S0230: ZeroT
Analyst context for executives and security teams
ZeroT matters because ATT&CK describes it as a Windows Trojan associated with TA459 and often used with PlugX. Even without an official ATT&CK detection note, its mapped behaviors point to a practical defense problem: a Windows endpoint may show a mix of stealthy file obfuscation, discovery activity, web-based or encrypted command-and-control, tool transfer, service-based persistence, UAC bypass attempts, and DLL abuse. For leaders, the value is not only identifying “ZeroT,” but validating whether Windows endpoint, network, and incident response evidence would let the organization recognize and contain this behavior chain.
Executive priority
Treat ZeroT as a coverage-validation use case for Windows malware resilience rather than as a standalone signature problem. Security leaders should ask whether SOC and IR teams can correlate endpoint persistence, privilege escalation, discovery, inbound tool transfer, and suspicious web C2 activity into one investigation narrative. This supports business continuity and audit readiness by showing whether logging, EDR retention, network visibility, and Windows hardening controls can produce defensible evidence when malware uses obfuscation and common web protocols to blend in.
Technical view
ATT&CK lists ZeroT as Windows malware and maps it to techniques including Steganography, System Network Configuration Discovery, Software Packing, Encrypted/Encoded File, Junk Code Insertion, Web Protocols, System Information Discovery, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, Windows Service, Bypass User Account Control, Symmetric Cryptography, and DLL abuse. SOC teams should validate detections around Windows service creation or modification, unexpected DLL loading patterns, suspicious privilege elevation behavior, host/network discovery commands or API activity, downloaded tools or payloads, and outbound web traffic with unusual destinations, content patterns, or encrypted application behavior. Because the official object has no detection guidance, local baselining and relationship-driven ATT&CK technique coverage are essential.
Likely telemetry
- Windows endpoint process creation and parent/child process relationships
- Windows service creation, modification, start, and registry-backed service configuration evidence
- DLL load and image/module telemetry from EDR or equivalent endpoint tooling
- User Account Control elevation and high-integrity process activity where available
- File creation, modification, unpacking/deobfuscation, encoded/encrypted artifact, and suspicious executable metadata evidence
Detection direction
- Do not rely only on static malware signatures; ATT&CK relationships indicate obfuscation through packing, encoding/encryption, junk code, and deobfuscation behavior.
- Correlate Windows persistence and privilege signals, especially new or modified services, UAC bypass-like elevation patterns, and DLL abuse, with discovery and outbound network activity.
- Tune web C2 analytics carefully because HTTP/S traffic is common; prioritize rare destinations, abnormal user-agent or request patterns, suspicious beacon-like behavior, and endpoint context rather than protocol use alone.
- Validate that discovery activity on Windows hosts is not dismissed as routine administration without checking account, host role, timing, and subsequent network or file-transfer behavior.
- Use the TA459 and PlugX relationship context as threat-intelligence enrichment only; do not treat it as attribution without additional incident evidence.
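The correlation these detection points describe, as an added example that is not part of the original page or of ATT&CK: a small Python analytic over constructed, Sysmon-like endpoint events (the field names, paths, trusted-directory baseline and egress allowlist are all assumptions) that tags each event with the techniques this page maps to ZeroT and alerts only when a persistence, privilege or DLL-abuse signal co-occurs with discovery and outbound web traffic on the same host.

```python
import ntpath
from collections import defaultdict

# Constructed sample events (not from the page or any real incident); field names are assumptions.
EVENTS = [
    {"host": "WS01", "ts": 1, "type": "service_install", "image": r"C:\ProgramData\upd\svc.exe"},
    {"host": "WS01", "ts": 2, "type": "process_create", "parent": "eventvwr.exe", "image": r"C:\ProgramData\upd\svc.exe"},
    {"host": "WS01", "ts": 3, "type": "image_load", "image": r"C:\ProgramData\upd\viewer.exe", "dll": r"C:\ProgramData\upd\helper.dll"},
    {"host": "WS01", "ts": 4, "type": "process_create", "parent": "svc.exe", "image": r"C:\Windows\System32\ipconfig.exe"},
    {"host": "WS01", "ts": 5, "type": "network", "image": r"C:\ProgramData\upd\svc.exe", "dest": "203.0.113.10", "port": 80},
    {"host": "WS02", "ts": 1, "type": "process_create", "parent": "explorer.exe", "image": r"C:\Windows\System32\ipconfig.exe"},
]
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")  # assumed local baseline
DISCOVERY_BINS = {"ipconfig.exe", "systeminfo.exe", "hostname.exe", "whoami.exe"}
KNOWN_GOOD_DEST = {"198.51.100.5"}                     # constructed egress allowlist

def _trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)

def classify(ev):
    """Tag one event with the ATT&CK behaviors this page maps to ZeroT."""
    tags, kind, image = set(), ev["type"], ev.get("image", "")
    base = ntpath.basename(image).lower()
    if kind == "service_install" and not _trusted(image):
        tags.add("persistence:T1543.003")        # service backed by a binary outside the baseline dirs
    if kind == "process_create" and ev.get("parent", "").lower() == "eventvwr.exe" and base != "mmc.exe":
        tags.add("privilege:T1548.002")          # eventvwr.exe normally spawns only mmc.exe
    if kind == "process_create" and base in DISCOVERY_BINS:
        tags.add("discovery:T1016/T1082")
    if kind == "image_load" and not _trusted(ev["dll"]) \
            and ntpath.dirname(ev["dll"]).lower() == ntpath.dirname(image).lower():
        tags.add("dll-abuse:T1574.001")          # DLL loaded from the executable's own user-writable dir
    if kind == "network" and ev.get("port") in (80, 443) and ev.get("dest") not in KNOWN_GOOD_DEST:
        tags.add("web-c2:T1071.001")             # HTTP/S alone is noise; the rare destination is the signal
    return tags

def correlate(events):
    """Group tagged events per host; alert only when the chain co-occurs, never on a single tag."""
    per_host = defaultdict(lambda: {"tags": set(), "narrative": [], "alert": False})
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        tags = classify(ev)
        if tags:
            rec = per_host[ev["host"]]
            rec["tags"] |= tags
            rec["narrative"].append(f"t={ev['ts']} {ev['type']}: {', '.join(sorted(tags))}")
    for rec in per_host.values():
        cats = {t.split(":")[0] for t in rec["tags"]}
        rec["alert"] = bool(cats & {"persistence", "privilege", "dll-abuse"}) and {"discovery", "web-c2"} <= cats
    return dict(per_host)
```

WS02 runs the same discovery command from explorer.exe but produces no alert, which is the point of correlating rather than alerting on discovery alone.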
Mitigation priorities
- Prioritize Windows hardening around service creation/modification permissions, least privilege, and administrative control paths relevant to UAC elevation risk.
- Maintain endpoint controls that can inspect or record suspicious executable behavior even when files are packed, encoded, or otherwise obfuscated.
- Strengthen egress monitoring and proxy/DNS visibility for web-protocol C2 investigation, with retention sufficient for incident reconstruction.
- Control and monitor inbound tool transfer paths, including downloads from external systems and unexpected executable staging on endpoints.
- Ensure IR playbooks connect host persistence, privilege escalation, discovery, file-transfer, and network C2 evidence into one containment workflow instead of treating them as isolated alerts.
Analyst notes and limits
The most useful defensive reading of this object comes from its ATT&CK relationships. ZeroT is described as a Trojan used by TA459 and often in conjunction with PlugX, with Windows as the supplied platform. The object itself does not specify tactics, but related techniques cover command-and-control, discovery, stealth, persistence, privilege escalation, and execution. This makes it a good test case for ATT&CK-based detection engineering and incident response evidence mapping.
Official ATT&CK detection text is not provided for ZeroT, and the supplied object does not include aliases, labels, hashes, infrastructure, campaigns, or active exploitation claims. The related technique descriptions include platforms beyond Windows, but the supplied ZeroT platform is Windows; local validation should focus on Windows unless separate evidence supports additional scope. Any attribution to TA459 or linkage to PlugX should be treated as contextual intelligence, not proof in a specific incident.
ZeroT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ZeroT shellcode decrypts and decompresses its RC4-encrypted payload. (Citation: Proofpoint ZeroT Feb 2017) |
| Enterprise | T1548.002 | Bypass User Account Control | Many ZeroT samples can perform UAC bypass by using eventvwr.exe to execute a malicious file. (Citation: Proofpoint ZeroT Feb 2017) |
| Enterprise | T1543.003 | Windows Service | |
| Enterprise | T1027.016 | Junk Code Insertion | ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions. (Citation: Proofpoint ZeroT Feb 2017) |
| Enterprise | T1574.001 | DLL | ZeroT has used DLL side-loading to load malicious payloads. (Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017) |
| Enterprise | T1016 | System Network Configuration Discovery | ZeroT gathers the victim's IP address and domain information, and then sends it to its C2 server. (Citation: Proofpoint ZeroT Feb 2017) |
| Enterprise | T1082 | System Information Discovery | ZeroT gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server. (Citation: Proofpoint ZeroT Feb 2017) |
| Enterprise | T1001.002 | Steganography | ZeroT has retrieved stage 2 payloads as Bitmap images that use Least Significant Bit (LSB) steganography. (Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017) |
| Enterprise | T1071.001 | Web Protocols | ZeroT has used HTTP for C2. (Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017) |
| Enterprise | T1027.002 | Software Packing | Some ZeroT DLL files have been packed with UPX. (Citation: Proofpoint ZeroT Feb 2017) |
| Enterprise | T1105 | Ingress Tool Transfer | ZeroT can download additional payloads onto the victim. (Citation: Proofpoint ZeroT Feb 2017) |
| Enterprise | T1573.001 | Symmetric Cryptography | ZeroT has used RC4 to encrypt C2 traffic. (Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017) |
| Enterprise | T1027.013 | Encrypted/Encoded File | ZeroT has encrypted its payload with RC4. (Citation: Proofpoint ZeroT Feb 2017) |
Groups, software, and campaigns
G0062: TA459
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | b5989ee718a5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Proofpoint TA459 April 2017: Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
[2] Proofpoint ZeroT Feb 2017: Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
[3] ZeroT (Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017)
[4] mitre-attack S0230
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.