The malware evolved to steal the targeted victim's information residing in the compromised network, and it has the potential to leverage a couple of exploits. Researchers believe the malware focuses only on the Chinese government community, but it remains unclear why the threat actors targeted government agencies alone. Most of the exploits have often been used by Italian offensive security companies that supplied hacking tools to law enforcement and government agencies.

Zegost was first exposed in 2011; since then, the attackers have updated it with various new functionalities and added new persistence capabilities and exploits to maintain access. The attackers behind Zegost use a weaponized Microsoft PowerPoint document and infect victims once they open the malicious file.

Researchers also discovered that one of these updates involves the use of COM programming. Like most of the other uncommon techniques it uses, COM usage in malware is not typically seen.

Zegost Malware Infection Process

Initially, the attackers target victims through spear-phishing emails carrying a malicious file as an attachment and trick the victims into opening it.

Zegost includes several functions designed to clear the Application, Security, and System event logs after infection, so that it flies under the radar and evades detection.
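As an added example (not code from the original article or from Fortinet's analysis), the following detection runs over constructed forwarded-event-log records in JSON-lines form and flags a host on which the Application, Security and System logs were all cleared within a short window, the post-infection behaviour described above. The 1102 and 104 event IDs are the standard Windows log-cleared events; the record format and the five-minute window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), shaped like forwarded
# Windows event-log entries. Clearing the Security log produces Security
# event 1102; clearing any other log produces System event 104, whose
# message names the cleared log ("The <Name> log file was cleared").
SAMPLE_EVENTS = """
{"host":"ws01","time":"2019-08-01T09:15:02","channel":"Security","id":4624,"msg":"An account was successfully logged on"}
{"host":"ws01","time":"2019-08-01T09:15:40","channel":"Security","id":1102,"msg":"The audit log was cleared"}
{"host":"ws01","time":"2019-08-01T09:15:41","channel":"System","id":104,"msg":"The Application log file was cleared"}
{"host":"ws01","time":"2019-08-01T09:15:41","channel":"System","id":104,"msg":"The System log file was cleared"}
{"host":"ws02","time":"2019-08-01T11:00:00","channel":"System","id":104,"msg":"The Application log file was cleared"}
"""

WINDOW = timedelta(minutes=5)  # assumed correlation window

def cleared_log(ev):
    """Return the name of the log an event reports as cleared, or None."""
    if ev["channel"] == "Security" and ev["id"] == 1102:
        return "Security"
    if ev["channel"] == "System" and ev["id"] == 104:
        parts = ev["msg"].split()
        if len(parts) >= 2 and parts[0] == "The":
            return parts[1]
    return None

def find_mass_log_clearing(jsonl, window=WINDOW):
    """Map host -> sorted cleared-log names for hosts where Application,
    Security and System were all cleared within `window` of each other."""
    events = [json.loads(l) for l in jsonl.strip().splitlines() if l.strip()]
    events.sort(key=lambda e: e["time"])  # ISO timestamps sort lexically
    per_host = {}
    for ev in events:
        name = cleared_log(ev)
        if name:
            per_host.setdefault(ev["host"], []).append(
                (datetime.fromisoformat(ev["time"]), name))
    hits = {}
    for host, clears in per_host.items():
        for i, (t0, _) in enumerate(clears):
            names = {n for t, n in clears[i:] if t - t0 <= window}
            if {"Application", "Security", "System"} <= names:
                hits[host] = sorted(names)
                break
    return hits

if __name__ == "__main__":
    print(find_mass_log_clearing(SAMPLE_EVENTS))
```

A single cleared log (host ws02 in the sample) is left unflagged, since routine administration also produces isolated 104 events.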

The main purpose of Zegost is to steal and exfiltrate data. Here is a list of its data collection methods and functions.

It starts by identifying the targeted machine's OS version number and the number and speed of its processors.

It then checks whether any of the following processes are running and sends the list out to the C2 server:


360tray.exe, 360sd.exe, avp.exe, KvMonXP.exe, RavMonD.exe, Mcshield.exe, egui.exe, NOD32, kxetray.exe, avcenter.exe, ashDisp.exe, rtvscan.exe, ksafe.exe, QQPCRTP.exe, K7TSecurity.exe, QQ.exe, QQ, knsdtray.exe, TMBMSRV.exe, Miner.exe, AYAgent.exe, patray.exe, V3Svc.exe, QUHLPSVC.EXE, QUICK HEAL, mssecess.exe, S.exe, 1433.exe, DUB.exe, ServUDaemon.exe, BaiduSdSvc.exe, vmtoolsd.exe, usysdiag.exe

Connection State – Zegost checks which of the following connections are active and then sends the list out to the C2 server:


RDP port number – Zegost collects this information and then sends it out to the C2 server

QQ login number – Zegost collects this information and then sends it out to the C2 server

Keystroke Recorder: This variant records keystrokes, saves a log of them to %CSIDL_SYSTEM%MODIf.Html in the following (translated) format, and then sends that data out to the C2 server:

[Title:] window title

[Time:] year-month-date hour:min:sec

[Content:] pressed keys, including special keys such as SHIFT, INSERT, the F1-F12 keys, etc.

All of the information collected above is sent to the following C2 servers:



According to Fortinet's analysis, “Our observations for this current campaign, however, reveal that multiple subdomains that act as the command and control are based on Dynamic DNS domains (DDNS), and are coming from different locations beyond China, including Singapore, Taiwan, and also the U.S.”
