{
	"id": "b5d845ce-5568-4282-b369-c670c26999ff",
	"created_at": "2026-04-06T00:21:03.721683Z",
	"updated_at": "2026-04-10T03:36:37.054402Z",
	"deleted_at": null,
	"sha1_hash": "089a49b44cabba6c225638b1e30ea6c060087f56",
	"title": "Zeus (malware)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 139088,
	"plain_text": "Zeus (malware)\r\nBy Contributors to Wikimedia projects\r\nPublished: 2009-11-19 · Archived: 2026-04-05 21:46:01 UTC\r\nFrom Wikipedia, the free encyclopedia\r\n\r\nZeus\r\nMalware details\r\nType: Trojan horse\r\nOrigin: July 2007\r\n\r\nZeus is a Trojan horse malware package that runs on versions of Microsoft Windows. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.[1] Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation,[2] it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek.[3] Like Koobface, Zeus has also been used to trick victims of technical support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command Prompt or Event Viewer to make the user believe that their computer is infected.[4]\r\n\r\nZeus is very difficult to detect even with up-to-date antivirus and other security software, as it hides itself using stealth techniques.[5] This is considered the primary reason why Zeus became the largest botnet on the Internet: Damballa estimated that the malware infected 3.6 million PCs in the U.S. in 2009.[6] Security experts advise that businesses continue to train users not to click on hostile or suspicious links in emails or Web sites, and to keep antivirus protection up to date. 
Antivirus software does not claim to reliably prevent infection; for example, Symantec's Browser Protection says that it can prevent \"some infection attempts\".[7]\r\nhttps://en.wikipedia.org/wiki/Zeus_(malware)\r\nPage 1 of 4\r\n\r\nFBI: The Zeus Fraud Scheme\r\nIn October 2010 the US FBI announced that hackers in Eastern Europe had managed to infect computers around the world using Zeus.[8] The virus was distributed in an e-mail, and when targeted individuals at businesses and municipalities opened the e-mail, the trojan software installed itself on the victimized computer, secretly capturing passwords, account numbers, and other data used to log into online banking accounts.\r\n\r\nThe hackers then used this information to take over the victims’ bank accounts and make unauthorized transfers of thousands of dollars at a time, often routing the funds to other accounts controlled by a network of money mules, who were paid a commission. Many of the U.S. money mules were recruited from overseas. They created bank accounts using fake documents and false names. Once the money was in the accounts, the mules would either wire it back to their bosses in Eastern Europe, or withdraw it in cash and smuggle it out of the country.[9]\r\n\r\nMore than 100 people were arrested on charges of conspiracy to commit bank fraud and money laundering, over 90 in the US, and the others in the UK and Ukraine.[10] Members of the ring had stolen $70 million.\r\n\r\nIn 2013 Hamza Bendelladj, known as Bx1 online, was arrested in Thailand[11] and deported to Atlanta, Georgia, USA. Early reports said that he was the mastermind behind ZeuS. He was accused of operating SpyEye (a bot functionally similar to ZeuS) botnets, and suspected of also operating ZeuS botnets. 
He was charged with several counts of wire fraud and computer fraud and abuse.[12] Court papers allege that from 2009 to 2011 Bendelladj and others \"developed, marketed, and sold various versions of the SpyEye virus and component parts on the Internet and allowed cybercriminals to customize their purchases to include tailor-made methods of obtaining victims’ personal and financial information\". It was also alleged that Bendelladj advertised SpyEye on Internet forums devoted to cyber- and other crimes and operated Command and Control servers.[13] The charges in Georgia relate only to SpyEye, as a SpyEye botnet control server was based in Atlanta.\r\n\r\nPossible retirement of creator\r\nIn late 2010, a number of Internet security vendors including McAfee and Internet Identity claimed that the creator of Zeus had said that he was retiring and had given the source code and rights to sell Zeus to his biggest competitor, the creator of the SpyEye trojan. However, those same experts warned that the retirement was a ruse and expected the developer to return with new tricks.[14][15]\r\n\r\nSee also\r\nConficker\r\nCommand and control (malware)\r\nGameover ZeuS, the successor to ZeuS\r\nJabber Zeus\r\nOperation Tovar\r\nTimeline of computer viruses and worms\r\nTiny Banker Trojan\r\nTorpig\r\nZombie (computer science)\r\n\r\nReferences\r\n1. Abrams, Lawrence. \"CryptoLocker Ransomware Information Guide and FAQ\". Bleeping Computer. Retrieved 25 October 2013.\r\n2. Jim Finkle (17 July 2007). \"Hackers steal U.S. government, corporate data from PCs\". Reuters. Retrieved 17 November 2009.\r\n3. Steve Ragan (29 June 2009). \"ZBot data dump discovered with over 74,000 FTP credentials\". The Tech Herald. Archived from the original on 25 November 2009. Retrieved 17 November 2009.\r\n4. \"How to Recognize a Fake Virus Warning\". Retrieved 28 July 2016.\r\n5. \"ZeuS Banking Trojan Report\". 
Dell SecureWorks. 10 March 2010. Retrieved 2 March 2016.\r\n6. \"The Hunt for the Financial Industry's Most-Wanted Hacker\". Bloomberg Business. 18 June 2015. Retrieved 2 March 2016.\r\n7. \"Trojan.Zbot\". Symantec. Archived from the original on 30 January 2010. Retrieved 19 February 2010.\r\n8. \"Cyber Banking Fraud\". The Federal Bureau of Investigation. Retrieved 2 March 2016.\r\n9. FBI (1 October 2010). \"CYBER BANKING FRAUD Global Partnerships Lead to Major Arrests\". Archived from the original on 3 October 2010. Retrieved 2 October 2010.\r\n10. BBC (1 October 2010). \"More than 100 arrests, as FBI uncovers cyber crime ring\". BBC News. Retrieved 2 October 2010.\r\n11. Al Jazeera (21 September 2015). \"Hamza Bendelladj: Is the Algerian hacker a hero?\". AJE News. Retrieved 21 March 2016.\r\n12. Zetter, Kim (3 May 2013). \"Alleged 'SpyEye' Botmaster Ends Up in America, Handcuffs\". Wired. Retrieved 30 January 2014.\r\n13. Vaas, Lisa (7 May 2013). \"Alleged \"SpyEye\" mastermind extradited to US\". Sophos Naked Security. Archived from the original on 21 April 2022. Retrieved 30 January 2014.\r\n14. Diane Bartz (29 October 2010). \"Top hacker \"retires\"; experts brace for his return\". Reuters. Retrieved 16 December 2010.\r\n15. Internet Identity (6 December 2010). \"Growth in Social Networking, Mobile and Infrastructure Attacks Threaten Corporate Security in 2011\". Yahoo! Finance. 
Retrieved 16 December 2010.\r\n\r\nExternal links\r\n\"Measuring the in-the-wild effectiveness of Antivirus against Zeus\", study by Internet security firm Trusteer.\r\n\"A summary of the ZeuS Bot\", a summary of ZeuS as a Trojan and botnet, plus vectors of attack.\r\n\"The Kneber BotNet\" by Alex Cox, archived 21 April 2022 at the Wayback Machine. NetWitness whitepaper on the Kneber botnet.\r\n\"België legt fraude met onlinebankieren bloot\", Dutch news article about a banking trojan.\r\n\"Indications in affected systems\", archived 8 January 2018 at the Wayback Machine. Files and registry keys created by different versions of the Zeus Trojan.\r\nZeus, le dieu des virus contre les banques, archived 27 January 2022 at the Wayback Machine (in French).\r\nZeus Bot's User Guide\r\nZeus source code at GitHub\r\nBotnet Bust - SpyEye Malware Mastermind Pleads Guilty, FBI\r\nSource: https://en.wikipedia.org/wiki/Zeus_(malware)",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Zeus_(malware)"
	],
	"report_names": [
		"Zeus_(malware)"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434863,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/089a49b44cabba6c225638b1e30ea6c060087f56.pdf",
		"text": "https://archive.orkl.eu/089a49b44cabba6c225638b1e30ea6c060087f56.txt",
		"img": "https://archive.orkl.eu/089a49b44cabba6c225638b1e30ea6c060087f56.jpg"
	}
}