Zegost

Category: trojan · Aliases: RAT.Zegost, Backdoor.Zegost, Trojan.Win32.Zegost · Sample count (EMBER 2018): 441 · Enrichment: documented_reference_only · Updated: 2026-07-02T09:03:09Z

Overview

Executive Summary

Zegost is a sophisticated Remote Access Trojan (RAT) and backdoor that has been widely utilized by cyber-espionage groups, most notably Chinese Advanced Persistent Threat (APT) actors. Unlike commercially available MaaS RATs, Zegost is typically deployed in highly targeted, long-term espionage campaigns against government agencies, defense contractors, and high-value corporate targets. Its primary function is to establish deep, stealthy persistence and facilitate the continuous exfiltration of highly classified intellectual property.

Infection Vector and Technical Capabilities

Zegost is almost exclusively distributed via highly customized spear-phishing campaigns. These emails use precise, socially engineered lures tailored to the target, containing weaponized Office documents that exploit zero-day or recently patched vulnerabilities to silently execute the RAT. Its technical architecture is built for extreme stealth and long-term surveillance:

Threat Assessment

A Zegost detection is a catastrophic "Code Red" event indicating an active, highly sophisticated APT breach. It implies that a nation-state level actor has compromised the network and is actively conducting targeted espionage. If Zegost is found, the organization must assume that sensitive intellectual property has already been exfiltrated.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1014 T1071.001 T1056.001 T1055

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_ZEGOST {
    meta:
        description = "Detects Zegost (trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "zegost" ascii wide nocase
        $s2 = "rat.zegost" ascii wide nocase
        $s3 = "backdoor.zegost" ascii wide nocase
        $s4 = "trojan.win32.zegost" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Zegost Activity
id: befab2294aa149ed71c98c55b5957039
status: experimental
description: Detects generic indicators of the zegost malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*zegost*"
            - "*rat.zegost*"
            - "*backdoor.zegost*"
            - "*trojan.win32.zegost*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Where can I learn more about zegost?

Refer to the linked MITRE ATT&CK technique pages, which document the behaviors associated with this family.

Related Families (Category: trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/zegost.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.