Zupdax is a malware family that reaches systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operations, or hold data hostage for ransom. The Zupdax payload is a backdoor that gives the operator unauthorized remote access to the infected system. Some Zupdax samples are signed with stolen certificates, a technique notably used by a group known as Space Pirates. According to an ESET report and additional research, a standard dropper (data1.dat) extracts the payload from its resources.
The malicious activities associated with Zupdax have been linked to multiple cybercriminal groups, including Bronze Union (also known as LuckyMouse or APT27) and TA428. These groups appear to operate jointly, using both Zupdax and another malware, RtlShare, in their attacks. Notably, the criminals behind an attack on Able Desktop users were found to have access to both HyperBro and Zupdax. ESET's report "Operation StealthyTrident: corporate software under attack" notes the presence of HyperBro and Zupdax backdoors, along with Tmanger and ShadowPad, as part of a single cybercriminal operation.
Additional connections between these groups and Zupdax have been identified. For instance, both the Zupdax sample and the FF-RAT samples use subdomains of playdr2.com and gamepoer7.com as command and control (C2) servers. Furthermore, some Zupdax samples carry valid digital signatures, indicating a deliberate effort to evade detection and appear legitimate. Overall, Zupdax represents a significant cybersecurity threat because of its stealthy infiltration methods, its disruptive capabilities, and its associations with organized cybercriminal groups.
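The shared C2 apex domains above are the most directly actionable indicator on this page. The following is an added detection example (not code from the original description, ESET, or any of the named groups) that flags DNS queries for those apex domains or any of their subdomains. The log format is a constructed, simplified "timestamp client_ip query_name" layout and the sample lines are invented; both are assumptions to adapt to your resolver's real log format. The matching is label-aware, so a look-alike such as notplaydr2.com or a name that merely contains the apex in the middle is not a hit.

```python
"""Flag DNS queries for subdomains of the C2 apex domains named in the Zupdax description.

Added example, not from the original page. The log format is a constructed,
simplified '<ISO timestamp> <client ip> <queried name>' layout (an assumption);
adapt parse_line() to your resolver's real format (Zeek dns.log, Windows DNS
debug log, etc.).
"""
from __future__ import annotations

# Apex domains quoted in the description as shared Zupdax / FF-RAT C2 infrastructure.
C2_APEX_DOMAINS = frozenset({"playdr2.com", "gamepoer7.com"})

# Constructed sample log lines (not real telemetry), one record per line.
SAMPLE_DNS_LOG = """\
2024-10-15T09:00:01Z 10.0.0.12 update.playdr2.com.
2024-10-15T09:00:02Z 10.0.0.12 www.example.com
2024-10-15T09:00:03Z 10.0.0.45 NEWS.GAMEPOER7.COM
2024-10-15T09:00:04Z 10.0.0.77 notplaydr2.com
2024-10-15T09:00:05Z 10.0.0.77 playdr2.com.evil.example
2024-10-15T09:00:06Z 10.0.0.90 gamepoer7.com
"""


def normalize_name(name: str) -> str:
    """Lower-case and strip the trailing root dot so 'A.B.COM.' and 'a.b.com' compare equal."""
    return name.strip().rstrip(".").lower()


def matches_c2(name: str, apex_domains=C2_APEX_DOMAINS) -> str | None:
    """Return the matching apex domain if `name` is that apex or one of its subdomains.

    The check is label-aware: 'notplaydr2.com' must not match 'playdr2.com', and
    'playdr2.com.evil.example' must not match either (the apex must be the suffix
    and sit on a label boundary).
    """
    n = normalize_name(name)
    for apex in apex_domains:
        if n == apex or n.endswith("." + apex):
            return apex
    return None


def parse_line(line: str) -> tuple[str, str, str] | None:
    """Split one constructed log record into (timestamp, client, query); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def find_c2_queries(log_text: str) -> list[dict]:
    """Return one hit record per log line whose queried name falls under a C2 apex domain."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname = rec
        apex = matches_c2(qname)
        if apex:
            hits.append({"timestamp": ts, "client": client,
                         "query": normalize_name(qname), "apex": apex})
    return hits


if __name__ == "__main__":
    for hit in find_c2_queries(SAMPLE_DNS_LOG):
        print(f"{hit['timestamp']} {hit['client']} queried {hit['query']} (matches {hit['apex']})")
```

Run against the embedded sample, the script reports three hits (the two subdomain queries and the bare gamepoer7.com lookup) and correctly ignores the look-alike and the name that only contains playdr2.com as an inner label. In production the same `matches_c2` check can be fed from a resolver log or passive-DNS export; a hit on these domains is worth correlating with the host's process and file telemetry for the dropper and backdoor described above.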
Description last updated: 2024-10-15T09:14:24.312Z