{
	"id": "08a9d3ab-2c38-4fe3-8cf8-98b8bd8e93a9",
	"created_at": "2026-04-06T01:30:01.242937Z",
	"updated_at": "2026-04-10T13:12:26.29485Z",
	"deleted_at": null,
	"sha1_hash": "0b09f6020c70adc02e6cb9668faa3d75b925a0e9",
	"title": "Osiris banking trojan shuts down as new Ares variant emerges",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 528585,
	"plain_text": "Osiris banking trojan shuts down as new Ares variant emerges\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-09 · Archived: 2026-04-06 00:59:39 UTC\r\nThe creator of the Osiris banking trojan has shut down its operation in March, citing a lack of interest for banking\r\ntrojans in the cybercriminal underground.\r\nThe shutdown announcement was posted in a hacking forum thread where the Osiris author, an individual named\r\nAnubi, initially started advertising the trojan back in April 2018.\r\nFor the past three years, Anubi has been providing copies of the Osiris banker to cybercrime groups, which have\r\nbeen distributing them using email spam campaigns to victims all over the world.\r\nThe trojan, which is a revamped and improved version of the Kronos malware (2014), is a classic banking trojan\r\nthat infects Windows computers and then injects malicious code in web browsers to steal e-banking credentials\r\nand alter banking transactions.\r\nAccording to an analysis by security firm Check Point, the trojan also employed advanced rootkits to get a\r\npermanent foothold inside infected hosts and could also steal credentials from multiple local apps, data that it later\r\nsent to a command and control (C\u0026C) server via the Tor protocol.\r\nhttps://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/\r\nPage 1 of 3\n\nBut in an interview today with The Record, malware analyst 3xp0rt, who spotted the Osiris retirement post, said\r\nthe shutdown announcement comes as the banking trojan has been seeing less and less usage among cybercriminal\r\ngroups.\r\nThe last major spam campaign distributing a version of the Osiris trojan was spotted in January this year, targeting\r\nGerman users, the researcher said.\r\nSince then, new Osiris campaigns have been rare, although some of Anubi's former customers appear to continue\r\nusing it in some smaller-scale operations.\r\nWhile the Osiris source code has not been leaked online, 3xp0rt told The Record that they believe that some of the\r\nmalware's former clients will eventually resell it in second-market backroom deals as they stop using it for their\r\nown attacks and move to newer codebases.\r\nNew Kronos-variant spotted as Osiris died\r\nBut just as Anubi was announcing the Osiris retirement, security firm Zscaler also reported about a new banking\r\ntrojan named Ares that was based on the old Kronos codebase and shared different components and similarities\r\nwith the Osiris trojan.\r\nCurrently, it is unclear if Anubi is involved in the creation of this new trojan or if they handed over the codebase to\r\na new developer who has now put their own spin on this dangerous malware.\r\nEither way, the connections between the three malware strains are more than evident, although, according to\r\nZscaler researchers, the Ares code is in early stages of development.\r\nhttps://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/\r\nPage 2 of 3\n\n\"The code contains several bugs and unreferenced code segments that are likely used for debugging purposes,\"\r\nthey said. \"The threat actor has invested significant resources in building DarkCrypter, BMPack, Ares, and Ares\r\nStealer. Therefore, activity related to this threat is likely to increase as the malware continues to mature.\"\r\nFeatured image via Rob Koopman, CC BY-ND 2.0\r\nNo previous article\r\nNo new articles\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/\r\nhttps://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/"
	],
	"report_names": [
		"osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges"
	],
	"threat_actors": [],
	"ts_created_at": 1775439001,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b09f6020c70adc02e6cb9668faa3d75b925a0e9.pdf",
		"text": "https://archive.orkl.eu/0b09f6020c70adc02e6cb9668faa3d75b925a0e9.txt",
		"img": "https://archive.orkl.eu/0b09f6020c70adc02e6cb9668faa3d75b925a0e9.jpg"
	}
}