Threat hunters have identified a new campaign that delivers the ZLoader malware, resurfacing nearly two years after the botnet’s infrastructure was dismantled in April 2022.

A new variant of the malware is said to have been in development since September 2023, Zscaler ThreatLabz said in an analysis published this month.

“The new version of ZLoader made significant changes to the loader module, which added RSA encryption, updated the domain generation algorithm, and is now compiled for 64-bit Windows operating systems for the first time,” researchers Santiago Vicente and Ismael Garcia Perez said.

ZLoader, also known by the names Terdot, DELoader, or Silent Night, is an offshoot of the Zeus banking trojan that first surfaced in 2015, before pivoting to functioning as a loader for next-stage payloads, including ransomware.

Typically distributed via phishing emails and malicious search engine ads, ZLoader suffered a huge blow after a group of companies led by Microsoft’s Digital Crimes Unit (DCU) seized control of 65 domains that were used to control and communicate with the infected hosts.

The latest versions of the malware, tracked as 2.1.6.0 and 2.1.7.0, incorporate junk code and string obfuscation to resist analysis efforts. Each ZLoader artifact is also expected to have a specific filename for it to be executed on the compromised host.

“This could evade malware sandboxes that rename sample files,” the researchers noted.

In addition to encrypting the static configuration using RC4 with a hard-coded alphanumeric key to conceal information related to the campaign name and the command-and-control (C2) servers, the malware has been observed relying on an updated version of the domain generation algorithm as a fallback measure in the event the primary C2 servers are inaccessible.

The backup communications method was first discovered in ZLoader version 1.1.22.0, which was propagated as part of phishing campaigns detected in March 2020.

“Zloader was a significant threat for many years and its comeback will likely result in new ransomware attacks,” the researchers said. “The operational takedown temporarily stopped the activity, but not the threat group behind it.”

The development comes as Red Canary warned of an increase in the volume of campaigns leveraging MSIX files to deliver malware such as NetSupport RAT, ZLoader, and FakeBat (aka EugenLoader), since July 2023, prompting Microsoft to disable the protocol handler by default in late December 2023.

It also follows the emergence of new stealer malware families such as Rage Stealer and Monster Stealer that are being used as an initial access pathway for information theft and as a launching pad for more severe cyber attacks.