S0086: ZLib
ZLib is a full-featured backdoor that was used as a second-stage implant during Operation Dust Storm since at least 2014. ZLib is malware and should not be confused with the legitimate compression library from which its name is derived.[1]
Analyst context for executives and security teams
ZLib matters because it is described by ATT&CK as a full-featured Windows backdoor used as a second-stage implant in Operation Dust Storm. For leaders, the practical issue is not the name itself—especially because it can be confused with a legitimate compression library—but the post-compromise capability set: discovery, command execution, persistence through Windows services, screen capture, tool transfer, compression/archiving, and exfiltration over command-and-control. This makes it relevant to incident response readiness and to validating whether Windows endpoint, service, process, file, and network telemetry can reconstruct activity after an intrusion.
Executive priority
Treat this as a post-compromise resilience and evidence-readiness concern. The ATT&CK relationships show behaviors that can support reconnaissance, persistence, collection, and exfiltration, so executives and risk owners should ask whether the organization can quickly answer: which Windows systems ran unusual command shells or services, what data may have been collected or archived, whether external web-based C2-like traffic occurred, and whether screenshots or files were transferred. Because ATT&CK provides no official detection text for ZLib, priority should be on validating coverage for the related techniques rather than assuming malware-name-based detection is sufficient.
Technical view
ZLib is a Windows malware object with no ATT&CK-provided detection guidance. SOC and IR teams should validate detection and investigation workflows around the mapped behaviors: Windows Command Shell execution, Windows service creation or modification, system/service/file discovery, ingress tool transfer, screen capture, archive via library, web-protocol command-and-control, and exfiltration over C2. Practical validation should focus on correlating endpoint process lineage, service-control activity, file creation/modification, archive/compression behavior, and outbound web traffic from compromised hosts. The relationship to Operation Dust Storm provides campaign context, but local triage should remain behavior-led unless environment-specific indicators are available.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and child process activity
- Windows service creation, modification, startup configuration, and related Registry/service-control events
- Host discovery commands and outputs related to system information, services, files, and directories
- File system telemetry for newly introduced tools, staged files, archives, and unusual compression activity
- Network telemetry for outbound HTTP/S or other web-protocol communications from endpoints
Detection direction
- Do not rely only on the malware name “ZLib,” since the ATT&CK description warns it should not be confused with the legitimate compression library.
- Build detection logic around mapped behaviors: suspicious Windows service persistence, command shell execution, discovery activity, file/archive staging, inbound tool transfer, and outbound web-protocol communications.
- Correlate host and network evidence: command execution followed by discovery, staging/compression, and outbound traffic is more meaningful than any single event alone.
- Tune for administrative false positives, especially service management, command shell use, compression libraries, and web traffic that may be normal in IT operations.
- Validate whether endpoint and network logging can preserve enough detail for investigation when ATT&CK provides no object-specific detection text.
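As an added example (not code from the page, Glexia or ATT&CK), the correlation the points above describe, run over constructed Sysmon-style events: hosts are flagged only when several mapped behaviors occur and outbound web traffic follows shell or discovery activity. The event layout, behavior labels and the three-behavior threshold are assumptions for illustration.

```python
# Added example: correlate constructed Sysmon-style events into the ZLib chain.
# Field layout, behavior labels and the threshold are assumptions, not ATT&CK values.
from collections import defaultdict

DISCOVERY_CMDS = {"systeminfo", "dir", "tasklist", "sc", "net", "ipconfig"}

# Constructed sample events (not real telemetry), in chronological order:
# WS01 shows the full chain, WS02 shows ordinary admin activity that should not alert.
EVENTS = [
    ("WS01", "process",  r"C:\Windows\System32\cmd.exe /c systeminfo"),
    ("WS01", "process",  r"C:\Windows\System32\cmd.exe /c sc query"),
    ("WS01", "registry", r"HKLM\SYSTEM\CurrentControlSet\Services\RtkAudioSvc\ImagePath"),
    ("WS01", "file",     r"C:\Users\Public\report.zip"),
    ("WS01", "network",  "http://198.51.100.23/upload"),
    ("WS02", "process",  r"C:\Windows\System32\cmd.exe /c dir C:\share"),
    ("WS02", "network",  "https://intranet.example/portal"),
]

def classify(event_type, detail):
    """Map one event onto an ATT&CK behavior from the ZLib page, or None."""
    d = detail.lower()
    if event_type == "process" and "cmd.exe" in d:
        if DISCOVERY_CMDS & set(d.split()):
            return "discovery"            # T1082 / T1007 / T1083
        return "command_shell"            # T1059.003
    if event_type == "registry" and "\\services\\" in d:
        return "service_persistence"      # T1543.003 (service Registry keys)
    if event_type == "file" and d.endswith((".zip", ".rar", ".7z", ".gz")):
        return "archive_staging"          # T1560 (compressed data staging)
    if event_type == "network" and d.startswith(("http://", "https://")):
        return "web_c2"                   # T1071.001 / T1041
    return None

def correlate(events, min_behaviors=3):
    """Flag hosts with >= min_behaviors distinct behaviors where outbound web
    traffic follows shell/discovery activity; a single event never alerts."""
    first = defaultdict(dict)             # host -> {behavior: first index}
    for idx, (host, etype, detail) in enumerate(events):
        label = classify(etype, detail)
        if label is not None and label not in first[host]:
            first[host][label] = idx
    flagged = {}
    for host, seen in first.items():
        exec_idx = min((seen[b] for b in ("command_shell", "discovery")
                        if b in seen), default=None)
        c2_idx = seen.get("web_c2")
        if (len(seen) >= min_behaviors and exec_idx is not None
                and c2_idx is not None and c2_idx > exec_idx):
            flagged[host] = sorted(seen)
    return flagged
```

WS02's lone `dir` plus intranet browsing stays below the threshold, which is the false-positive tuning the list above asks for.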
Mitigation priorities
- Prioritize Windows endpoint visibility and retention for process, service, file, and network activity so IR teams can reconstruct second-stage backdoor behavior.
- Harden and monitor Windows service creation/modification paths, including restricting who can install or alter services.
- Apply least privilege and administrative control review to reduce the ability of malware to persist, discover broadly, or execute commands with elevated rights.
- Strengthen egress monitoring and filtering for unusual endpoint web-protocol traffic, while ensuring proxy/DNS/firewall logs are available for investigation.
- Validate controls for data staging and exfiltration scenarios, including detection of unusual archive creation and outbound transfer patterns.
Analyst notes and limits
ATT&CK identifies ZLib as a full-featured backdoor and second-stage implant associated through relationship context with Operation Dust Storm. The most useful defensive value comes from the related ATT&CK techniques rather than from object-specific detection text, which is not provided. The malware platform is supplied as Windows; several related techniques list broader platforms, but this analysis applies them only as behavior context for the ZLib relationship.
The supplied ATT&CK object does not include official detection guidance, aliases, labels, tactics for the malware object, indicators, hashes, command examples, infrastructure, or current exploitation claims. Any assessment of exposure, detection coverage, or incident relevance requires local telemetry, environment baselines, and organization-specific threat intelligence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | ZLib has the ability to download files.[1] |
| Enterprise | T1082 | System Information Discovery | ZLib has the ability to enumerate system information.[1] |
| Enterprise | T1560.002 | Archive via Library | The ZLib backdoor compresses communications using the standard Zlib compression library.[1] |
| Enterprise | T1543.003 | Windows Service | ZLib creates Registry keys to allow itself to run as various services.[1] |
| Enterprise | T1083 | File and Directory Discovery | ZLib has the ability to enumerate files and drives.[1] |
| Enterprise | T1113 | Screen Capture | ZLib has the ability to obtain screenshots of the compromised system.[1] |
| Enterprise | T1059.003 | Windows Command Shell | ZLib has the ability to execute shell commands.[1] |
| Enterprise | T1007 | System Service Discovery | ZLib has the ability to discover and manipulate Windows services.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | ZLib has sent data and files from a compromised host to its C2 servers.[1] |
| Enterprise | T1071.001 | Web Protocols | ZLib communicates over HTTP for C2.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.[1] |
Groups, software, and campaigns
C0016: Operation Dust Storm
Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.[1]
Operation Dust Storm threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | d67b412c118d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cylance Dust Storm: Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- [2] mitre-attack: S0086.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.