{
	"id": "e3710523-6c19-47fb-bdae-f27a72ad7c2e",
	"created_at": "2026-04-06T03:35:56.291502Z",
	"updated_at": "2026-04-10T03:28:40.01026Z",
	"deleted_at": null,
	"sha1_hash": "ae24e82fbb79f6a2b9701108793fea6adc178df9",
	"title": "Zeus OpenSSL (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 30892,
	"plain_text": "Zeus OpenSSL (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-06 03:25:34 UTC\r\nThis family describes the Zeus variant that includes a version of OpenSSL and is usually downloaded by Zloader.\r\nIn June 2016, version 1.5.4.0 (PE timestamp: 2016.05.11) appeared, downloaded by Zloader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked to it, thus its size is roughly 1.2 MB. In subsequent months, that size increased up to 1.6 MB.\r\nIn January 2017, with version 1.14.8.0, OpenSSL 1.0.2j was linked to it, increasing the size to 1.8 MB. Soon after, also in January 2017, with version v1.15.0.0, the code was obfuscated, blowing up the size of the binary to 2.2 MB.\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.\r\nZeus Sphinx on the one hand has the following versioning (\"slow increase\"):\r\n- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)\r\nZeus OpenSSL on the other hand has the following versioning (\"fast increase\"):\r\n- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)\r\n- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)\r\n- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)\r\n[TLP:WHITE] win_zeus_openssl_auto (20251219 | Detects win.zeus_openssl.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl"
	],
	"report_names": [
		"win.zeus_openssl"
	],
	"threat_actors": [
		{
			"id": "e90ec9cb-9959-455d-b558-4bafef64d645",
			"created_at": "2022-10-25T16:07:24.222081Z",
			"updated_at": "2026-04-10T02:00:04.903184Z",
			"deleted_at": null,
			"main_name": "Sphinx",
			"aliases": [
				"APT-C-15"
			],
			"source_name": "ETDA:Sphinx",
			"tools": [
				"AnubisSpy",
				"Backdoor.Oldrea",
				"Bladabindi",
				"Fertger",
				"Havex",
				"Havex RAT",
				"Jorik",
				"Oldrea",
				"PEACEPIPE",
				"njRAT",
				"yellowalbatross"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446556,
	"ts_updated_at": 1775791720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae24e82fbb79f6a2b9701108793fea6adc178df9.pdf",
		"text": "https://archive.orkl.eu/ae24e82fbb79f6a2b9701108793fea6adc178df9.txt",
		"img": "https://archive.orkl.eu/ae24e82fbb79f6a2b9701108793fea6adc178df9.jpg"
	}
}