{
	"id": "da27990a-6107-4b79-ba3f-fcb4d7c36dbd",
	"created_at": "2026-04-06T00:06:10.217243Z",
	"updated_at": "2026-04-10T13:11:42.94109Z",
	"deleted_at": null,
	"sha1_hash": "681d24ea9cb4ad5ec9b9dd7fd0c7c848bdbdd48e",
	"title": "Zeus OpenSSL - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52513,
	"plain_text": "Zeus OpenSSL - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 17:43:40 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Zeus OpenSSL\n Tool: Zeus OpenSSL\nNames\nZeus OpenSSL\nZeus Sphinx\nXSphinx\nCategory Malware\nType Banking trojan, Credential stealer, Botnet, Downloader\nDescription\n(Malpedia) In June 2016, the version 1.5.4.0 (PE timestamp: 2016.05.11) appeared,\ndownloaded by ZLoader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked\nto it, thus its size is roughly 1.2 MB. In subsequent months, that size increased up to 1.6 MB.\nIn January 2017, with version 1.14.8.0, OpenSSL 1.0.2j was linked to it, increasing the size to\n1.8 MB. Soon after also in January 2017, with version v1.15.0.0 the code was obfuscated,\nblowing up the size of the binary to 2.2 MB.\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl 'Zeus Sphinx',\nafter mentioning it as 'a new version of Zeus Sphinx' in their initial post in August 2016.\nMalpedia thus lists the alias 'Zeus XSphinx' for win.zeus_openssl - the X to refer to IBM X-Force.\nZeus Sphinx on the one hand has the following versioning ('slow increase')\n- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)\n- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)\n- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)\nZeus OpenSSL on the other hand has the following versioning ('fast increase')\n- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)\n- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)\n- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)\nInformation https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0e1c08c2-3e35-4ad7-bb51-3c135b5065d8\nPage 1 of 2\n\nMalpedia\nLast change to this tool card: 24 May 2020\nDownload this tool card in JSON format\nAll groups using tool Zeus OpenSSL\nChanged Name Country Observed\nOther groups\n Bamboo Spider, TA544 [Unknown] 2016-Apr 2022\n1 group listed (0 APT, 1 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0e1c08c2-3e35-4ad7-bb51-3c135b5065d8\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0e1c08c2-3e35-4ad7-bb51-3c135b5065d8\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0e1c08c2-3e35-4ad7-bb51-3c135b5065d8"
	],
	"report_names": [
		"listgroups.cgi?u=0e1c08c2-3e35-4ad7-bb51-3c135b5065d8"
	],
	"threat_actors": [
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03a8107a-f669-41af-ba79-41b1cbdc4654",
			"created_at": "2023-01-06T13:46:39.228649Z",
			"updated_at": "2026-04-10T02:00:03.25247Z",
			"deleted_at": null,
			"main_name": "BAMBOO SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BAMBOO SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90ec9cb-9959-455d-b558-4bafef64d645",
			"created_at": "2022-10-25T16:07:24.222081Z",
			"updated_at": "2026-04-10T02:00:04.903184Z",
			"deleted_at": null,
			"main_name": "Sphinx",
			"aliases": [
				"APT-C-15"
			],
			"source_name": "ETDA:Sphinx",
			"tools": [
				"AnubisSpy",
				"Backdoor.Oldrea",
				"Bladabindi",
				"Fertger",
				"Havex",
				"Havex RAT",
				"Jorik",
				"Oldrea",
				"PEACEPIPE",
				"njRAT",
				"yellowalbatross"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433970,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/681d24ea9cb4ad5ec9b9dd7fd0c7c848bdbdd48e.pdf",
		"text": "https://archive.orkl.eu/681d24ea9cb4ad5ec9b9dd7fd0c7c848bdbdd48e.txt",
		"img": "https://archive.orkl.eu/681d24ea9cb4ad5ec9b9dd7fd0c7c848bdbdd48e.jpg"
	}
}