ClickCease Zardoor Backdoor Alert: Threat Actors Target Islamic Charity

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Zardoor Backdoor Alert: Threat Actors Target Islamic Charity

Wajahat Raja

February 21, 2024 - TuxCare expert team

In recent cyber threat intelligence developments, an unnamed Islamic non-profit organization based in Saudi Arabia has fallen victim to a covert cyber-espionage campaign employing a previously unknown backdoor named Zardoor. Discovered by Cisco Talos in May 2023, the Zardoor backdoor attack has likely persisted since March 2021, with only one identified target so far, leaving concerns about potential undiscovered victims.


Zardoor Backdoor – Stealthy Tactics and Prolonged Access

Security researchers Jungsoo An, Wayne Lee, and Vanja Svajcer shed light on the threat actor’s tactics, emphasizing their use of living-off-the-land binaries (LoLBins) to deploy backdoors, establish
command-and-control (C2), and maintain prolonged access without raising suspicion. This raises alarms about the sophisticated nature of such targeted attacks and the threat actor’s ability to remain undetected over an extended period.

Intrusion Details of Zardoor Backdoor

The cyber intrusion on the Islamic charitable organization involved periodic data exfiltration, occurring approximately twice a month. While the exact initial access method remains unknown, the attackers strategically utilized Zardoor for persistence, employing open-source reverse proxy tools like Fast Reverse Proxy (FRP), sSocks, and Venom for establishing command-and-control connections.
Advanced Persistent Threats (APTs) pose significant challenges to cybersecurity professionals due to their stealthy and prolonged nature.

Lateral Movement and Tool Deployment

Upon establishing connections, the threat actor utilized Windows Management Instrumentation (WMI) to move laterally within the compromised environment. The researchers noted the deployment of Zardoor, along with other tools, through processes spawned on the target system, executing commands received from the C2. This method allowed the attacker to navigate through the network while avoiding
malware detection.

Infection Pathway and Backdoor Modules

The infection pathway involves a
dropper component deploying a malicious dynamic-link library (“oci.dll”), responsible for delivering two backdoor modules, namely “zar32.dll” and “zor32.dll.” The former serves as the core backdoor for command-and-control communication, while the latter ensures the deployment of “zar32.dll” with administrator privileges. Zardoor’s capabilities include data exfiltration, remote execution of fetched executables and shellcode, updating C2 IP addresses, and self-deletion from the host. 

Attribution Challenges

The origins of the threat actor remain elusive, displaying no tactical overlaps with known, publicly reported threat actors. Despite this, the campaign is assessed to be the work of an
“advanced threat actor,” emphasizing the sophistication and expertise behind the operation.

Covert Persistence Techniques

For maintaining persistence, the threat actor employed reverse proxies registered as scheduled tasks and established remote port forwarding using SSH. This ingenious approach allowed for a steady, covert connection to the compromised network, enabling data exfiltration approximately twice a month. 

The level of sophistication demonstrated in crafting new tools, adapting existing ones, and leveraging legitimate Windows binaries underscores the proficiency of the unidentified threat actor. Charity sector security is a critical concern in safeguarding sensitive data and maintaining trust with donors and beneficiaries.

The Digital Landscape Warning

As our world becomes more interconnected,
cyber espionage campaigns like Zardoor serve as a stark reminder of the hidden dangers within the digital realm. This narrative of stealth and subterfuge emphasizes the critical need for vigilance and robust cybersecurity measures in today’s rapidly evolving landscape.


The Zardoor cyber-espionage campaign targeting an Islamic charity organization highlights the evolving tactics of advanced threat actors in the digital age. It’s important for users to be cautious of downloading files from untrusted sources, as they may contain
malicious software.

As organizations strive to protect their sensitive data, understanding and adapting to these sophisticated techniques become imperative. Analyzing cyberattack trends is essential for staying ahead of evolving threats in today’s digital landscape. The tale of Zardoor serves as a call to action, urging a collective effort to strengthen cybersecurity defenses and stay one step ahead of unseen cybersecurity threats in the digital shadows.

The sources for this piece include articles in The Hacker News and BNN

Zardoor Backdoor Alert: Threat Actors Target Islamic Charity
Article Name
Zardoor Backdoor Alert: Threat Actors Target Islamic Charity
Discover how threat actors exploit the Zardoor backdoor to target an Islamic charity. Learn about the attack tactics and implications.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter