Zardoor Backdoor Discovered In A Campaign Targeting An Islamic Organization Since 2021
An espionage campaign believed to have been active since March 2021 has been identified targeting an Islamic non-profit organization, using a malware called Zardoor. The threat actor uses custom backdoors and modified reverse proxy tools to evade detection, and employs living-off-the-land binaries (LoLBins) to carry out automated tasks such as C2 communication and establishing and maintaining persistence. Zardoor is deployed through a multi-stage process using a dropper and a loader, which are also responsible for ensuring persistence via scheduled tasks and for using reverse proxy tools such as Fast Reverse Proxy (FRP) to bypass security controls and set up communication with the C2 server. Zardoor's functionality includes gaining remote access to the system, executing additional payloads, and executing shellcode. To date only one victim has been identified; however, the prolonged undetected access suggests that there may be more victims.