{
	"id": "deb137e9-707c-44b3-a391-d18dc38bf920",
	"created_at": "2026-04-06T00:17:39.248047Z",
	"updated_at": "2026-04-10T13:11:35.14742Z",
	"deleted_at": null,
	"sha1_hash": "d7d5553160ccad382af367fd6db4ac906261a418",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48727,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-05 16:07:25 UTC\r\nThe Zeus crimeware toolkit has been around now for a while and has grown over time to be the most established\r\ncrimeware toolkit in the underground economy. In late December 2009 a new crimeware toolkit emanating from\r\nRussia—known as SpyEye V1.0—started to appear for sale on Russian underground forums. Retailing at $500, it\r\nis looking to take a chunk of the Zeus crimeware toolkit market. Symantec detects this threat as Trojan.Spyeye.\r\nSince it is relatively new, we are not seeing a lot of SpyEye activity yet. However, given some time and the\r\nobserved rate of development for this crimeware toolkit, SpyEye could be a future contender for king of the\r\ncrimeware toolkits.\r\nSpyEyeLogo.JPG\r\nThe SpyEye toolkit is similar to Zeus in a lot of ways. It contains a builder module for creating the Trojan bot\r\nexecutable with config file and a Web control panel for command and control (C\u0026C) of a bot net. Some of the\r\nadvertised features online are:\r\n•    Formgrabber (Keylogger)\r\n•    Autofill credit card modules\r\n•    Daily email backup\r\n•    Encrypted config file\r\n•    Ftp protocol grabber\r\n•    Pop3 grabber\r\n•    Http basic access authorization grabber\r\n•    Zeus killer\r\nNew revisions of SpyEye, with additional features, are being released on a regular basis. The latest version\r\n(V1.0.7) contains an interesting new feature called “Kill Zeus” that we have yet to substantiate. SpyEye hooks the\r\nsame Wininet API (Wininet.dll) HttpSendRequestA as used by Zeus for communications. 
If a system\r\ninfected with SpyEye were also infected with Zeus, this shared hook would let SpyEye capture and report the\r\nHTTP requests Zeus sends to its C\u0026C server.\r\n[Image] An example of a Zeus C\u0026C server report, taken from an underground forum\r\nThe new Kill Zeus feature is optional during the Trojan build process, but it supposedly goes as far as allowing\r\nyou to delete Zeus from an infected system, meaning only SpyEye should remain running on the compromised\r\nsystem. If the use of SpyEye takes off, it could dent Zeus bot herds and lead to retaliation from the creators of the\r\nZeus crimeware toolkit. This, in turn, could lead to another bot war such as we have seen in the past with Beagle,\r\nNetsky, and Mydoom.\r\n[Image] An example of the SpyEye Trojan builder control panel\r\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6aa65e05-2a44-4dd3-be3d-6dbb06cc94ad\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments\r\nPage 1 of 2\n\nAnother feature of SpyEye is the ability to load additional threats onto infected SpyEye systems, by country, using\r\nthe SpyEye control panel GUI as shown below:\r\n[Image] The SpyEye control panel, showing the per-country loader\r\nSymantec will continue to monitor the progression of this toolkit and update detection as necessary. Remember to\r\nkeep your definitions up to date to ensure you have the best protection against new threats.  
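Added example, not part of the original Symantec post: the post says SpyEye and Zeus both hook wininet!HttpSendRequestA, and that the shared hook is what lets SpyEye see Zeus C&C traffic. The Python below is a small offline check, written here for illustration, that decides whether the first bytes of an API prologue have been overwritten with a control-flow redirect (the jmp rel32, jmp [abs32] and push/ret patterns an inline hook typically uses) and whether the redirect target lies outside the module that owns the function. The addresses, module bounds and prologue bytes are constructed for the example, not captured from SpyEye or Zeus; in a live triage you would read the bytes at the export address with ReadProcessMemory and pass in the real wininet.dll bounds.

```python
# Added example (not from the Symantec post): heuristic detection of inline
# hooks on an API prologue such as wininet!HttpSendRequestA. Works on byte
# dumps only, so it runs anywhere; addresses below are constructed.
import struct

# Constructed sample: the classic hot-patchable Windows prologue
#   mov edi,edi ; push ebp ; mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex('8bff558bec')

# Hypothetical addresses for the example (not real load addresses).
FUNC_VA = 0x77A04B10        # pretend address of HttpSendRequestA
MODULE_START = 0x77A00000   # pretend wininet.dll image range
MODULE_END = 0x77AC0000
BOT_CODE_VA = 0x00401000    # stands in for code inside the bot's own image


def decode_hook(prologue, func_va):
    '''Return (kind, target) if the first instruction redirects control flow,
    else (None, None). func_va is the virtual address the bytes were read from.'''
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        # E9 rel32: jmp relative to the end of the 5-byte instruction
        rel = struct.unpack('<i', prologue[1:5])[0]
        return 'jmp_rel32', (func_va + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0:2] == bytes.fromhex('ff25'):
        # FF 25 abs32: jmp through a pointer stored at abs32
        return 'jmp_indirect', struct.unpack('<I', prologue[2:6])[0]
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        # 68 imm32 ; C3: push target, ret
        return 'push_ret', struct.unpack('<I', prologue[1:5])[0]
    return None, None


def classify(prologue, func_va, module_start, module_end):
    '''Classify a prologue as clean, hooked (control leaves the module) or
    intra_module (a redirect that stays inside the owning module, which is
    what legitimate hot patching looks like).'''
    kind, target = decode_hook(prologue, func_va)
    if kind is None:
        return 'clean'
    if kind == 'jmp_indirect':
        # target is the address of a pointer, not of code; without reading
        # the pointer we cannot vouch for it, so flag it.
        return 'hooked'
    if module_start <= target < module_end:
        return 'intra_module'
    return 'hooked'


def make_jmp_rel32(func_va, target):
    '''Build the 5-byte jmp rel32 an inline hook writes at func_va, used here
    only to construct the hooked sample for the demonstration.'''
    rel = (target - (func_va + 5)) & 0xFFFFFFFF
    return bytes([0xE9]) + struct.pack('<I', rel)


def demo():
    '''Run the check over the constructed samples and return the verdicts.'''
    samples = {
        'clean': CLEAN_PROLOGUE,
        'bot_jmp': make_jmp_rel32(FUNC_VA, BOT_CODE_VA),
        'hotpatch_jmp': make_jmp_rel32(FUNC_VA, 0x77A05000),
        'indirect_jmp': bytes.fromhex('ff2500104000'),
        'push_ret': bytes.fromhex('6800104000c3'),
    }
    return {name: classify(b, FUNC_VA, MODULE_START, MODULE_END)
            for name, b in samples.items()}


if __name__ == '__main__':
    for name, verdict in demo().items():
        print(name, verdict)
```

The intra_module class exists because a jmp at a function entry is not by itself malicious: Microsoft hot patching rewrites the mov edi,edi with a short jump into the same module. This check only sees inline prologue patches; a hook installed by overwriting the import table (IAT) or export table leaves the prologue bytes untouched and needs a separate comparison of those tables against the on-disk image.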
\r\nSpecial thanks to Mario Ballano Barcena for his analysis.\r\nSource: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6aa65e05-2a44-4dd3-be3d-6dbb06cc94ad\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6aa65e05-2a44-4dd3-be3d-6dbb06cc94ad\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"report_names": [
		"viewdocument?DocumentKey=6aa65e05-2a44-4dd3-be3d-6dbb06cc94ad\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68\u0026tab=librarydocuments"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434659,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d7d5553160ccad382af367fd6db4ac906261a418.pdf",
		"text": "https://archive.orkl.eu/d7d5553160ccad382af367fd6db4ac906261a418.txt",
		"img": "https://archive.orkl.eu/d7d5553160ccad382af367fd6db4ac906261a418.jpg"
	}
}