{
	"id": "e55d8f2e-c75b-4dfc-a8f5-b1174f994f20",
	"created_at": "2026-04-06T00:11:49.457537Z",
	"updated_at": "2026-04-10T13:12:34.674928Z",
	"deleted_at": null,
	"sha1_hash": "fba87fc240675ccab104c3519f468125b7061d67",
	"title": "Zeus Sphinx (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 30509,
	"plain_text": "Zeus Sphinx (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 22:29:02 UTC\r\nThis family describes the vanilla Zeus-variant that includes TOR (and Polipo proxy). It has an almost 90% overlap\r\nwith Zeus v2.0.8.9.\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as\r\n\"a new version of Zeus Sphinx\" in their initial post in August 2016. Malpedia thus lists the alias \"Zeus XSphinx\"\r\nfor win.zeus_openssl - the X to refer to IBM X-Force.\r\nZeus Sphinx on the one hand has the following versioning (\"slow increase\")\r\n- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)\r\nZeus OpenSSL on the other hand has the following versioning (\"fast increase\")\r\n- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)\r\n- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)\r\n- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)\r\n[TLP:WHITE] win_zeus_sphinx_auto (20251219 | Detects win.zeus_sphinx.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx"
	],
	"report_names": [
		"win.zeus_sphinx"
	],
	"threat_actors": [
		{
			"id": "e90ec9cb-9959-455d-b558-4bafef64d645",
			"created_at": "2022-10-25T16:07:24.222081Z",
			"updated_at": "2026-04-10T02:00:04.903184Z",
			"deleted_at": null,
			"main_name": "Sphinx",
			"aliases": [
				"APT-C-15"
			],
			"source_name": "ETDA:Sphinx",
			"tools": [
				"AnubisSpy",
				"Backdoor.Oldrea",
				"Bladabindi",
				"Fertger",
				"Havex",
				"Havex RAT",
				"Jorik",
				"Oldrea",
				"PEACEPIPE",
				"njRAT",
				"yellowalbatross"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434309,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fba87fc240675ccab104c3519f468125b7061d67.pdf",
		"text": "https://archive.orkl.eu/fba87fc240675ccab104c3519f468125b7061d67.txt",
		"img": "https://archive.orkl.eu/fba87fc240675ccab104c3519f468125b7061d67.jpg"
	}
}