The Stealthy Zardoor Backdoor Targets Saudi Islamic Charity Organizations

February 09, 2024NewsroomCyber ​​Espionage / Threat Intelligence

Hidden Zardoor Backdoor

An unnamed Islamic non-profit organization in Saudi Arabia has been targeted as part of a covert cyber espionage campaign designed to drop the previously undocumented backdoor. Zardoor.

Cisco Talos, which discovered the activity in May 2023, said the campaign had likely been ongoing since March 2021, adding that it had identified only one compromised target so far, although it suspected there were other victims.

“Throughout the campaign, the adversary used off-the-ground live binaries (LoLBins) to deploy backdoors, build command-and-control (C2), and maintain continuity,” security researchers said. Jungsoo An, Wayne Lee, and Vanja Svajcer SAYSwhich invokes the ability of the threat actor to maintain prolonged access to the victim’s environments without attracting attention.


The intrusion that targeted the Islamic charitable organization involved periodic exfiltration of data roughly twice a month. The exact initial access vector used to infiltrate the entity is currently unknown.

Hidden Zardoor Backdoor

The foothold gained, however, was used to drop Zardoor for continuity, followed by establishing connections with C2 using open-source reverse proxy tools such as Fast Reverse Proxy (FRP), Socksand POISON.

“Once a connection is established, the threat actor uses Windows Management Instrumentation (WMI) will act later and spread the attacker’s tools – including Zardoor – by spawning processes on the target system and executing commands received from C2,” the researchers said.


The unspecified infection path paves the way for a dropper component that, in turn, deploys a malicious dynamic-link library (“oci.dll”) responsible for delivering two backdoor modules, “zar32 .dll” and “zor32 .dll.”

While the former is the core element of the backdoor that facilitates C2 communications, the latter ensures that “zar32.dll” is deployed with administrator privileges. Zardoor is capable of exfiltrating data, executing remotely extracted executables and shellcode, updating the C2 IP address, and removing itself from the host.

The origin of the threat actor behind the campaign is unclear, and it does not share any tactical overlap with any known, publicly announced threat actor at this time. As such, it is estimated to be the work of an “advanced threat actor.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment