
CXO Monthly Roundup, May 2025: StealC V2, TransferLoader, and DanaBot disruption
Jun 3, 2025
Highlights from the Zscaler ThreatLabz team's May 2025 research.
The CXO Monthly Roundup provides the latest threat research from the ThreatLabz team, along with insights on other cyber-related subjects that matter to technology executives. In May, the team published a technical analysis of StealC V2, TransferLoader, and DanaBot, which contributed to law enforcement’s ongoing efforts during Operation Endgame, leading to the disruption of DanaBot's infrastructure. Additionally, ThreatLabz uncovered a new variant of Rhadamanthys malware being distributed via CoffeeLoader.
I StealC You: Tracking the Rapid Changes To StealC
StealC, an information stealer and malware downloader first introduced in January 2023, received a significant overhaul with the release of StealC V2 in March 2025. Zscaler ThreatLabz published a technical analysis that highlights the malware’s latest updates, which include enhanced communication protocols and support for additional payload formats.
One of StealC V2’s key enhancements is its streamlined command-and-control (C2) communication, which uses a JSON-based network protocol. This protocol simplifies data exchange between the infected machine and the C2 server. In addition, recent variants add RC4 encryption, which protects the transmitted data and makes the traffic harder for security solutions to detect. Together, these updates allow StealC V2 to maintain stable, secure communication channels. The figure below illustrates the workflow of the C2 communication process.
Figure 1: StealC V2’s C2 communication workflow.
Another notable improvement in StealC V2 is its expanded support for various payload delivery formats. In addition to executing traditional executable (EXE) files, the malware now supports Microsoft Software Installer (MSI) packages and PowerShell scripts. EXE files are launched using the Windows ShellExecuteEx function, while MSI packages are installed silently via msiexec.exe, ensuring minimal user interaction. PowerShell scripts are executed remotely, leveraging the powershell.exe command with no retry attempts after failure.
To learn more about the differences between StealC V1 and StealC V2, and about features such as its control panel, check out I StealC You: Tracking the Rapid Changes To StealC.
Zscaler Zero Trust Exchange Coverage – Zscaler Internet Access (Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection)
Technical Analysis of TransferLoader
ThreatLabz discovered a new malware we named TransferLoader, which has been active since February 2025. ThreatLabz published a technical analysis of TransferLoader and three of its components: its downloader, backdoor loader, and backdoor. ThreatLabz believes all of these components were written by the same malware author, based on the similarities they share.
The downloader fetches additional malicious payloads from a C2 server and executes them on the victim’s system. It initiates communication by sending HTTPS GET requests that use custom headers for authentication and payload retrieval. Upon receiving the payload, the downloader decrypts it using a bitwise XOR operation with a hardcoded key and executes it. The downloader may also open decoy files (e.g., PDF documents) embedded in its binary to distract users. In cases where the payload fails to execute, the downloader attempts to restart the Windows Explorer instance.
The backdoor loader acts as the facilitator for the transfer and operation of the backdoor module and is responsible for the backdoor’s configuration and deployment. The backdoor loader resides within trusted processes like explorer.exe or wordpad.exe, using evasion techniques such as API hooking and COM hijacking for persistence. The loader communicates with the backdoor through encrypted named pipes, handling commands related to configuration data, including the C2 server address and encryption keys. The backdoor loader can update the backdoor configuration and even deploy executable files directly from registry keys. If any condition for execution (e.g., creation of a specific temporary file) is not met, the backdoor loader stops its operations.
Table 1: TransferLoader backdoor network commands.
The backdoor is the primary orchestrator used by attackers to control compromised systems. It connects to the C2 server and provides a range of functionality (table above), including executing remote shell commands and uploading and downloading files. The backdoor supports both HTTPS and raw TCP communication, and in the event of a C2 takedown, it uses the InterPlanetary File System (IPFS) as a fallback to retrieve a new C2 address. The backdoor employs custom encryption for network communication.
To learn more about TransferLoader and the anti-analysis methods it employs, visit Technical Analysis of TransferLoader.
Zscaler Zero Trust Exchange Coverage – Zscaler Internet Access (Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection)
Operation Endgame 2.0: DanaBusted
On May 22, 2025, law enforcement announced new actions under Operation Endgame, an initiative targeting cybercriminal organizations, including those behind DanaBot. Following efforts in May 2024 that disrupted malware like SmokeLoader, IcedID, and Bumblebee, ThreatLabz provided critical technical insights aiding investigations in the most recent law enforcement actions.
First discovered in 2018, DanaBot serves as a Malware-as-a-Service (MaaS) platform used by both cybercriminals and nation-state actors for activities such as online fraud, espionage, and deploying ransomware like GlobeImposter. Leased monthly on underground forums, DanaBot offers capabilities like:
- Keylogging and espionage: Stealing files, clipboard hijacking, and capturing screenshots or video from compromised systems.
- Web manipulation: Injecting or modifying content in browsers and redirecting users to malicious sites.
- Malware deployment: Distributing additional payloads such as Lumma or Cactus ransomware.
DanaBot has been linked to targeted espionage attacks in Eastern Europe and the Middle East, and played a role in DDoS attacks against Ukrainian defense systems in early 2022.
DanaBot’s recent builds, including version 4006 (compiled March 2025), feature a custom binary protocol encrypted with 1,024-bit RSA and 256-bit AES for secure C2 communication. DanaBot’s modular architecture includes a loader, main module, and third-party tools like Tor for stealth.
While Operation Endgame has disrupted DanaBot, similar cases have shown that such malware often persists by rebranding as a new entity with a new name and logo.
Zscaler Zero Trust Exchange Coverage – Zscaler Internet Access (Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection)
Prevalent Threat Update
ThreatLabz has uncovered a new version of the Rhadamanthys malware being distributed through CoffeeLoader, featuring substantial updates to its configuration structure. Notable changes include the implementation of FastLZ compression for storing C2 URL data and the use of a customized Base64 character set to enhance obfuscation and evade detection.
- Sample hash: 07a9f78963c300ef09481ab597fbd6251cd7d5ca6b1c83056f1747300650bc4c
- C2 URLs: https://107.189.28[.]160:4096/HbTaQwW5z38xHKTdU6J2SRpwSzq9kzhg/5dw66tsl.h19u5
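The two configuration-encoding changes described above (a customized Base64 alphabet wrapped around FastLZ-compressed C2 URL data) are what an analyst has to undo to recover the C2 list from a sample. The following is an added example, not code from the post or from the malware: a custom-alphabet Base64 decoder plus a pure-Python port of the FastLZ level-1 decoder. The alphabet, the placeholder domain and the compressed bytes are all constructed here for illustration; the real Rhadamanthys alphabet is not given in the post.

```python
import base64
import string
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Constructed alphabet for this example: the standard table reversed, so every symbol is remapped.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]

def custom_b64decode(text: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map a custom-alphabet Base64 string back to the standard table, re-pad and decode."""
    body = text.rstrip("=").translate(str.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(body + "=" * (-len(body) % 4))

def custom_b64encode(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Inverse of custom_b64decode; used only to build the constructed sample below."""
    return base64.b64encode(data).decode().translate(str.maketrans(STD_ALPHABET, alphabet))

def fastlz1_decompress(data: bytes) -> bytes:
    """Pure-Python port of the FastLZ level-1 decoder: literal runs and LZ77 back-references."""
    out, ip, end = bytearray(), 0, len(data)
    if end < 2:
        raise ValueError("stream too short")
    ctrl, ip = data[0] & 31, 1  # first token is a literal run; its top 3 bits hold the level
    while True:
        if ctrl >= 32:  # match token: 3 length bits, then 5 + 8 distance bits
            length, ofs = (ctrl >> 5) - 1, (ctrl & 31) << 8
            if length == 6:  # long match: an extra length byte follows
                length, ip = length + data[ip], ip + 1
            ref, ip = len(out) - ofs - data[ip] - 1, ip + 1
            if ref < 0:
                raise ValueError("back-reference points before start of output")
            for i in range(length + 3):  # byte-wise so overlapping references repeat
                out.append(out[ref + i])
        else:  # literal token: ctrl + 1 raw bytes follow
            if ip + ctrl + 1 > end:
                raise ValueError("truncated literal run")
            out += data[ip:ip + ctrl + 1]
            ip += ctrl + 1
        if end - ip < 2:  # every token is at least two bytes, so this is the end
            break
        ctrl, ip = data[ip], ip + 1
    return bytes(out)

def extract_c2_urls(blob: str) -> list:
    """The chain an analyst runs on the stored C2 field: custom Base64, then FastLZ."""
    return fastlz1_decompress(custom_b64decode(blob)).decode().split("\n")

# Constructed sample: 21-byte literal, 19-byte long-form back-reference to offset 0,
# then a 1-byte literal. The domain is a placeholder, not a real indicator.
COMPRESSED_SAMPLE = bytes([0x14]) + b"https://c2.example/a\n" + bytes([0xE0, 0x0A, 0x14, 0x00]) + b"b"
SAMPLE_BLOB = custom_b64encode(COMPRESSED_SAMPLE)
```

Calling extract_c2_urls(SAMPLE_BLOB) yields the two placeholder URLs; swap in the alphabet recovered from a real sample to apply the same chain to its configuration.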
Zscaler Zero Trust Exchange Coverage – Zscaler Internet Access (Advanced Cloud Sandbox, Advanced Threat Protection, Advanced Cloud Firewall, SSL Inspection)
Looking forward: Zenith Live 2025
Join us at Zenith Live 2025, Zscaler’s flagship conference, happening June 2–5 in Las Vegas, Nevada (AMER) and June 16–19 in Prague, Czech Republic (EMEA). Zenith Live is the premier learning conference where experts converge to share the latest in zero trust networking and security to protect and enable organizations to thrive.
If you are interested, I will deliver a mainstage keynote on Cyber and AI innovations at 8:30am June 4 in Las Vegas and June 18 in Prague. I’ll be covering how innovations are reshaping cybersecurity strategies to help organizations stay ahead of today’s threats in a talk titled, “Harnessing Zero Trust and AI to Outpace Cyberthreats.”
I look forward to seeing you there as we delve into the future of secure digital transformation.
Register for Zenith Live - Prague (EMEA)
Register for Zenith Live - Las Vegas (AMER)
About ThreatLabz
ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.
The Zscaler Zero Trust Exchange
Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks over 150 million threats to its more than 9,000 customers, securing over 500 billion web transactions daily. The Zscaler ThreatLabz security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.