{
	"id": "20148c26-2541-43aa-a791-1ab803378626",
	"created_at": "2026-04-06T00:07:26.414107Z",
	"updated_at": "2026-04-10T13:11:56.013979Z",
	"deleted_at": null,
	"sha1_hash": "536eb548053c058e93f1ec62b7cd1c56e5587009",
	"title": "ZeuS on IRS Scam remains actively exploited",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 95377,
	"plain_text": "ZeuS on IRS Scam remains actively exploited\r\nArchived: 2026-04-05 18:43:16 UTC\r\nMalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security,\r\ncriminology computing and information security in general, always from a perspective closely related to the\r\nfield of intelligence.\r\nUpdated 19.04.2010\r\nA new wave of IRS scam domains employed by ZeuS is under way. So far we have detected only a few, but we\r\nbelieve that in the coming hours many more will begin to appear on the crime scene, following this old strategy used by\r\nZeuS.\r\nThe domains, as usual, have the following structure:\r\nirs.gov.rewsserr.eu/fraud.applications/application/statement.php\r\nFrom there, an attempt is made to download the ZeuS binary under the name tax-statement.exe\r\n(6898fb162ceaf75a7f3690d51b0e8967): 36/40 (90.00%)\r\nThe other domains detected are:\r\nList of domains used\r\nhttp://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html\r\nUpdated 31.03.2010\r\nThe ZeuS campaign spreading scams that allude to the IRS, among others, is still very active. 
New domains are in the wild, spreading a variant of the ZeuS trojan.\r\nThis variant of the trojan, which spreads under the name tax-statement.exe\r\n(6898fb162ceaf75a7f3690d51b0e8967), has a high detection rate.\r\nZeuS IRS Scam update list 31.03.2010\r\nUpdated 27.02.2010\r\nZeuS IRS Scam update list 27.02.2010\r\nUpdated 24.02.2010. 
More domains used by ZeuS for its infection campaign under the IRS logo, with the same\r\nDrive-by-Download.\r\nUpdated 20.02.2010\r\nZeuS creators have launched a new infection campaign using as cover a false notification purportedly issued by\r\nthe U.S. IRS (Internal Revenue Service), through which a variant of the trojan\r\n(MD5: 14FBCE4A3F67E46B18308AC6824B2A00), responsible for recruiting zombies, is spread. 
It has a high detection\r\nrate.\r\nIn addition, an iframe tag associated with the address\r\nhxxp://109.95.114.251/usa50/in.php is injected into the page's source code, triggering a Drive-by-Download attack.\r\nThe domains involved in this new campaign are:\r\n
Original 14.02.2010\r\nLast year (2009) saw several scams propagated by ZeuS as an attack strategy, alluding to the IRS (Internal\r\nRevenue Service), an agency under the Department of the Treasury of the United States, through which a variant\r\nof the ZeuS trojan family is disseminated.\r\nToday, this same strategy is being actively exploited in another campaign of domains registered with false names\r\nsimilar to the actual IRS page, which spread a new variant of the ZeuS trojan; the aim is clearly\r\nto recruit zombies so that its extensive network can grow. 
Here we can see a screenshot of the new scam.\r\nThe message response to an alleged tax\r\nattached to it, and that according to the same message must be downloaded and run to view the statement.\r\nIn this phase of the deception, a binary called tax-statement.exe\r\n(9F0F75BA042B3CB0471749EC2416945B) is downloaded, which has a very acceptable level of detection by antivirus engines,\r\nbeing detected by 37 of 40.\r\nThe domains involved in this campaign are:\r\nYou can download the list of domains used by ZeuS for the IRS scam from the following link:\r\nZeuS IRS Domains\r\nZeuS presents a wide range of domain names according to its propagation strategies, and throughout its time\r\n\"In-the-Wild\" many strategies have been known and used to obtain financial information of all\r\nkinds from victims' computers.\r\nUndoubtedly, ZeuS is the \"creme de la creme\" of crimeware of its kind.\r\nRelated information\r\nZeus and the theft of sensitive information\r\nLeveraging 
ZeuS to send spam through social networks\r\nZeuS Botnet y su poder de reclutamiento zombi\r\nZeuS, spam y certificados SSL\r\nEficacia de los antivirus frente a ZeuS\r\nSpecial!!! ZeuS Botnet for Dummies\r\nBotnet. Securización en la nueva versión de ZeuS\r\nFusión. Un concepto adoptado por el crimeware actual\r\nZeuS Carding World Template. (...) la cara de la botnet\r\nFinancial institutions targeted by the botnet Zeus. Part two\r\nFinancial institutions targeted by the botnet Zeus. Part one\r\nLuckySploit, the right hand of ZeuS\r\nBotnet Zeus. Mass propagation of his Trojan. Part two\r\nBotnet Zeus. Mass propagation of his Trojan. Part one\r\nJorge Mieres\r\nSource: http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html"
	],
	"report_names": [
		"zeus-on-irs-scam-remains-actively.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434046,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/536eb548053c058e93f1ec62b7cd1c56e5587009.pdf",
		"text": "https://archive.orkl.eu/536eb548053c058e93f1ec62b7cd1c56e5587009.txt",
		"img": "https://archive.orkl.eu/536eb548053c058e93f1ec62b7cd1c56e5587009.jpg"
	}
}