{
	"id": "3f4682e2-a8f7-4867-8120-c484bc69ecf3",
	"created_at": "2026-04-06T15:53:19.877143Z",
	"updated_at": "2026-04-10T03:20:26.920449Z",
	"deleted_at": null,
	"sha1_hash": "74441e2083b75a750e20a210f930ca7aa8283b51",
	"title": "Hesperbot – A New, Advanced Banking Trojan in the Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 656087,
	"plain_text": "Hesperbot – A New, Advanced Banking Trojan in the Wild\r\nBy Robert Lipovsky\r\nArchived: 2026-04-06 15:34:26 UTC\r\nMalware\r\nA new and effective banking trojan has been discovered targeting online banking users in Turkey, the Czech\r\nRepublic, Portugal and the United Kingdom. It uses very credible-looking phishing-like campaigns, related to\r\ntrustworthy organizations, to lure victims into running the malware.\r\n04 Sep 2013  •  , 5 min. read\r\nA new and effective banking trojan has been discovered targeting online banking users in Turkey, the\r\nCzech Republic, Portugal and the United Kingdom. It uses very credible-looking phishing-like campaigns,\r\nrelated to trustworthy organizations, to lure victims into running the malware.\r\nFor technical analysis of the Win32/Spy.Hesperbot binaries see our three blog posts: Hesperbot - A New\r\nAdvanced Banking Trojan in the Wild, Hesperbot Technical Analysis Part 1/2 and Hesperbot Technical\r\nAnalysis Part 2/2. You can download the comprehensive whitepaper here.\r\nThe Story\r\nIn the middle of August we discovered a malware-spreading campaign in the Czech Republic. 
Our interest was first kindled by the site that the malware was hosted on – a domain that passed itself off as belonging to the Czech Postal Service – but more interesting findings followed.\r\nAnalysis of the threat revealed that we were dealing with a banking trojan, with similar functionality and identical goals to the infamous Zeus and SpyEye, but significant implementation differences indicated that this is a new malware family, not a variant of a previously known trojan.\r\nDespite being a “new kid on the block”, it appears that Win32/Spy.Hesperbot is a very potent banking trojan which features common functionalities, such as keystroke logging, creation of screenshots and video capture, and setting up a remote proxy, but also includes some more advanced tricks, such as creating a hidden VNC server on the infected system. And of course the banking trojan feature list wouldn’t be complete without network traffic interception and HTML injection capabilities. Win32/Spy.Hesperbot does all this in quite a sophisticated manner.\r\nWhen comparing the Czech sample to known malware in our collection, we discovered that we had already been detecting earlier variants generically as Win32/Agent.UXO for some time and that online banking users in the Czech Republic weren’t the only ones targeted by this malware. Banking institutions in Turkey and Portugal were also being targeted.\r\nThe aim of the attackers is to obtain login credentials giving access to the victim’s bank account and to get them to install a mobile component of the malware on their Symbian, Blackberry or Android phone. Keep reading for details on the malware spreading campaigns, their targets and for technical details on the trojan.\r\nhttps://www.welivesecurity.com/2013/09/04/hesperbot-a-new-advanced-banking-trojan-in-the-wild/\r\nPage 1 of 7\r\nThe Campaigns Timeline\r\nThe Czech malware-spreading campaign started on August 8, 2013. 
The perpetrators have registered the domain www.ceskaposta.net, which is very close to the real website of the Czech Postal Service, www.ceskaposta.cz.\r\nFigure 1 - Registration date of ceskaposta.net\r\nFigure 2 - Compilation timestamp of malware used in the Czech campaign\r\nThe domain was registered on August 7, 2013 and the first Hesperbot binaries (detected as Win32/Agent.UXO at first) distributed in the Czech Republic were compiled on the morning of August 8, 2013 and picked up by our LiveGrid® system moments later.\r\nIt’s probably not surprising that the attackers tried to lure potential victims into opening the malware by sending emails which looked like parcel tracking information from the Postal Service. Similar techniques have been used many times before (e.g. here and here). The filename used was zasilka.pdf.exe: “zasilka” is Czech for parcel (shipment), and the double extension makes an executable look like a PDF document on systems that hide known file extensions. The link in the email showed the legitimate www.ceskaposta.cz domain while pointing to www.ceskaposta.net, which many victims did not notice. Interestingly enough, the fake domain actually redirected to the real website when opened directly.\r\nIt should be noted that the Czech Postal Service responded very quickly by issuing a warning about the scam on their website.\r\nFigure 3 - Warning about the fraudulent e-mails issued by the Czech Postal Service\r\nWhile the Czech campaign was the one that caught our attention, the country most affected by this banking trojan is Turkey and Hesperbot detections in Turkey are dated even earlier than August 8.\r\nRecent peaks in botnet activity were observed in Turkey in July 2013, but we have also found older samples that go back at least as far as April 2013. 
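The Czech lure above combined two tricks that a mail gateway can check mechanically: link text naming www.ceskaposta.cz while the href pointed at the look-alike www.ceskaposta.net, and an attachment named zasilka.pdf.exe whose double extension hides the real file type. The Python below is an added example written for this page, not code from ESET or from the article; the HTML message body and attachment names are constructed to mirror the described lures, and the extension lists and the second-level-label comparison are simplifying assumptions (a production filter would consult the public suffix list instead of taking the second label from the right).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed lists for this example: final extensions Windows runs on double-click, and
# document-like extensions attackers put in front of them (zasilka.pdf.exe, fatura.pdf.exe).
EXECUTABLE_EXTS = {'exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'js', 'vbs'}
DOCUMENT_EXTS = {'pdf', 'doc', 'docx', 'xls', 'xlsx', 'jpg', 'png', 'txt'}


def registrable_name(host):
    '''Second label from the right: ceskaposta for both www.ceskaposta.cz and www.ceskaposta.net.
    Simplification for this example; a real filter would use the public suffix list.'''
    labels = host.lower().strip('.').split('.')
    return labels[-2] if len(labels) >= 2 else host.lower()


def host_of(text):
    '''Hostname named by a URL or bare domain in link text; empty for prose such as click here.'''
    text = text.strip()
    if ' ' in text or '.' not in text:
        return ''
    if '://' not in text:
        text = 'http://' + text
    return (urlsplit(text).hostname or '').lower()


class LinkCollector(HTMLParser):
    '''Collect (href, visible text) pairs for every anchor in an HTML mail body.'''

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href') or ''
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text)))
            self._href = None


def find_spoofed_links(html_body):
    '''Flag anchors whose visible text names one host while the href leads to another.
    lookalike_tld_swap marks the ceskaposta.cz / ceskaposta.net pattern specifically.'''
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        shown = host_of(text)
        actual = (urlsplit(href).hostname or '').lower()
        if shown and actual and shown != actual:
            findings.append({
                'shown': shown,
                'actual': actual,
                'lookalike_tld_swap': registrable_name(shown) == registrable_name(actual),
            })
    return findings


def find_double_extensions(filenames):
    '''Flag names of the form something.<document ext>.<executable ext>, case-insensitively.
    A plain setup.exe is deliberately not flagged: it is not pretending to be a document.'''
    hits = []
    for name in filenames:
        parts = name.lower().rsplit('.', 2)
        if len(parts) == 3 and parts[1] in DOCUMENT_EXTS and parts[2] in EXECUTABLE_EXTS:
            hits.append(name)
    return hits


# Constructed sample modelled on the lure described in the article; not a captured message.
SAMPLE_MAIL = '''
<html><body>
<p>Your parcel is on its way. Track it at
<a href='http://www.ceskaposta.net/track'>www.ceskaposta.cz</a>.</p>
<p>Questions? Visit <a href='https://www.ceskaposta.cz/contact'>https://www.ceskaposta.cz/contact</a></p>
<p><a href='http://198.51.100.7/dl'>click here</a></p>
</body></html>
'''
SAMPLE_ATTACHMENTS = ['zasilka.pdf.exe', 'fatura.PDF.EXE', 'invoice.pdf', 'setup.exe']

if __name__ == '__main__':
    for finding in find_spoofed_links(SAMPLE_MAIL):
        print('spoofed link:', finding)
    print('double extensions:', find_double_extensions(SAMPLE_ATTACHMENTS))
```

Running the block on the constructed message reports one spoofed link (shown www.ceskaposta.cz, actual www.ceskaposta.net, flagged as a TLD swap of the same name) and two double-extension attachments; the honest link whose text and href agree, the prose link and the single-extension files pass. The second-label comparison is what makes the .cz/.net swap stand out from an unrelated redirector, which is why it is reported separately rather than folded into the mismatch test.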
During the analysis of these older Turkish samples we found that they were sending debugging information to the C\u0026C server – an indicator that these variants were in the early stages of development. Additional research revealed that Turkey has been facing Hesperbot infections for some time now.\r\nThe campaigns used in Turkey are of a similar nature to the Czech campaign. The phishing-like e-mail that was sent to potential victims purported to be an invoice (fatura in Turkish) from TTNET (the largest ISP in Turkey). A malicious file with a double extension – .PDF.EXE – was used here too. An analysis of this campaign has been published on the website of the Turkish National Information Security Program.\r\nOnly later in our research did we find that the malware operators have shifted their sights towards Portugal. Similarly to the Turkish campaign, the malicious files were disguised as an invoice from a local service provider with a very large market share, Portugal Telecom.\r\nA variant designed to target computer users in the United Kingdom has also been found in the wild, but we cannot provide further details about its spreading campaign at the time of writing.\r\nIn the course of our research, we also stumbled upon an additional component used by Win32/Spy.Hesperbot. This malware, detected by ESET as Win32/Spy.Agent.OEC, harvests e-mail addresses from the infected system and sends them to a remote server. 
It is possible that these collected addresses were also targeted by the malware-spreading campaigns.\r\nTargeted Banks and Victims\r\nThe configuration files used by the malware’s HTTP interception and injection module specify which online banking websites are to be targeted by each botnet.\r\nCzech Republic\r\nFigure 4 - Czech banks targeted by Hesperbot\r\nTurkey\r\nFigure 5 - Turkish banks targeted by Hesperbot\r\nPortugal\r\nFigure 6 - Portuguese banks targeted by Hesperbot\r\nIn the case of the Turkish and Portuguese botnets, the configuration files also included web-injects, i.e. pieces of HTML code that the trojan would insert into the banks’ web-pages when viewed on the infected PC. This was not present in the Czech configuration file that we found, so most probably only simple form-grabbing and keylogging functionality was used in that instance. Because such injection happens on the infected PC, inside the victim’s browser and after the HTTPS connection to the bank has been decrypted, the altered page still appears under the bank’s genuine URL and HTTPS padlock.\r\nFigure 7 - Malicious scripts injected into Portuguese bank website. Notice that the URL address is legitimate, including the HTTPS protocol.\r\nAccording to our ESET LiveGrid® telemetry, as well as our hands-on research into the malware operation, we estimate that the number of people that may have fallen victim to the Hesperbot banking trojan is on the order of tens in the Czech Republic and Portugal (respectively) and several hundred in Turkey.\r\nDetection statistics per country are shown in the figure below. It has also come to our attention that victims in the Czech Republic have lost significant amounts of money as a result of infection by this malware. 
It’s quite possible that there are similarly unfortunate victims in Turkey and Portugal as well.\r\nFigure 8 - Detection statistics of Win32/Spy.Hesperbot according to ESET LiveGrid\r\nOur thorough technical analysis of the Win32/Spy.Hesperbot binaries can be found here and here. Refer to the comprehensive whitepaper for full details.\r\nSource: https://www.welivesecurity.com/2013/09/04/hesperbot-a-new-advanced-banking-trojan-in-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2013/09/04/hesperbot-a-new-advanced-banking-trojan-in-the-wild/"
	],
	"report_names": [
		"hesperbot-a-new-advanced-banking-trojan-in-the-wild"
	],
	"threat_actors": [],
	"ts_created_at": 1775490799,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/74441e2083b75a750e20a210f930ca7aa8283b51.pdf",
		"text": "https://archive.orkl.eu/74441e2083b75a750e20a210f930ca7aa8283b51.txt",
		"img": "https://archive.orkl.eu/74441e2083b75a750e20a210f930ca7aa8283b51.jpg"
	}
}