ZLoader Malware Returns With DNS Tunneling to Stealthily Mask C2 Comms


Researchers have identified a new version (2.9.4.0) of the ZLoader malware, which now leverages DNS tunneling for command-and-control (C2) communications, enhancing its stealth and resilience against detection. ZLoader, also known as Terdot or Silent Night, is a malware loader capable of deploying various payloads and is increasingly linked to Black Basta ransomware attacks. The malware incorporates anti-analysis techniques, a domain generation algorithm (DGA), and a newly added interactive shell for executing commands, exfiltrating data, and evading security measures. Distribution methods include remote desktop sessions masquerading as tech support interactions. The improvements highlight its role as a key initial access broker for ransomware operations.
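The article notes that DNS tunneling is what makes this C2 channel hard to spot, so the practical question for defenders is what such traffic looks like in resolver logs. The following is an added example, not code from the article or from any ZLoader analysis: a small heuristic that groups queries per client and registered domain and flags domains receiving many distinct, long, high-entropy subdomain labels, which is how data and commands are typically encoded in tunneled DNS. The log format, the `tunnel-placeholder.test` domain, the thresholds and the "registered domain = last two labels" rule are all assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not from the article or from real ZLoader traffic).
# One query per line: "<timestamp> <client_ip> <qtype> <qname>".
# 10.0.0.5 makes ordinary lookups; 10.0.0.7 sends tunnel-like TXT queries
# to a placeholder domain with long, high-entropy subdomain labels.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 A www.example.com
2024-01-01T10:00:02Z 10.0.0.5 A cdn.example.com
2024-01-01T10:00:03Z 10.0.0.5 A login.example.com
2024-01-01T10:00:04Z 10.0.0.5 A mail.example.com
2024-01-01T10:00:05Z 10.0.0.7 TXT abcdefghijklmnopqrstuvwxyz012345.tunnel-placeholder.test
2024-01-01T10:00:06Z 10.0.0.7 TXT zyxwvutsrqponmlkjihgfedcba543210.tunnel-placeholder.test
2024-01-01T10:00:07Z 10.0.0.7 TXT 012345abcdefghijklmnopqrstuvwxyz.tunnel-placeholder.test
2024-01-01T10:00:08Z 10.0.0.7 TXT mnopqrstuvwxyzabcdefghijkl012345.tunnel-placeholder.test
2024-01-01T10:00:09Z 10.0.0.7 A www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str):
    """Return (subdomain part, registered domain).

    Assumption: the registered domain is the last two labels. A production
    detector should use the public suffix list instead (e.g. co.uk).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qtype, qname) from the assumed four-column log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or blank lines
        _ts, client, qtype, qname = parts
        yield client, qtype.upper(), qname


def detect_tunneling(log_text: str, min_unique: int = 3,
                     min_entropy: float = 3.5, min_len: int = 20) -> dict:
    """Flag (client, domain) pairs whose subdomain labels look like encoded data.

    Three signals are combined: many distinct subdomains for one domain, a
    high mean entropy of those labels, and a long mean label length. Each
    alone is noisy (CDNs use many subdomains, short hashes are common); all
    three together is characteristic of tunneled DNS.
    """
    buckets = defaultdict(list)  # (client, domain) -> [(subdomain, qtype), ...]
    for client, qtype, qname in parse_log(log_text):
        sub, domain = split_qname(qname)
        buckets[(client, domain)].append((sub, qtype))

    findings = {}
    for (client, domain), recs in buckets.items():
        subs = {s for s, _ in recs if s}
        if len(subs) < min_unique:
            continue
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        mean_len = sum(len(s) for s in subs) / len(subs)
        # TXT/NULL/CNAME answers carry more bytes back than A records, so a
        # high share of them is reported as supporting context, not a condition.
        data_share = sum(1 for _, q in recs if q in ("TXT", "NULL", "CNAME")) / len(recs)
        if mean_entropy >= min_entropy and mean_len >= min_len:
            findings[(client, domain)] = {
                "queries": len(recs),
                "unique_subdomains": len(subs),
                "mean_entropy": round(mean_entropy, 2),
                "mean_subdomain_len": round(mean_len, 1),
                "data_record_share": round(data_share, 2),
            }
    return findings


if __name__ == "__main__":
    for (client, domain), stats in detect_tunneling(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: client={client} domain={domain} {stats}")
```

Run against the constructed log, only the `10.0.0.7` / `tunnel-placeholder.test` pair is reported; the four short `example.com` hostnames from `10.0.0.5` have a mean entropy under 2.5 bits and a mean length under 5, so they fall well below both thresholds. Tune `min_unique`, `min_entropy` and `min_len` against your own baseline, and expect benign hits from services that legitimately encode data in labels (anti-spam lookups, some CDNs); a DGA, which the article also mentions, shows up differently, as many distinct registered domains with NXDOMAIN answers rather than many subdomains under one domain.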
