S0412: ZxShell
Analyst context for executives and security teams
ZxShell matters because it represents a Windows remote administration/backdoor capability with a long public history and ATT&CK relationships to discovery, credential collection, lateral movement, command-and-control, proxying, tool transfer, and cleanup behaviors. For leaders, the practical issue is not the malware name alone; it is whether Windows endpoint, identity, remote access, and network monitoring can prove what happened after a backdoor is present.
Executive priority
Prioritize ZxShell-related readiness where Windows systems support sensitive operations, regulated data, or remote administration pathways. The ATT&CK relationships point to business-impacting questions: can the organization detect unauthorized RDP/VNC use, credential capture attempts, registry changes, local discovery, inbound tool transfer, and web/file-transfer based command-and-control? This is useful for incident response planning, audit evidence around privileged access and endpoint monitoring, and control prioritization for remote access and Windows hardening.
Technical view
Treat ZxShell as a Windows backdoor/RAT profile with relationship-driven validation across execution, discovery, credential access, lateral movement, command-and-control, persistence/defense impairment, and stealth. ATT&CK does not provide official detection text for this software, so SOC teams should map detections to the linked techniques: Windows command shell execution, Native API behavior, DLL injection, keylogging/API hooking indicators, registry query and modification, service/process/user/system/file discovery, RDP and VNC activity, proxy behavior, web and file-transfer C2 patterns, ingress tool transfer, and file deletion. Group relationships to Axiom, Threat Group-3390, and APT41 provide threat-intelligence context, but local evidence is required before making attribution or exposure claims.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and discovery utilities
- Windows registry access and modification events
- EDR telemetry for DLL injection, suspicious API usage, credential API hooking, and keylogging-like behavior
- Windows service, process, user, system, file, and directory enumeration events
- Authentication and remote access logs for RDP and VNC sessions
Detection direction
- Because ATT&CK provides no official detection guidance for ZxShell, build coverage from the related techniques rather than relying on a malware-specific signature alone.
- Validate that Windows endpoint detections correlate discovery sequences, registry activity, command-shell execution, and network connections from the same host or user context.
- Tune remote access monitoring for unusual RDP or VNC use, especially new source/destination pairs, atypical times, or sessions inconsistent with normal administration.
- Review C2-oriented detections for web and file-transfer protocols, but account for high false-positive potential because these protocols are common in enterprise environments.
- Look for proxy or relay behavior that may hide direct infrastructure connections, including unexpected internal-to-external forwarding patterns.
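As an added example (not part of the mirrored ATT&CK object or Glexia's analysis), the following Python sketches the host-level correlation the bullets above describe: it matches constructed Sysmon-style events against the page's ZxShell-related techniques (rundll32 DLL execution, discovery utilities, service Registry entries, the svchost netsvcs group, HTTP/S on ports 1985/1986) and flags a host only when several distinct techniques co-occur within a time window. Field names, host names, paths and the sample values are assumptions.

```python
"""Correlate ZxShell-related endpoint behaviors per host (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule maps an ATT&CK technique from this page to a predicate over one event dict.
# Event schema (assumed, not a product format): host, ts, type, plus type-specific fields.
RULES = {
    "T1218.011": lambda e: e["type"] == "process" and e["image"].lower().endswith("rundll32.exe") and ".dll" in e["cmd"].lower(),
    "T1059.003": lambda e: e["type"] == "process" and e["image"].lower().endswith("cmd.exe"),
    "T1057/T1007": lambda e: e["type"] == "process" and bool(re.search(r"\b(tasklist|sc query|net start)\b", e["cmd"], re.I)),
    "T1543.003": lambda e: e["type"] == "registry" and bool(re.match(r"HKLM\\SYSTEM\\CurrentControlSet\\Services\\", e["key"], re.I)),
    "T1012": lambda e: e["type"] == "registry" and e["key"].lower().endswith(r"\svchost") and "netsvcs" in e.get("value", "").lower(),
    "T1571": lambda e: e["type"] == "network" and e["dst_port"] in (1985, 1986),  # ports named on this page
}

# Constructed sample telemetry: ws-01 shows a ZxShell-like sequence, ws-02 is routine admin use.
EVENTS = [
    {"host": "ws-01", "ts": "2024-05-01T09:00:00", "type": "process", "image": r"C:\Windows\System32\rundll32.exe", "cmd": r"rundll32.exe C:\ProgramData\zx.dll,Install"},
    {"host": "ws-01", "ts": "2024-05-01T09:01:10", "type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\zxsvc\ImagePath", "value": r"%SystemRoot%\System32\svchost.exe -k netsvcs"},
    {"host": "ws-01", "ts": "2024-05-01T09:01:12", "type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost", "value": "netsvcs"},
    {"host": "ws-01", "ts": "2024-05-01T09:03:00", "type": "network", "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "203.0.113.10", "dst_port": 1985},
    {"host": "ws-02", "ts": "2024-05-01T10:00:00", "type": "process", "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c tasklist"},
]


def correlate(events, window=timedelta(minutes=30), min_techniques=3):
    """Return {host: sorted techniques} for hosts where at least `min_techniques`
    distinct techniques fire within `window` of each other. A single hit (e.g. an
    admin running tasklist) is deliberately not enough to alert."""
    by_host = defaultdict(list)
    for e in events:
        for tech, pred in RULES.items():
            if pred(e):
                by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), tech))
    hits = {}
    for host, seen in by_host.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):  # slide the window from each hit
            techs = {tech for t, tech in seen[i:] if t - t0 <= window}
            if len(techs) >= min_techniques:
                hits[host] = sorted(techs)
                break
    return hits


if __name__ == "__main__":
    for host, techs in correlate(EVENTS).items():
        print(f"{host}: correlated techniques {techs}")
```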
Mitigation priorities
- Start with remote access governance: restrict and monitor RDP and VNC, require strong authentication, and ensure administrative access is limited and reviewable.
- Harden Windows endpoints against persistence and defense impairment by controlling registry modification paths, privileged execution, and unauthorized administrative tooling.
- Ensure endpoint protection and EDR policies are configured to observe injection, credential capture, suspicious command execution, and file deletion behaviors.
- Strengthen egress controls and logging for web, proxy, and file-transfer protocols so command-and-control and tool transfer activity has reviewable evidence.
- Maintain incident response procedures for Windows backdoor cases, including host isolation, credential reset decisions, registry and filesystem review, and scoping of lateral movement.
Analyst notes and limits
Official ATT&CK identifies ZxShell as a remote administration tool and backdoor downloadable from the Internet, particularly from Chinese hacker websites, and states it has been used since at least 2004. ATT&CK relationships associate it with Axiom, Threat Group-3390, and APT41, and with numerous techniques spanning discovery, execution, credential access, lateral movement, command-and-control, persistence/defense impairment, stealth, and collection. The object platform is Windows; some related technique platform lists are broader because they describe the general ATT&CK technique, not necessarily this malware instance.
No official ATT&CK detection text, aliases, labels, or malware-level tactics are supplied. The summary is based only on the provided STIX fields, external references, and relationships. It does not assert current exploitation, customer exposure, guaranteed detection, or attribution. Local telemetry, binaries, network indicators, and case evidence are required for operational conclusions.
ZxShell
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1021.005 | VNC Sub-technique | ZxShell supports functionality for VNC sessions. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1082 | System Information Discovery | ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1090 | Proxy | ZxShell can set up an HTTP or SOCKS proxy. (Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | ZxShell has used HTTP for C2 connections. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1571 | Non-Standard Port | ZxShell can use ports 1985 and 1986 in HTTP/S communication. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1056.004 | Credential API Hooking Sub-technique | ZxShell hooks several API functions to spawn system threads. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1083 | File and Directory Discovery | ZxShell has a command to open a file manager and explorer on the system. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1113 | Screen Capture | ZxShell can capture screenshots. (Citation: FireEye APT41 Aug 2019) |
| Enterprise | T1012 | Query Registry | ZxShell can query the netsvc group value data located in the svchost group Registry key. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1005 | Data from Local System | ZxShell can transfer files from a compromised host. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1033 | System Owner/User Discovery | ZxShell can collect the owner and organization information from the target workstation. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1190 | Exploit Public-Facing Application | ZxShell has been dropped through exploitation of CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1057 | Process Discovery | ZxShell has a command, ps, to obtain a listing of processes on the system. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1046 | Network Service Discovery | ZxShell can launch port scans. (Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1112 | Modify Registry | ZxShell can create Registry entries to enable services to run. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1070.004 | File Deletion Sub-technique | ZxShell can delete files from the system. (Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1543.003 | Windows Service Sub-technique | ZxShell can create a new service using the service parser function ProcessScCommand. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1685 | Disable or Modify Tools | ZxShell can kill AV products' processes. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1071.002 | File Transfer Protocols Sub-technique | ZxShell has used FTP for C2 connections. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | ZxShell is injected into a shared SVCHOST process. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | ZxShell can launch a reverse command shell. (Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014)(Citation: Secureworks BRONZE UNION Feb 2019) |
| Enterprise | T1686 | Disable or Modify System Firewall | ZxShell can disable the firewall by modifying the registry key |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | ZxShell has remote desktop functionality. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1134.002 | Create Process with Token Sub-technique | ZxShell has a command called RunAs, which creates a new process as another user or process context. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1125 | Video Capture | ZxShell has a command to perform video device spying. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | ZxShell has used rundll32.exe to execute other DLLs and named pipes. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1136.001 | Local Account Sub-technique | ZxShell has a feature to create local user accounts. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1499 | Endpoint Denial of Service | ZxShell has a feature to perform a SYN flood attack on a host. (Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1106 | Native API | ZxShell can leverage native API including |
| Enterprise | T1569.002 | Service Execution Sub-technique | ZxShell can create a new service for execution. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | ZxShell has a command to clear system event logs. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1056.001 | Keylogging Sub-technique | ZxShell has a feature to capture a remote computer's keystrokes using a keylogger. (Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1007 | System Service Discovery | ZxShell can check the services on the system. (Citation: Talos ZxShell Oct 2014) |
| Enterprise | T1105 | Ingress Tool Transfer | ZxShell has a command to transfer files from a remote host. (Citation: Talos ZxShell Oct 2014) |
Groups, software, and campaigns
G0001: Axiom
Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group, but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[1][2][3]
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail, and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing, and gambling/betting sectors.[2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | a37cc1a95112… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT41 Aug 2019: Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- [2] Talos ZxShell Oct 2014: Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
- [3] Sensocode (alias reference; cites Talos ZxShell Oct 2014)
- [4] ZxShell (alias reference; cites FireEye APT41 Aug 2019 and Talos ZxShell Oct 2014)
- [5] mitre-attack S0412 (source object reference)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.