Trojan:Win32/Zloader
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This threat is a banking trojan that is designed to steal finance-related credentials, deliver other malware, and facilitate human-operated attacks.
In the malware campaigns observed during September 2021, attackers used fake ad campaigns via search engines to deliver ZLoader.
For more information and guidance from Microsoft, read the following blog:
Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
To help reduce the impact of this threat, you can:
- Immediately isolate the affected device. If ZLoader has been launched, it is likely that the device is under complete attacker control.
- Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
- Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools, such as Cobalt Strike, that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
- Contact your incident response team to start the incident response process. If you don't have one, contact Microsoft support for potential forensic analysis and remediation.
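The two investigative steps above (enumerate the accounts used on the affected device, then look for those accounts moving laterally) can be scripted against an export of Windows Security logon events. The following is an added example, not Microsoft's code or part of this page: it assumes Security events have been exported to CSV with the columns shown, that event ID 4624 marks a successful logon, and that logon types 3 (Network) and 10 (RemoteInteractive) indicate use of the account from across the network. All host names, account names, IP addresses and timestamps in the sample export are constructed.

```python
"""Triage helper for the ZLoader response steps: which accounts were used on the
affected device, and did any of them later log on to other hosts over the network?"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set

# Logon types that mean the credential was used from another machine.
NETWORK_LOGON_TYPES = {3, 10}  # 3 = Network (SMB/WinRM), 10 = RemoteInteractive (RDP)

# Constructed sample export (not real telemetry). WS-042 is the infected device;
# its address is assumed to be 10.0.5.42. Logon type "-" marks non-logon events.
SAMPLE_EXPORT = """\
time,host,event_id,account,logon_type,source_ip
2021-09-14T08:02:11Z,WS-042,4624,CORP\\jdoe,2,-
2021-09-14T09:15:40Z,WS-042,4624,CORP\\svc-backup,4,-
2021-09-14T09:31:05Z,WS-042,4688,CORP\\jdoe,-,-
2021-09-14T10:05:22Z,FS-01,4624,CORP\\jdoe,3,10.0.5.42
2021-09-14T10:07:49Z,DC-01,4624,CORP\\svc-backup,3,10.0.5.42
2021-09-14T07:30:00Z,FS-01,4624,CORP\\asmith,3,10.0.5.77
2021-09-14T10:20:13Z,WS-042,4624,CORP\\asmith,10,10.0.5.77
"""


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    host: str
    event_id: int
    account: str
    logon_type: Optional[int]
    source_ip: str


def parse_time(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z (portable to Python < 3.11)."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_export(text: str) -> List[LogonEvent]:
    """Turn the CSV export into LogonEvent records sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        logon_type = row["logon_type"]
        events.append(LogonEvent(
            time=parse_time(row["time"]),
            host=row["host"],
            event_id=int(row["event_id"]),
            account=row["account"],
            logon_type=int(logon_type) if logon_type.isdigit() else None,
            source_ip=row["source_ip"],
        ))
    return sorted(events, key=lambda e: e.time)


def accounts_on_host(events: List[LogonEvent], host: str) -> Set[str]:
    """Every account with a successful logon (4624) on the affected device.
    Per the guidance above, treat all of them as compromised."""
    return {e.account for e in events if e.host == host and e.event_id == 4624}


def lateral_movement_candidates(events: List[LogonEvent], affected_host: str,
                                since: datetime) -> List[LogonEvent]:
    """Network-style logons by compromised accounts to *other* hosts at or after
    `since` (the earliest time the infection could have been active)."""
    compromised = accounts_on_host(events, affected_host)
    return [
        e for e in events
        if e.event_id == 4624
        and e.host != affected_host
        and e.account in compromised
        and e.logon_type in NETWORK_LOGON_TYPES
        and e.time >= since
    ]


if __name__ == "__main__":
    evts = parse_export(SAMPLE_EXPORT)
    affected = "WS-042"
    print("Accounts to reset/decommission:", sorted(accounts_on_host(evts, affected)))
    for e in lateral_movement_candidates(evts, affected, parse_time("2021-09-14T09:00:00Z")):
        print(f"{e.time.isoformat()} {e.account} -> {e.host} "
              f"(type {e.logon_type}, from {e.source_ip})")
```

The `since` cutoff keeps earlier, legitimate network logons (here, `CORP\asmith` reaching FS-01 before the infection window) out of the candidate list; the `source_ip` column is carried through so a responder can confirm that a flagged logon actually originated from the affected device rather than from the account's usual workstation.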
You can also visit our advanced troubleshooting page or search the Microsoft community for more help.