{
	"id": "78636bc9-a33a-4627-8686-ef424ad795e2",
	"created_at": "2026-04-06T01:29:38.652582Z",
	"updated_at": "2026-04-10T03:36:36.953684Z",
	"deleted_at": null,
	"sha1_hash": "958e0c9dcb4e7fd8e0bc0f62f2067f665bf724e5",
	"title": "Zeus (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 122895,
	"plain_text": "Zeus (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-06 00:51:27 UTC\r\nAccording to CrowdStrike, The two primary goals of the Zeus trojan horse virus are stealing people's financial\r\ninformation and adding machines to a botnet. Unlike many types of malware, most Zeus variants try to avoid\r\ndoing long-term damage to the devices they infect. Their aim is to avoid detection from antivirus software.\r\n2024-02-15 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nZeus, IcedID malware gangs leader pleads guilty, faces 40 years in prison\r\nEgregor IcedID Maze Zeus 2024-02-15 ⋅ Department of Justice ⋅ Office of Public Affairs\r\nForeign National Pleads Guilty to Role in Cybercrime Schemes Involving Tens of Millions of Dollars in Losses\r\nEgregor IcedID Maze Zeus 2023-03-14 ⋅ CrowdStrike ⋅ CrowdStrike\r\nThe Zeus Trojan Malware - Definition and Prevention\r\nZeus 2022-11-15 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nTop Zeus Botnet Suspect “Tank” Arrested in Geneva\r\nZeus 2022-10-31 ⋅ paloalto Netoworks: Unit42 ⋅ Or Chechik\r\nBanking Trojan Techniques: How Financially Motivated Malware Became Infrastructure\r\nDridex Kronos TrickBot Zeus 2022-04-15 ⋅ Center for Internet Security ⋅ CIS\r\nTop 10 Malware March 2022\r\nMirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus 2022-02-11 ⋅ Cisco Talos ⋅ Talos\r\nThreat Roundup for February 4 to February 11\r\nDarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus 2021-09-09 ⋅ Recorded Future ⋅ Insikt Group\r\nDark Covenant: Connections Between the Russian State and Criminal Actors\r\nBlackEnergy EternalPetya Gameover P2P Zeus 2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel\r\nThe State of SSL/TLS Certificate Usage in Malware C\u0026C Communications\r\nAdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex\r\nFindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT\r\nRockloader ServHelper Shifu SManager 
TorrentLocker TrickBot Vawtrak Zeus Zloader 2021-07-21 ⋅ Malwarebytes ⋅\r\nMalwarebytes\r\nThe life and death of the ZeuS Trojan\r\nZeus 2021-07-01 ⋅ Kryptos Logic ⋅ Kryptos Logic Vantage Team\r\nTrickBot and Zeus\r\nTrickBot Zeus 2021-05-07 ⋅ Department of Justice ⋅ Office of Public Affairs\r\nFour Individuals Plead Guilty to RICO Conspiracy Involving “Bulletproof Hosting” for Cybercriminals\r\nCitadel SpyEye Zeus 2021-04-02 ⋅ NRC Handelsblad ⋅ Carola Houtekamer, Rik Wassens\r\nThe cesspool of the internet is to be found in a village in North Holland\r\nZeus 2021-03-31 ⋅ Kaspersky ⋅ Kaspersky\r\nFinancial Cyberthreats in 2020\r\nBetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus 2021-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zeus\r\nPage 1 of 3\n\nThreat Profile: GOLD EVERGREEN\r\nCryptoLocker Pony Zeus GOLD EVERGREEN 2020-12-10 ⋅ US-CERT ⋅ FBI, MS-ISAC, US-CERT\r\nAlert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data\r\nPerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim\r\nREvil Ryuk Zeus 2020-08-09 ⋅ F5 Labs ⋅ Debbie Walkowski, Remi Cohen\r\nBanking Trojans: A Reference Guide to the Malware Family Tree\r\nBackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye\r\nTinba TrickBot Vawtrak Zeus 2020-07-17 ⋅ CERT-FR ⋅ CERT-FR\r\nThe Malware Dridex: Origins and Uses\r\nAndromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB\r\nMurofet Necurs Predator The Thief Zeus 2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua\r\nFeds Fighting Ransomware: How the FBI Investigates and How You Can Help\r\nFastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk\r\nSamSam Zeus 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE WOODLAND\r\nPlugX Zeus Roaming Tiger 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nGOLD 
EVERGREEN\r\nCryptoLocker Pony Zeus 2019-12-19 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nInside ‘Evil Corp,’ a $100M Cybercrime Menace\r\nDridex Gameover P2P Zeus Evil Corp 2017-11-02 ⋅ Anomali ⋅ Anomali\r\nCountry Profile: Russian Federation\r\nZeus 2017-05-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nEvolution of the GOLD EVERGREEN Threat Group\r\nCryptoLocker Dridex Dyre Gameover P2P Murofet TrickBot Zeus GOLD EVERGREEN 2017-03-21 ⋅ Wired ⋅ Chad\r\nHagen, Garrett M. Graff\r\nInside the Hunt for Russia’s Most Notorious Hacker\r\nGameover P2P Murofet Zeus 2014-07-02 ⋅ Trend Micro ⋅ Kervin Alintanahin, Ronnie Giagone\r\nKIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”\r\nFakeWord KIVARS PLEAD Poison RAT Zeus 2012-12-24 ⋅ Contagio Dump ⋅ Mila Parkour\r\nDec 2012 Linux.Chapro - trojan Apache iframer\r\nChapro Zeus 2010-09-07 ⋅ S21sec ⋅ Mikel Gastesi\r\nZeuS: The missing link\r\nZeus 2010-08-01 ⋅ Contagio Dump ⋅ Mila Parkour\r\nZeus Trojan Research Links\r\nZeus 2010-07-24 ⋅ Sophos ⋅ James Wyke\r\nWhy won’t my sample run?\r\nZeus 2010-07-14 ⋅ Contagiodump Blog ⋅ Mila Parkour\r\nZeuS Version scheme by the trojan author\r\nZeus 2010-05-03 ⋅ Symantec ⋅ Karthik Selvaraj\r\nA Brief Look at Zeus/Zbot 2.0\r\nZeus 2010-04-26 ⋅ Symantec ⋅ Peter Coogan\r\nSpyEye’s \"Kill Zeus\" Bark is Worse Than its Bite\r\nZeus 2010-04-19 ⋅ MalwareIntelligence ⋅ Jorge Mieres\r\nZeuS on IRS Scam remains actively exploited\r\nZeus 2010-03-15 ⋅ MalwareIntelligence ⋅ MalwareIntelligence\r\nNew phishing campaign against Facebook led by Zeus\r\nZeus 2010-03-10 ⋅ Secureworks ⋅ Don Jackson, Kevin Stevens\r\nZeuS Banking Trojan Report\r\nZeus 2010-02-20 ⋅ MalwareIntelligence ⋅ Jorge Mieres\r\nFacebook \u0026 VISA phishing campaign proposed by ZeuS\r\nZeus 2010-02-02 ⋅ EternalTODO Blog ⋅ Jose Miguel Esparza\r\nZeuS spreading via Facebook\r\nZeus 2010-01-25 ⋅ Ernesto Martin\r\nLeveraging ZeuS to send spam 
through social networks\r\nZeus 2010-01-01 ⋅ Mandiant ⋅ Ero Carrera, Peter Silberman\r\nState of Malware: Family Ties\r\nBredolab Conficker Cutwail KoobFace Oderoor Poison Ivy Rustock Sinowal Szribi Zeus 2009-11-06 ⋅ Eternal Todo ⋅\r\nJose Miguel Esparza\r\nNew ZeuS binary\r\nZeus 2009-10-01 ⋅ Eternal Todo ⋅ Jose Miguel Esparza\r\nDetecting ZeuS\r\nZeus 2009-07-11 ⋅ MalwareIntelligence ⋅ MalwareIntelligence\r\nSpecial!!! ZeuS Botnet for Dummies\r\nZeus 2009-01-01 ⋅ Symantec ⋅ Eric Chien, Nicolas Falliere\r\nZeus: King of the Bots\r\nZeus 2006-11-13 ⋅ Secure Science Corporation ⋅ Michael Ligh\r\nMalware Case Study - ZeusMalware\r\nZeus\r\n[TLP:WHITE] win_zeus_auto (20251219 | Detects win.zeus.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus"
	],
	"report_names": [
		"win.zeus"
	],
	"threat_actors": [
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "866c0c21-8de3-4ad5-9887-cecd44feb788",
			"created_at": "2022-10-25T16:07:24.130298Z",
			"updated_at": "2026-04-10T02:00:04.875929Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"Bronze Woodland",
				"CTG-7273",
				"Rotten Tomato"
			],
			"source_name": "ETDA:Roaming Tiger",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"BBSRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8ada819f-dec0-4de4-97eb-0a8aff899c56",
			"created_at": "2023-01-06T13:46:39.225531Z",
			"updated_at": "2026-04-10T02:00:03.251546Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD EVERGREEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5afe7b81-e99a-4c24-8fcc-250fb0cf40a3",
			"created_at": "2023-01-06T13:46:38.324616Z",
			"updated_at": "2026-04-10T02:00:02.928697Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"BRONZE WOODLAND",
				"Rotten Tomato"
			],
			"source_name": "MISPGALAXY:Roaming Tiger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee9a20b1-c6d6-42da-909d-66e7699723d1",
			"created_at": "2025-08-07T02:03:24.704306Z",
			"updated_at": "2026-04-10T02:00:03.722506Z",
			"deleted_at": null,
			"main_name": "BRONZE WOODLAND",
			"aliases": [
				"CTG-7273 ",
				"Roaming Tiger ",
				"Rotten Tomato "
			],
			"source_name": "Secureworks:BRONZE WOODLAND",
			"tools": [
				"Appat",
				"BbsRAT",
				"PlugX",
				"Zbot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438978,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/958e0c9dcb4e7fd8e0bc0f62f2067f665bf724e5.pdf",
		"text": "https://archive.orkl.eu/958e0c9dcb4e7fd8e0bc0f62f2067f665bf724e5.txt",
		"img": "https://archive.orkl.eu/958e0c9dcb4e7fd8e0bc0f62f2067f665bf724e5.jpg"
	}
}