Trojan Horse Program

Episode 244: ZuoRAT brings APT Tactics to Home Networks

In this episode of the Security Ledger podcast, brought to you by ReversingLabs, we interview Danny Adamitis (@dadamitis) of Black Lotus Labs about the discovery of ZuoRAT, malware that targets SOHO routers – and is outfitted with APT-style tools for attacking the devices connected to home networks.

As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google PodcastsStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to to get notified whenever a new podcast is posted. 


Cyber attacks on small office and home office (or SOHO) routers aren’t new. Back in 2016, the malware known as Mirai made headlines across the world by infecting hundreds of thousands of weekly protected SOHO routers and DVR devices and stringing them into a potent botnet that could be leased out to distribute spam and launch crippling denial of service attacks. 

But for all its bluster, Mirai and the IoT botnets that followed it were pretty simple creatures. They infected SOHO routers by exploiting default passwords (mostly). The goal was to own the router itself. The goal was to build  a platform for future, external attacks – not probing the home and small business networks the routers fronted.  

New Rapidly-Spreading Hide and Seek IoT Botnet Identified by Bitdefender

ZuoRAT: sniffing around home networks

Danny Adamitis is a researcher at Lumen’s Black Lotus Labs.
Danny Adamitis is a researcher at Lumen’s Black Lotus Labs.

That’s not the case with ZuoRAT, a mysterious Mirai variant uncovered by researchers at Lumen’s Black Lotus Labs. According to Lumen researcher Danny Adamitis (@dadamitis), ZuoRAT looked like earlier IoT botnets, but behaved very differently: with an intense interest in the devices connected to home networks and the ability to launch extremely targeted attacks on home devices that could steal data, redirect web searches and, potentially, install malware on devices that used the router. Another interesting tidbit: ZuoRAT’s targets, which include Higher Muslims and Hong Kong residents and, apparently, homes and small businesses here in the U.S. 

ZuoRAT was the subject of a presentation Danny gave at the recent LabsCon conference. I spoke with him after his talk and, In this interview, he describes how he stumbled upon ZuoRAT (spoiler alert: holiday season-induced insomnia); the many curious features of the malware that his research has uncovered; and the larger problem of vulnerable SOHO routers, whose care, maintenance and security often is overlooked. 

To listen to the interview, use the player above or download the MP3 using the button below.

(*) Disclosure: This podcast was sponsored by ReversingLabs. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.