Threat Report: PZChao May Signal the Return of Iron Tiger APT

What Is It?

Recently, researchers at Bitdefender have released the results of their analysis of a sophisticated piece of custom written malware. They have named this malware PZChao, based on the domains it uses for its infrastructure. Each domain is used for a specific purpose, such as downloading or controlling malware components.

The attackers have targeted government sector, education and technology/telecommunications organizations in the U.S., Canada, Australia and throughout Asia since July 2017.

It has been observed that once compromised, three payloads are installed on an infected system. The first is a bitcoin miner, secondly both 32-bit and 64-bit versions of the Mimikatz tool are installed, uploading harvested passwords to a command and control (C2) server later. Finally, a close variant of the Gh0st RAT remote access trojan (RAT) is installed. The RAT component effectively gives the attackers full control over an infected machine including keystroke logging, eavesdropping utilizing the web cam or microphone, full access to the file system and remote shell.


When analyzed, the RAT samples were found to be very similar to those used by the Iron Tiger Advanced Persistent Threat (APT) group. Believed to have been active since 2010, the group is thought to be based in China and previously considered to have initiated successful attacks on U.S. contractors, resulting in significant theft of data.

How Does It Propagate?

As is common with APTs, PZChao attacks begin with highly targeted spam e-mails containing a malicious VisualBasic Script (VBS) attachment which then downloads further malicious components.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine (MLE) detects PZChao components as malicious. Regression testing on various samples has shown they would have been detected by BluVector between 19 and 25 months prior to their release, with one sample detected 45 months prior.

About Threat Report

BluVector’s Threat Report is written by BluVector’s expert security team, tasked with identifying the latest cybersecurity threats in the wild and when our solution would protect customers from those threats. Read more Threat Reports here.

Leave a Reply

Your email address will not be published. Required fields are marked *

Interested in learning about BluVector?Contact Us >