Stealer and similar social-engineering-driven malware, security teams need detection that is based on behavior, not on signatures alone. A freshly built stealer with no prior public references, as Zhong was in December 2024, is exactly what signature-based antivirus tends to miss. Detonating the sample in ANY.RUN\u2019s <a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=zhong_stealer_analysis&amp;utm_term=180225&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a> exposes its persistence mechanisms, credential access, and C2 traffic in real time, and those observations are what the blocking and hunting rules below are built from.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s how to protect your organization from Zhong Stealer:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Train customer support teams to recognize the pattern seen in this campaign: a brand-new account, broken language, an archive attachment, and growing pressure to open it. Attachments from tickets should never be opened on an agent\u2019s own workstation; route them to a sandbox instead.&nbsp;<\/li>\n<li>Block or quarantine archive attachments from unverified sources, and restrict what can run once they are extracted: application control that refuses unsigned executables launched from user download locations, together with least-privilege accounts for support staff, limits what a double-clicked payload can do.&nbsp;<\/li>\n<li>Monitor outbound network traffic for the indicators in the IOCs section below: connections to the listed IP addresses, to the hostname kkuu.oss-cn-hongkong.aliyuncs[.]com, and any workstation egress on port 1311. Few legitimate desktop applications use that port, so a single hit from a support-desk workstation deserves a look.\u00a0<\/li>\n<li>Use ANY.RUN\u2019s real-time analysis to safely detonate unknown executables, observe their behavior step by step, and extract IOCs before the malware can spread.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>With this kind of behavioral analysis, security teams can stay ahead of evolving threats like Zhong Stealer and stop social engineering from becoming the route around otherwise sound technical defenses.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Final Thoughts&nbsp;<\/h2>\n\n\n\n<p>Zhong Stealer\u2019s campaign 
is a prime example of how social engineering and persistent phishing tactics can be used to distribute malware. By targeting customer support teams, the attackers attempted to bypass traditional security measures and exploit human trust.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=deepseek_cyber_attack&amp;utm_term=050225&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=zhong_stealer_analysis&amp;utm_term=180225&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request free trial of ANY.RUN&#8217;s services \u2192<\/a>&nbsp;<\/p>\n\n\n\n<h2 
class=\"wp-block-heading\"><strong>IOCs<\/strong>&nbsp;<\/h2>\n\n\n\n<p>FileHash-MD5:778b6521dd2b07d7db0eaeaab9a2f86b&nbsp;<\/p>\n\n\n\n<p>FileHash-SHA1:ce120e922ed4156dbd07de8335c5a632974ec527&nbsp;<\/p>\n\n\n\n<p>FileHash-SHA256:02244934046333f45bc22abe6185e6ddda033342836062afb681a583aa7d827f&nbsp;<\/p>\n\n\n\n<p>FileHash-SHA256:1abffe97aafe9916b366da57458a78338598cab9742c2d9e03e4ad0ba11f29bf&nbsp;<\/p>\n\n\n\n<p>FileHash-SHA256:4eaebd93e23be3427d4c1349d64bef4b5fc455c93aebb9b5b752981e9266488e&nbsp;<\/p>\n\n\n\n<p>FileHash-SHA256:dd44dabff536a1aa9b845dd891ad483162d4f28913344c93e5d59f648a186098<\/p>\n\n\n\n<p>FileHash-SHA256:e46779869c6797b294cb097f47027a5c52466fd11112b6ccd52c569578d4b8cd&nbsp;<\/p>\n\n\n\n<p>FileHash-SHA256:5f422be165e4b6557f45719914f724a4fe1840fa792ecc739861bfdba45c1550<\/p>\n\n\n\n<p>URL:hxxps:\/\/kkuu.oss-cn-hongkong.aliyuncs[.]com\/ss\/TASLogin.log&nbsp;<\/p>\n\n\n\n<p>URL:hxxps:\/\/kkuu.oss-cn-hongkong.aliyuncs[.]com\/ss\/TASLoginBase.dll&nbsp;<\/p>\n\n\n\n<p>URL:hxxps:\/\/kkuu.oss-cn-hongkong.aliyuncs[.]com\/ss\/down.exe&nbsp;<\/p>\n\n\n\n<p>URL:hxxps:\/\/kkuu.oss-cn-hongkong.aliyuncs[.]com\/ss\/uu.txt&nbsp;<\/p>\n\n\n\n<p>email:zhongmaziil992@outlook.com&nbsp;<\/p>\n\n\n\n<p>hostname:kkuu.oss-cn-hongkong.aliyuncs[.]com&nbsp;<\/p>\n\n\n\n<p>IPv4:156.245.23.188&nbsp;<\/p>\n\n\n\n<p>IPv4:47.79.64.228&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X.&nbsp; From December 20 to 24, 2024, the Quetzal Team identified a phishing campaign targeting the cryptocurrency and fintech sectors. 
This campaign aimed to distribute a newly discovered stealer malware, which we have [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":11656,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,34,40],"class_list":["post-11599","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Zhong Stealer: Technical Analysis of a Threat Targeting FIntech<\/title>\n<meta name=\"description\" content=\"Discover technical analysis of the Zhong stealer, a malware that targets the Fintech industry by abusing support ticket systems.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mauro Eldritch\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/\"},\"author\":{\"name\":\"Mauro Eldritch\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency\",\"datePublished\":\"2025-02-18T11:42:19+00:00\",\"dateModified\":\"2025-04-17T05:40:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/\"},\"wordCount\":1867,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/\",\"name\":\"Zhong Stealer: Technical Analysis of a Threat Targeting FIntech\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-02-18T11:42:19+00:00\",\"dateModified\":\"2025-04-17T05:40:56+00:00\",\"description\":\"Discover technical analysis of the Zhong stealer, a malware that targets the Fintech industry by abusing support ticket 
systems.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Mauro Eldritch\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"caption\":\"Mauro Eldritch\"},\"description\":\"Mauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina \/ Uruguay). He has spoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and Biohacking.\u00a0He currently leads Bitso\u2019s Quetzal Team, the first in Latin America dedicated to Web3 Threat Research. Follow Mauro on: X LinkedIn GitHub\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Zhong Stealer: Technical Analysis of a Threat Targeting FIntech","description":"Discover technical analysis of the Zhong stealer, a malware that targets the Fintech industry by abusing support ticket systems.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/","twitter_misc":{"Written by":"Mauro Eldritch","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/"},"author":{"name":"Mauro Eldritch","@id":"https:\/\/any.run\/"},"headline":"Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency","datePublished":"2025-02-18T11:42:19+00:00","dateModified":"2025-04-17T05:40:56+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/"},"wordCount":1867,"commentCount":2,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/","name":"Zhong Stealer: Technical Analysis of a Threat Targeting FIntech","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-02-18T11:42:19+00:00","dateModified":"2025-04-17T05:40:56+00:00","description":"Discover technical analysis of the Zhong stealer, a malware 
that targets the Fintech industry by abusing support ticket systems.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/zhong-stealer-malware-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Mauro Eldritch","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg","caption":"Mauro Eldritch"},"description":"Mauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina \/ Uruguay). He has spoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and Biohacking.\u00a0He currently leads Bitso\u2019s Quetzal Team, the first in Latin America dedicated to Web3 Threat Research. 
Follow Mauro on: X LinkedIn GitHub","url":"#molongui-disabled-link"}]}}}