ZOHOMURK is a sophisticated C/C++ DLL implant that turns a legitimate cloud service—Zoho WorkDrive—into a covert command-and-control channel. Unlike traditional malware that relies on its own network infrastructure, ZOHOMURK hides its traffic inside an enterprise file-sharing platform millions of businesses use every day. It arrives via DLL side-loading, typically delivered by the SHARDLOADER malware family, and embeds itself quietly through signed Citrix binaries to evade detection. Once active, it grants attackers a remote shell, file-transfer capabilities, and persistent access to your machine—all while blending into normal cloud-storage traffic.
This threat represents a growing trend: adversaries weaponizing trusted SaaS platforms to bypass network monitoring and endpoint defenses. Because the malware communicates through Zoho's legitimate API endpoints, traditional firewall rules and domain blacklists won't stop it. For home users and small businesses in Roswell running outdated antivirus or relying solely on Windows Defender, ZOHOMURK can operate undetected for weeks or months, exfiltrating documents, credentials, and business records without raising alarms.
Threat Profile
| Attribute | Value |
|---|---|
| Threat Name | ZOHOMURK |
| Classification | DLL Implant / Backdoor |
| Platform | Windows (PE executable) |
| Language | C/C++ |
| Primary C2 Channel | Zoho WorkDrive cloud storage API |
| Delivery Mechanism | DLL side-loading via signed Citrix Receiver binaries |
| Parent Dropper | SHARDLOADER |
| Evasion Techniques | Timing-based anti-debug checks, legitimate binary abuse, cloud-based C2 |
| Core Capabilities | Interactive shell (named pipe), file upload/download, opcode-driven task dispatcher |
| Typical Targets | Enterprise networks, small-to-medium businesses using Zoho services |
| First Documented | 2025 (Acronis research) |
| Last Intelligence Update | 2026-07-01 (Malpedia) |
How It Spreads
ZOHOMURK does not spread through mass phishing or exploit kits. Instead, it's delivered as part of a targeted intrusion, almost always following an initial compromise by SHARDLOADER. Attackers first gain a foothold—typically through spear-phishing emails with malicious Office macros, fake software installers, or supply-chain attacks—then deploy SHARDLOADER to establish persistence. Once SHARDLOADER is running, it drops the ZOHOMURK DLL alongside a legitimate, digitally signed Citrix Receiver binary. When the Citrix executable runs, it automatically loads the malicious DLL from the same directory—a technique called DLL side-loading or search-order hijacking—bypassing application whitelisting and code-signing checks.
This two-stage deployment model means victims rarely encounter ZOHOMURK in isolation. By the time it's active, the attacker already has administrative access and may have disabled endpoint protection, harvested credentials, or moved laterally across the network. For small-business owners in Roswell, the initial infection often comes from clicking a "DocuSign" or "invoice" link in an email that looked identical to routine correspondence. For home users, it can arrive bundled with pirated software, cracked license generators, or fake codec packs downloaded from torrent sites.
Common distribution vectors include:
- Spear-phishing attachments: Weaponized Word or Excel documents with macros that download SHARDLOADER, which then fetches ZOHOMURK
- Trojanized installers: Fake VPN clients, system utilities, or productivity apps that include the dropper payload
- Software supply-chain compromise: Malicious updates pushed through compromised third-party software vendors
- Lateral movement: SHARDLOADER spreading from an already-infected machine via SMB shares, scheduled tasks, or WMI commands
- Drive-by downloads: Exploit kits on compromised websites that silently install the dropper when visitors land on the page
What It Does On Your Machine
Once side-loaded, ZOHOMURK executes through a single exported function—effectively disguising itself as a plugin or add-on to the Citrix binary. It immediately performs timing-based anti-debug checks: the malware measures how long certain operations take and aborts if it detects a debugger or sandbox slowing execution. If the coast is clear, it writes registry keys to maintain persistence across reboots, then initiates its first beacon to Zoho WorkDrive. Because the malware uses Zoho's official cloud API, the traffic appears as normal file-sync activity to network monitoring tools. No suspicious IPs. No known-bad domains. Just HTTPS requests to zoho.com.
After establishing communication, ZOHOMURK enters a polling loop: it checks for new "tasks" uploaded by the attacker to a specific Zoho WorkDrive folder. These tasks are small binary blobs interpreted by an opcode-driven dispatcher inside the malware. An opcode might instruct the implant to execute a shell command, upload a file, download a payload, or enumerate local user accounts. Results are packaged as files and uploaded back to the same cloud folder, creating a bidirectional command channel that leaves almost no forensic trace on the local disk.
The most dangerous capability is the interactive shell. ZOHOMURK creates a named pipe and routes cmd.exe input/output through it, allowing the attacker to run arbitrary commands as if sitting at your keyboard. This means credential harvesting (via Mimikatz or LaZagne), registry tampering, service manipulation, firewall rule changes—anything a local administrator could do. For small businesses, attackers commonly exfiltrate QuickBooks files, customer databases, email PST archives, and tax documents. For home users, the targets are saved passwords, browser autofill data, cryptocurrency wallets, and personal photos.
Manual Removal — Step by Step
Disconnect and Boot to Safe Mode
Unplug the Ethernet cable and disable Wi-Fi. Reboot the computer and press F8 (or Shift+F8 on newer systems) during startup to enter Safe Mode with Networking. This prevents ZOHOMURK from auto-starting via the registry Run key and limits its ability to communicate with the Zoho C2 channel.
Check Installed Programs for Citrix Receiver or Unknown Entries
Open Settings → Apps and look for Citrix Receiver, Citrix Workspace, or any unfamiliar entries installed around the same time you noticed performance issues. If you don't use Citrix products, uninstall them immediately. Note the installation date—it helps correlate with attacker activity.
Delete the Malicious DLL
Navigate to C:\Program Files (x86)\Citrix\ICA Client\Receiver\ (or wherever Citrix is installed). Look for msvcr120.dll or other DLLs with recent modification dates that don't match the rest of the folder. Right-click, select Properties, and check the Digital Signature tab—ZOHOMURK's DLL will have no signature or a mismatched publisher. Delete the file and empty the Recycle Bin.
Remove Registry Persistence Entries
Press Win+R, type regedit, and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Look for entries named "CitrixUpdater" or pointing to executables in the Citrix directory. Delete any suspicious Run keys. Also check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for system-wide entries.
Scan for SHARDLOADER Remnants
Because ZOHOMURK is always dropped by SHARDLOADER, the parent malware may still be present. Check C:\Users\[YourName]\AppData\Local\Temp and C:\ProgramData for recently modified executables or DLLs. Run a full scan with Malwarebytes (free trial available) or Microsoft Safety Scanner to catch the dropper. If either tool flags additional threats, remove them before proceeding.
Clear Scheduled Tasks
Open Task Scheduler (search from Start menu) and review all active tasks under "Task Scheduler Library." Look for tasks created by "Citrix" or with random alphanumeric names that run executables from non-standard locations. Right-click and delete any task that references the Citrix Receiver folder or unknown scripts.
Revoke Zoho WorkDrive OAuth Tokens
If your organization uses Zoho services, the attacker may have generated OAuth tokens tied to a real or fake Zoho account. Log into the Zoho admin console (or contact your IT administrator) and review connected applications. Revoke any third-party apps or API clients you don't recognize. Change passwords for all Zoho accounts and enable two-factor authentication.
Inspect Browser Extensions and Saved Passwords
ZOHOMURK often exfiltrates browser data. Open Chrome/Edge/Firefox, go to Extensions, and remove anything unfamiliar. Then navigate to Settings → Passwords and look for saved credentials you didn't add. Export your legitimate passwords to a text file (or use a password manager), then clear the entire saved-password database. Change critical passwords—email, banking, social media—from a clean device.
Verify Firewall and Antivirus Status
Check Windows Defender (or your installed antivirus) to confirm it's running and definitions are up to date. ZOHOMURK sometimes disables real-time protection. Re-enable it, run a full system scan, and review the quarantine log. Update your firewall rules to block outbound connections from non-standard application directories (like C:\ProgramData).
Reboot and Monitor for 48 Hours
Restart the computer normally (not Safe Mode). Monitor Task Manager for unusual CPU spikes, check the Citrix folder to confirm the malicious DLL hasn't reappeared, and watch outbound network traffic using Windows Resource Monitor. If you see new connections to zoho.com from unexpected processes, the infection persists—bring the machine to our shop for professional remediation.
Prevention
- Disable macros by default in Office applications. Go to File → Options → Trust Center → Trust Center Settings → Macro Settings and select "Disable all macros with notification." This blocks the primary delivery mechanism for SHARDLOADER.
- Implement application whitelisting. Use Windows AppLocker or third-party tools to prevent executables from running out of user-writable directories like
AppData,Temp, andDownloads. This stops most droppers before they execute. - Audit and remove unnecessary software. If you don't use Citrix products, uninstall them. The fewer legitimate binaries on your system, the harder it is for attackers to find side-loading targets.
- Monitor cloud-service API usage. For businesses using Zoho WorkDrive, enable audit logging in the admin console and review API access logs weekly. Look for unusual upload volumes, off-hours activity, or connections from unexpected IP addresses.
- Deploy endpoint detection and response (EDR) tools. Consumer antivirus won't catch ZOHOMURK's DLL side-loading or cloud C2 traffic. Consider SentinelOne, CrowdStrike, or Microsoft Defender for Endpoint (commercial version) for behavioral analysis and process monitoring.
- Keep Windows and all applications fully patched. SHARDLOADER often exploits known vulnerabilities in outdated software. Enable automatic updates and run Windows Update at least weekly.
- Train employees and family members to recognize phishing. ZOHOMURK's infection chain starts with a human click. Teach users to verify sender addresses, hover over links before clicking, and never enable macros in unsolicited documents.
- Restrict local admin privileges. Run daily tasks with a standard user account. DLL side-loading and registry writes require elevated permissions—limiting admin access shrinks the attack surface significantly.
Bring It In
ZOHOMURK is not a DIY removal candidate for most home users or small-business owners. Its use of DLL side-loading, timing-based evasion, and cloud-based C2 makes it difficult to detect with standard tools, and incomplete removal can leave backdoors or credential-harvesting scripts active on your machine. If you've seen unfamiliar Citrix processes, unexplained cloud uploads, or performance degradation since opening an email attachment, don't wait for the next payroll file or tax return to disappear into an attacker's Zoho folder.
Bring your PC or laptop to Computer Repair Roswell at 1955 Cliff Valley Way NE, Suite 103, Atlanta, GA 30329 (we serve Roswell, Alpharetta, Sandy Springs, and surrounding areas). Our certified technicians will run forensic scans, isolate the implant, verify exfiltration activity, scrub the infection, and harden your system against reinfection—all with same-day turnaround in most cases. Call us at (770) 856-1992 or stop by Monday through Saturday, 9 AM to 6 PM. We'll get you back online safely, with a written warranty and a clear explanation of what happened and how to prevent it next time.