ZLoader is being delivered through malvertising campaigns, leveraging compromised websites to distribute malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromises early in the attack lifecycle.
KQL Query

```kql
DeviceNetworkEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
    and InitiatingProcessCommandLine has 'Invoke-WebRequest'
    and InitiatingProcessCommandLine endswith '-OutFile tim.EXE'
```
```yaml
id: 8d2ad279-7111-49d9-af9a-815ecb9ee4a4
name: Payload Delivery
description: |
  ZLoader was delivered in a campaign in summer 2021 via malvertising. This campaign was tweeted about by @MsftSecIntel on Twitter.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Execution
query: |
  DeviceNetworkEvents
  | where InitiatingProcessFileName =~ 'powershell.exe'
      and InitiatingProcessCommandLine has 'Invoke-WebRequest'
      and InitiatingProcessCommandLine endswith '-OutFile tim.EXE'
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job Using ZLoader Binary
Description: A system administrator schedules a legitimate maintenance task that uses a binary named zloader.exe for log parsing or system cleanup.
Filter/Exclusion: Exclude processes where the binary path contains C:\Windows\System32\ or where the parent process is schtasks.exe or task scheduler.
Scenario: Security Tool or EDR Agent Using ZLoader Signature
Description: A security tool or endpoint detection and response (EDR) agent uses a signature named ZLoader for threat detection, triggering the rule due to the name match.
Filter/Exclusion: Exclude processes where the parent process is a known security tool (e.g., Microsoft Defender, Windows Defender, Microsoft Monitoring Agent).
Scenario: Admin Task to Decompress Encrypted Files
Description: An administrator uses a script or tool like 7-Zip or WinRAR to decompress encrypted files that happen to have a filename or content matching ZLoader's signature.
Filter/Exclusion: Exclude processes where the command line includes 7z, WinRAR, or unzip, or where the file extension is .zip, .rar, or .7z.
Scenario: Legitimate Software Update with Similar Name
Description: A legitimate software update or patch (e.g., from a vendor like Symantec or McAfee) has a filename similar to ZLoader, causing a false positive.
Filter/Exclusion: Exclude processes where the file path contains known vendor directories (e.g., C:\Program Files\Symantec\, C:\Program Files\McAfee\).
Scenario: Malvertising Campaign Mimicking Legitimate Ad Server
Description: A legitimate ad server or marketing tool (e