{
	"id": "2bf1021d-b7d2-45ee-97ba-7e65c3d14c1c",
	"created_at": "2026-04-06T00:17:44.731997Z",
	"updated_at": "2026-04-10T13:11:58.68624Z",
	"deleted_at": null,
	"sha1_hash": "49c2719eb3f4668ff479cb3ca1ae5ef6b273b42d",
	"title": "Everything You Need to Know about the Notorious Zeus Gameover Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 147860,
	"plain_text": "Everything You Need to Know about the Notorious Zeus Gameover Malware\r\nBy Morten Kjaersgaard\r\nPublished: 2021-08-27 · Archived: 2026-04-05 13:58:56 UTC\r\nWhen you read the headline you may think that this is game over for the Zeus malware, but in fact we are talking about the Zeus Gameover P2P variant. This new variant, in whose global takedown with the FBI and Europol Heimdal was recently involved, is the latest evolution of a highly advanced piece of malware.\r\nTo give you an overview of the problem, we must understand what Zeus P2P does, why it spreads and how widespread it is.\r\nHow does Zeus Gameover work?\r\nFirst of all, this variant of the malware poses a real problem because it constantly looks for data on your network or PC that it identifies as valuable, either via identification commands or via predefined algorithms.\r\nTypically, a Zeus infection looks for personal data, credit card information, customer data or secret corporate information.\r\nAfter Zeus P2P finds what it is looking for, it can instantly send that information to other peers in its network, anywhere in the world. This means that data from your internal network can be moved out of the network instantly to another computer that is also in the Zeus P2P network. That computer can be located anywhere.\r\nThe illustration below shows a simple overview of Zeus P2P communication.\r\nhttps://heimdalsecurity.com/blog/security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy/\r\nPage 1 of 5\n\nThe blue lines on the illustration indicate incoming traffic and the red lines indicate outgoing traffic.\r\nHow to secure your company from Zeus GameOver?\r\nIf your company uses a firewall or proxy, as indicated by note 1 in the diagram, you have relatively good protection if your proxy is updated and knows what to look for. 
Most likely though, it isn’t, because Zeus Gameover communicates with other companies and IP addresses that you probably wouldn’t want to block, because doing so would prohibit your employees from working.\r\nBlocking at proxy level would mean enforcing organization-wide limitations. This will result in less productivity for your entire organization, not just the infected computer. Now you might be thinking, “how much would we be blocking?”.\r\nWell, honestly, a LOT! Thousands of corporations out there are infected with Zeus P2P, and as many as 1.2 million computers were infected prior to the takedown of Zeus.\r\nThat number is lower now, but infections can easily pick up again if the infrastructure is rebuilt, and many computers are still infected, so you would be blocking widely.\r\nThe same problem arises with traffic scanners, as per note 2, which work at a corporate level, as they would block entire IP ranges or DNS ranges.\r\nIf you are a smaller company just using an antivirus solution, gateway or firewall, as per note 3, you are simply highly exposed to the Zeus P2P dangers, because it will pass straight through your security measures. See what the difference between antivirus and antimalware is and how they should complement each other.\r\nIn relation to notes 1 and 2, although not related to Zeus Gameover, I would like to give you an example of a similar problem that antivirus makers are facing, just to give you a picture you could relate to.\r\nSome antivirus manufacturers have a problem similar to corporate-wide blocking, where they block entire websites instead of just the malicious content that their scanner found on a given website. 
These “false positives” result in your company being blocked from using services on legitimate websites, which could be anything from government to private enterprises.\r\nSo why is it so difficult to protect yourself from Zeus P2P Gameover?\r\nWell, first of all, it is a highly persistent threat that infects networks with low detection rates due to its polymorphic nature.\r\nSecondly, once infected, it is hard to remove the infection from a client, because the new Gameover version contains a Necurs rootkit. This often means that the easiest way of getting rid of the problem is to wipe the infected client. However, chances are that it will easily get infected again.\r\nThirdly, once Zeus is inside, it will easily communicate with other peers or look for new ones if the ones on its default list are unreachable. If that also fails, Zeus will turn to its DGA (domain generation algorithm) to find peers.\r\nWhy isn’t it possible to block Zeus traffic then?\r\nWell, as described above, if you block at a corporate level, then you will block all domains or IP addresses that are Zeus infected. First of all, obtaining data about who is infected is more than difficult and requires a security solution with massive intelligence. Secondly, it’s not viable, because you will be blocking so much that you will prohibit your organization from working efficiently.\r\nHow can you best relate this problem to the real world?\r\nWell, imagine you live in New York City. You and your family (your PC) live on 5th Avenue and your friend (wsj.com) lives on Wall Street. You know that someone on your friend’s street is sick with a virus, so you prohibit your family from visiting by blocking the entrance to Wall Street. 
Then naturally you can’t get in to visit, but your daughter needs something from your friend, so the only way to make that happen is to open the roadblock.\r\nJumping back to cyberspace, what you could do is use client software to block the infection. This way you can both prohibit your computer from spreading the infection and at the same time prohibit your computer from sending and receiving information to and from other peers and the controlling servers.\r\nHow can Heimdal help to protect you from Zeus Gameover?\r\nOne way to do this is using Heimdal Threat Prevention, as it has the intelligence capability to block this. It works by prohibiting an infected computer from talking to DGA servers or from talking to known infected websites or addresses. This means that you can even install Heimdal on an infected computer and it would block the data trying to be sent from your computer.\r\nHeimdal also offers infection detection by spotting the communication attempts.\r\nWhy can’t you just use your antivirus solution? Well, having a history in the antivirus industry at BullGuard as CCO, I might be a little biased in which antivirus I would favor. But generally speaking, antivirus solutions focus mainly on file behavior or behavior on the computer. Some also depend on other heuristic algorithms or behavioral engines.\r\nWith morphing viruses such as Zeus, that means a low detection rate, because the signature and MD5 hash change all the time. This is also why Zeus is effectively able to spread.\r\nDoes this mean that you should just scrap your antivirus solution? 
No, absolutely not, but it does mean that you need multiple layers of protection on the client.\r\nAntivirus is no longer enough to keep an organization’s systems secure.\r\nHeimdal® DNS Security Solution\r\nIs our next gen proactive DNS-layer security that stops unknown threats before they reach your endpoints.\r\nMachine learning powered scans for all incoming online traffic;\r\nStops data breaches before sensitive info can be exposed to the outside;\r\nAdvanced DNS, HTTP and HTTPS filtering for all your endpoints;\r\nProtection against data leakage, APTs, ransomware and exploits;\r\nConclusion\r\nReviewing the extent of the Zeus Gameover P2P problem, the latest numbers in our database estimate that as many as 1.2 million computers worldwide were infected up until the takedown operation. The worst fear is that this number could easily recover if the infrastructure is restored.\r\nZeus P2P tried to Gameover the antivirus industry with its latest version and the struggle is still ongoing.\r\nMorten Kjaersgaard is the Founder and Chairman of Heimdal®, a global leader in AI-powered cybersecurity. Under his leadership, Heimdal has grown from a startup in Copenhagen to a trusted security partner for over 16,000 organizations and more than 2,000 MSPs worldwide, defending against 260+ million cyber threats annually. With a sharp focus on unifying cybersecurity operations, Morten is recognized for his ability to align technical innovation with strategic business outcomes. His insights have shaped how organizations and partners alike approach risk reduction, compliance, and security maturity in an increasingly complex digital world. 
A respected voice in the industry, Morten frequently shares his expertise at international events and through media commentary—championing a more proactive, collaborative, and scalable model for cybersecurity success.\r\nSource: https://heimdalsecurity.com/blog/security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://heimdalsecurity.com/blog/security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy/"
	],
	"report_names": [
		"security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy"
	],
	"threat_actors": [],
	"ts_created_at": 1775434664,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49c2719eb3f4668ff479cb3ca1ae5ef6b273b42d.pdf",
		"text": "https://archive.orkl.eu/49c2719eb3f4668ff479cb3ca1ae5ef6b273b42d.txt",
		"img": "https://archive.orkl.eu/49c2719eb3f4668ff479cb3ca1ae5ef6b273b42d.jpg"
	}
}