Anti-Malware Research Whitepapers

Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation


For more than a decade, adware has helped software creators earn money while bringing free applications to the masses. Headliner games and applications have become widely available to computer and mobile users the world over, with no financial strings attached.

While generating untold revenue for the companies that run these programs, adware has witnessed constant improvements over the years in both data collection and resilience to removal. The line between adware and spyware has become increasingly fuzzy during recent years as modern adware combines aggressive opt-outs with confusing legal and marketing terms as well as extremely sophisticated persistence mechanisms aimed at taking control away from the user. This whitepaper details an extremely sophisticated piece of rootkit-based spyware that has been running covertly since early 2012, generating revenue for its operators and compromising the privacy of its victims.

Download the whitepaper below for a complete analysis of the malware’s components, its internal structure and a list of associated samples and IoCs.

Download the Zacinlo whitepaper here

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as director of threat research. When he is not documenting sophisticated strains of malware or planning removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.


Click here to post a comment

    • Why would you think that? We have had detection for this strain of malware since second zero, so we've done our fair share of helping people out. We are trying to document attacks whenever time allows us, but our main focus is developing technologies and threat intelligence to protect people from such attacks. This is where most of our efforts go, the rest is provided on a "best effort" basis.

  • You guys did an outstanding job with this report.

    A few questions:
    1. Approximately how many machines were infected with this malware?
    2. Is there a link to the IOCs in a format other than PDF? (example: as text files or CSVs on GitHub or elsewhere) … The PDF format makes it difficult to use these IOCs "as is".
    3. What has your interaction been with Microsoft (or others) to invalidate these certificates in use, and remove this malware from all Windows systems?

  • Any chance can you guys share the latest hash of "Main Downloader"? There are 691 hashes. Not sure which one is working.

    May I know when this research is done? Whatever hash I test, it's not even making 1 http request.

  • What is most effective tool(s) for determining if this or any other RAT/root kit is active on a machine?

    Currently, occasionally I boot from a live CD to run a series of scanners. Will this method detect this malware?