{
	"id": "18e1b948-24f5-4b7a-91c7-c5e9a9b2d466",
	"created_at": "2026-04-06T00:22:21.335682Z",
	"updated_at": "2026-04-10T03:28:40.028419Z",
	"deleted_at": null,
	"sha1_hash": "4941d55e63df64165b3b140207e716d1228247f2",
	"title": "Sphinx: New Zeus Variant for Sale on the Black Market - Darkmatters",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56021,
	"plain_text": "Sphinx: New Zeus Variant for Sale on the Black Market -\r\nDarkmatters\r\nBy Bev Robb\r\nPublished: 2015-08-24 · Archived: 2026-04-02 12:16:34 UTC\r\nThe 0Day marketplace was a busy beaver this weekend. I’ve been waiting and watching Sphinx for the past 10\r\ndays to see if the 0Day admin would verify this new threat:\r\nNew Zeus Variant\r\nOn Sunday evening, Sphinx, a new variant of the Zeus banking trojan, was admin-verified. Sphinx is coded in C++\r\nand based on ZeuS source code and operates fully through the Tor network using a Tor hidden service. This\r\nvariant is listed as being immune to sinkholing, blacklisting, and the ZeuS tracker.\r\nThe seller claims that you do not need bulletproof hosting (generally immune from takedown requests) when\r\noperating a Sphinx botnet, though he still recommends it.\r\nSphinx Features (as listed in the forum with minor edits):\r\nMalware:\r\nFormgrabber and Webinjects for latest Internet Explorer, Mozilla Firefox and Tor Browser with cookie grabber and transparent page redirect (Webfakes).\r\nBackconnect SOCKS, VNC.\r\nSocks 4/4a/5 with UDP and IPv6 support.\r\nFTP, POP3 grabber.\r\nCertificate grabber.\r\nKeylogger.\r\nCertificate grabber:\r\nBy intercepting Windows functions, Sphinx is able to intercept certificates when they are in use. For example: for\r\nsigning a file – this is useful for getting file-signing certificates for signing your\r\nmalware to bypass all anti-virus.\r\nBackconnect VNC:\r\nThis is the most essential feature of a banking trojan. It allows you to make money transfers from the victim’s\r\ncomputer. Your VNC is done on a different desktop than the victim’s desktop, so it’s completely hidden.\r\nhttps://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/\r\nPage 1 of 4\n\nYou can steal money from the bank while the victim is playing multiplayer games or watching movies. Forget\r\nabout configuring the browser, because when carding with Sphinx you don’t need to.\r\nWith Backconnect VNC you can also remove anti-virus/rapport software from the victim’s computer. Port-forwarding for the victim is not required due to the use of Reverse connection.\r\nBackconnect SOCKS:\r\nUse your victims as a SOCKS proxy. Port-forwarding is not required due to use of Reverse connection.\r\nWebinjects:\r\nUsed for speeding up report gathering. With Webinjects you can change the content of a website and ask for more\r\ninformation. You can do such things as asking for credit-card data from victims’ PayPal/Amazon/Ebay/Facebook\r\nfor a successful login.\r\nWebinjects use ZeuS format. You have to create your own web injects or use those that are publicly available.\r\nSphinx uses ZeuS format so all released webinjects for Zeus/Spyeye/Citadel are compatible.\r\nWebfakes:\r\nUsed to do phishing attacks without having to trick the victim into going to a fake domain. For example: When\r\nconfigured for bankofamerica, the user is transparently redirected to your phishing site without changing the URL.\r\nInstallation:\r\nAt the moment, the bot is primarily designed to work under Windows Vista/Seven, with enabled UAC, and\r\nwithout the use of local exploits. Therefore, the bot is designed to work with minimal privileges (including the\r\nuser “Guest”).\r\nIn this regard the bot is always working within sessions-per-user. The bot can be set for each user in the OS, and\r\nthe bots do not know about each other. When you run the bot as a “LocalSystem” user it will attempt to infect all\r\nusers on the system.\r\nWhen you install Sphinx, the bot creates its copy in the user’s home directory. This copy is tied to the current user\r\nand OS, and cannot be run by another user. The original copy of the same bot that was used for installation will\r\nbe automatically deleted, regardless of the installation success.\r\nCommunication:\r\nSession with the server through a variety of processes from an internal “white list” that allows you to bypass most\r\nfirewalls. During the session, the bot can get the configuration to send the accumulated reports, report its\r\ncondition to the server, and receive commands to execute on the computer.\r\nThe session takes place via HTTP-protocol; all data sent by a bot and received from the server is encrypted with\r\na unique key for each botnet.\r\nWebpanel:\r\nSphinx command and control (C\u0026C) has not changed from ZeuS. Old ZeuS fans will be pleased to use this\r\ncomfortable bot network control system again. It’s coded in PHP using extensions mbstring and mysql.\r\nFeatures:\r\nXMPP notification.\r\nStatistics.\r\nBotlist.\r\nScripts.\r\nXMPP notification:\r\nYou can receive notifications from the Control Panel in a Jabber-account.\r\nAt the moment there is the possibility of receiving notifications about a user entering defined HTTP/HTTPS-resources. For example: it is used to capture a user session at an online bank.\r\nScripts:\r\nYou can control the bots by creating a script for them. Currently, syntax and scripting capabilities are very\r\nprimitive.\r\nBotlist:\r\nFiltering the list by country, botnets, IP-addresses, NAT-status, etc.\r\nDisplaying desktop screenshots in real time (only for bots outside NAT).\r\nMass inspection of the Socks-servers state.\r\nDisplays detailed information about the bots:\r\nWindows version, user language and time zone.\r\nLocation and computer IP-address (not for local).\r\nInternet connection speed (measured by calculating the load time of a predetermined HTTP-resource).\r\nThe first and last time of communication with the server.\r\nTime online.\r\nAbility to set comment for each bot.\r\nStatistics:\r\nNumber of infected computers.\r\nCurrent number of bots online.\r\nThe number of new bots.\r\nDaily activity of bots.\r\nCountry statistics.\r\nStatistics by OS.\r\nThe seller recommends “using Internet Explorer traffic for the exploit-kit in order to get maximal profit while\r\nusing Sphinx.”\r\nThe Sphinx kit is currently selling for $500 USD per binary, with Bitcoin and DASH as the only accepted methods\r\nof payment. To purchase: the seller has you register on a website where addresses for both BTC and DASH are\r\ngenerated.\r\nAfter the payment is received the buyer account is automatically validated and rights to edit the config and request\r\na build are granted. Upon finalization of the purchase, all wheeling and dealing is handled via XMPP. The seller\r\nalso includes escrow.\r\nNo further activity has been noted regarding Sphinx since the admin verified this new malware. Though there was\r\nsome rattling of bones when someone made mention of security researchers possibly discovering it and blogging\r\nabout it – all transactions appear to be occurring behind closed doors now.\r\nSource: https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/"
	],
	"report_names": [
		"sphinx-new-zeus-variant-for-sale-on-the-black-market"
	],
	"threat_actors": [
		{
			"id": "e90ec9cb-9959-455d-b558-4bafef64d645",
			"created_at": "2022-10-25T16:07:24.222081Z",
			"updated_at": "2026-04-10T02:00:04.903184Z",
			"deleted_at": null,
			"main_name": "Sphinx",
			"aliases": [
				"APT-C-15"
			],
			"source_name": "ETDA:Sphinx",
			"tools": [
				"AnubisSpy",
				"Backdoor.Oldrea",
				"Bladabindi",
				"Fertger",
				"Havex",
				"Havex RAT",
				"Jorik",
				"Oldrea",
				"PEACEPIPE",
				"njRAT",
				"yellowalbatross"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434941,
	"ts_updated_at": 1775791720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4941d55e63df64165b3b140207e716d1228247f2.pdf",
		"text": "https://archive.orkl.eu/4941d55e63df64165b3b140207e716d1228247f2.txt",
		"img": "https://archive.orkl.eu/4941d55e63df64165b3b140207e716d1228247f2.jpg"
	}
}