{
	"id": "25bff3fe-2db4-45a7-80b3-d748810b6a10",
	"created_at": "2026-04-06T00:17:06.753066Z",
	"updated_at": "2026-04-10T03:21:48.974262Z",
	"deleted_at": null,
	"sha1_hash": "11a4a22f7be8336a4073fd45c77798786b197d06",
	"title": "Citadel: a cyber-criminal’s ultimate weapon? | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1196241,
	"plain_text": "Citadel: a cyber-criminal’s ultimate weapon? | Malwarebytes Labs\r\nBy Jérôme Segura\r\nPublished: 2012-11-04 · Archived: 2026-04-05 18:00:05 UTC\r\nIn old times, a citadel was a fortress used as the last line of defense. For cyber criminals it is a powerful and state-of-the-art toolkit to both distribute malware and manage infected computers (bots). Citadel is an offspring of the (too) popular Zeus crimekit whose main goal is to steal banking credentials by capturing keystrokes and taking screenshots/videos of victims’ computers. Citadel came out circa January 2012 in the online forums and quickly became a popular choice for criminals. A version of Citadel (1.3.4.5) was leaked in late October and although it is not the latest (1.3.5.1), it gives us a good insight into what tools the bad guys are using to make money.\r\nIn this post, I will show you how criminals operate a botnet. This is not meant as a tutorial and I do want to stress that running a botnet is illegal and could send you to jail.\r\nA nice home\r\nIn order to get into business the bad guys need a server that is hosted at a company that will turn a blind eye to their activities and also guarantee them some anonymity. Such companies are called Bulletproof hosting and can be found in most underground forums (Figure 1).\r\nhttps://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/\r\nPage 1 of 11\r\nFigure 1: an ad for Bulletproof hosting\r\nThose hosting firms are for the most part located in countries like China or Russia and therefore in their own jurisdiction where, so long as you don’t commit crimes against your own people, not a whole lot can happen to you. To cover their tracks even more, the bad guys use proxy or VPN services that disguise their own IP address.\r\nA shiny new toy\r\nOnce set up with a server, it is time to install what will be the mastermind program to create and organize an entire array (botnet) of infected computers worldwide. A variety of crimekits exist but in this post we will concentrate on Citadel.\r\nOnce again, the core installation files can be found in the underground community or through your own connections. Recently, the Citadel kit was withdrawn from forums to prevent too much exposure and attention. It costs around $3000 USD.\r\nFigure 2 shows what the package looks like. An instruction manual in both Russian and English is provided. The kit requires server software such as Apache, and PHP with a MySQL database to work properly.\r\nFigure 2: the Citadel package\r\nTo install Citadel, you simply browse to the install folder with your browser (Figure 3) and set up the main access username and password as well as database information.\r\nFigure 3: Citadel’s installation screen\r\nIn this testing, the installer did not automatically create the database but you can do so by hand (Figure 4):\r\nFigure 4: creating a database for Citadel’s exploit pack\r\nTo finally access the login page, you need to browse to the cp.php file (Figure 5):\r\nFigure 5: Citadel’s login page\r\nBefore logging in, I want to show you the other component that makes this package complete. It is called the builder (Figure 6) and is essentially used to create the piece of malware that criminals will distribute (forced installs through infected websites) and that links to their crimekit.\r\nFigure 6: creating the Citadel bot with the builder\r\nThe malware is built to avoid AV detection and is tested with online virus scanners like Scan4You, an equivalent to the popular VirusTotal except this one is totally anonymous and does not share uploaded samples with antivirus vendors. Speaking of which, once installed on the victim’s machine, the malware will prevent access to security sites (Figure 7).\r\nFigure 7: a list of antivirus vendors that are blocked by Citadel’s malware\r\nHere is an example of an infection from a Citadel Trojan.\r\nInfected PCs all report to the mothership and wait for orders. This is where it gets interesting because making malware is one thing but actually managing your own campaigns is the key to success. The Citadel control panel is well designed and puts a lot of features at your fingertips (Figure 8).\r\nFigure 8: Citadel’s Control Panel\r\nEach feature is actually a module written in PHP as seen in Figure 9. The control panel gives you an overview of the machines that have been infected. It’s a sort of Malware Analytics with stats by country, Operating System, etc…\r\nFigure 9: Citadel’s modules\r\nThe main purpose of Citadel is to steal banking credentials and so it’s no big surprise to see advanced search features to specifically look for financial institutions (Figure 10).\r\nFigure 10: Citadel’s advanced search features\r\nA password is a password whether it’s for a bank or something more common like a Facebook or Gmail account. In fact, you can customize any site that is of interest to you and capture the credentials. Notifications of successfully stolen passwords can be sent via Instant Message through the Jabber protocol (Figure 11).\r\nFigure 11: Citadel’s custom rules and notifications\r\nStolen credentials are harvested by various means:\r\nKeystroke logging\r\nScreenshot capture\r\nVideo capture\r\nA powerful feature used to trick users into revealing confidential information is dubbed WebInject. It is powerful because it happens in real time and is completely seamless. A WebInject is a piece of code that contains HTML and JavaScript which creates a fake pop-up that asks the victim for personal information within the context of logging into a site. The bad guys can trigger it in two ways: either automatically when a site of interest is opened by the victim, or manually on the fly.\r\nIt is the ultimate phishing tool because it does not go against any known proper precautions a user would normally take. For instance, the site’s URL is unchanged and shows the secure padlock with the financial institution’s SSL certificate (Figure 12). This type of hack is also called a man-in-the-middle attack.\r\nFigure 12: Man-in-the-middle attack through webinject\r\nIn case this method does not work (some people might get suspicious), the bad guys can always revert to a more direct approach with some ransomware. Citadel is also involved in the distribution of the FBI Moneypak (also known as Reveton) malware which locks the user out of his computer and demands $200 (Figure 13). It is customized based on the victim’s country of origin.\r\nFigure 13: Reveton ransomware distributed by Citadel Trojan\r\nSince a lot of people download music and movies from torrents or other shady sites, the message tricks them into thinking they have been caught by the local authorities. It’s a very smart scare tactic which works quite well, unfortunately. To add to the drama, the malware will attempt to turn on the user’s webcam as if they were already under surveillance.\r\nThe FBI has posted an article regarding this scam (http://www.fbi.gov/news/stories/2012/august/new-internet-scam) and urges people not to pay any money as it could get you into even more trouble.\r\nMalwarebytes users are protected against the FBI Moneypak malware. If you aren’t one of them and are already infected you can remove this ransomware by following these 3 steps:\r\n1. Reboot your computer into Safe Mode with Networking. (Instructions from Microsoft here)\r\n2. Download Malwarebytes Anti-Malware.\r\n3. Run Malwarebytes Anti-Malware and remove all malware (Figure 14)\r\nThat’s it!\r\nFigure 14: Reveton ransomware Trojan detected by Malwarebytes Anti-Malware.\r\nWhat’s next for Citadel?\r\nThe latest version (1.3.5.1), whose code name is Rain Edition, is getting pricey at $3931 but it includes a lot of valuable features (advanced support for Chrome and Firefox, improved WebInjects, smarter ‘on-the-fly’ updates to the Trojan, etc…).\r\nThe makers of Citadel are trying to keep a low enough profile to avoid gathering too much attention which could result in efforts to go after them (as we have seen with Zeus). Getting your hands on Citadel is more difficult because of a stricter validation process within the Russian underground.\r\nHow to protect yourself\r\nSeeing such technically advanced crimekits puts a lot of things into perspective. The methods used to steal personal information are so advanced and sneaky that even the most cautious user may get fooled. It is best to avoid infection in the first place by using a solution such as Malwarebytes Anti-Malware PRO that constantly protects your computer by blocking malicious sites and files. Using a combination of both safe online practices (if you ever feel uncomfortable disclosing personal information, give your bank a call or ask a friend) and a good anti-malware solution will keep you safe(r).\r\nSource: https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/"
	],
	"report_names": [
		"citadel-a-cyber-criminals-ultimate-weapon"
	],
	"threat_actors": [],
	"ts_created_at": 1775434626,
	"ts_updated_at": 1775791308,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11a4a22f7be8336a4073fd45c77798786b197d06.pdf",
		"text": "https://archive.orkl.eu/11a4a22f7be8336a4073fd45c77798786b197d06.txt",
		"img": "https://archive.orkl.eu/11a4a22f7be8336a4073fd45c77798786b197d06.jpg"
	}
}