APT / THREAT GROUP

ZOHOMURK

2 aliases
Last seen: Jul 3, 2026

Intelligence Profile

According to Acronis, ZOHOMURK is a newly identified DLL implant written in C/C++ that abuses the legitimate Zoho WorkDrive cloud storage service for command-and-control, data exfiltration and remote task execution. It is sideloaded via a signed Citrix Receiver binary dropped by its SHARDLOADER parent, with a single export function serving as the implant's entry point and timing-based anti-debug checks guarding key steps such as registry writes and initial beaconing. Capabilities include an interactive shell via a pipe, file upload/download handled through a small opcode-driven dispatcher, victim registration by creating folders on the operator's WorkDrive account, OAuth-based authentication with hardcoded credentials, a heartbeat/re-registration thread, and Run-key persistence established only after passing environment and timing checks.

Threat Analysis

ZOHOMURK is a threat actor of undetermined national origin, engaged in cyber operations; its primary motivation and activity patterns are unknown.

External References

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

ZOHOMURK, win.zohomurk

External Intelligence

Malpedia: win.zohomurk

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.