An ongoing Zloader campaign uses a new infection chain to disable Microsoft Defender Antivirus to evade detection.

The attackers have also changed the malware delivery vector from spam or phishing emails to TeamViewer Google ads published through Google Adwords, redirecting the targets to fake download sites. Users are tricked into downloading signed and malicious MSI installers designed to install Zloader malware payloads on their computers.

The attack chain analyzed in shows the complexity of the attack has grown in order to reach a higher level of stealthiness. The first stage dropper has been changed from the classic malicious document to a stealthy, signed MSI payload. It uses backdoored binaries and a series of LOLBAS to impair defenses and proxy the execution of their payloads.

Like Zeus Panda and Floki Bot, this malware is almost entirely based on the Zeus v2 Trojan’s source code leaked online more than a decade ago.

The banking trojan targeted banks worldwide, from Australia and Brazil to North America, attempting to harvest financial data via web injections that use social engineering to convince infected customers to hand out auth codes and credentials.

Zloader also comes with backdoor and remote access capabilities, and it can also be used as a malware loader to drop further payloads on infected devices.