Zeus
ZeuS is a banking Trojan first introduced in 2007 and widely recognized as an early precursor to the modern infostealer ecosystem. Its original purpose was to covertly steal victims' financial information: online banking credentials, account numbers, passwords, PINs, and related banking data. The malware was commonly delivered through phishing emails, spam campaigns, links to compromised websites, and drive-by downloads; several of the cited reports specifically describe phishing emails carrying ZeuS or directing victims to compromised sites that infected them. ZeuS was also distributed at scale through infrastructure such as Avalanche and was used in attacks against businesses, municipalities, churches, and other organizations, with particular emphasis on small- and mid-sized businesses in the United States and Europe.
The cited sources consistently describe the malware as a banking Trojan and credential stealer. Reported capabilities include theft of banking credentials, financial information, and other sensitive data; browser-focused interception techniques such as memory injection and man-in-the-browser keylogging; and use in account takeover fraud that enabled unauthorized ACH and wire transfers. The sources also state that ZeuS was used in large-scale online banking heists and that botnets powered by ZeuS contributed to losses exceeding $100 million, while other reporting cited roughly $70 million stolen in one major multinational case and more than $200 million attributed collectively to crime rings using Bogachev's ZeuS banking Trojan.
ZeuS is strongly associated in the cited sources with Russian-speaking cybercrime actors. Multiple sources link it to Evil Corp, described as a Russian cybercrime group active since 2007 and also associated with Dridex and later ransomware operations. The malware is also closely tied to Evgeniy Mikhailovich Bogachev, identified by aliases including slavik and lucky12345, whom U.S. authorities and the FBI accuse of building and distributing the ZeuS banking Trojan. The sources further reference the JabberZeuS crew and the Business Club/Gameover ZeuS ecosystem, indicating that ZeuS was used by organized criminal groups with money mule networks and international cash-out operations.
The source code for ZeuS leaked in 2011, which the cited reporting says accelerated the growth of the broader infostealer ecosystem and influenced later malware families. The reporting also states that ZeuS development was reportedly terminated and its code base merged with SpyEye, while Gameover ZeuS was based on ZeuS code and evolved into a major botnet responsible for more than one million infections and over $100 million in losses. ZeuS is also cited as malware historically associated with later families and operations including Dridex and Chthonic, and as a payload installed by other botnets such as Mariposa.
High-confidence indicators and identifiers mentioned in the cited sources are primarily naming and attribution references rather than technical IOCs: aliases include Zeus and ZeuS; related variants include Gameover ZeuS/GOZ and JabberZeuS; and associated actors include Evgeniy Mikhailovich Bogachev, Evil Corp, and the JabberZeuS crew.
Groups observed using it
9 distinct threat actors attributed by public researchers.
SocGholish is linked to the Russian cybercriminal group Evil Corp. This group has previously been responsible for Zeus and Dridex malware and is also associated with several large-scale ransomware and money-laundering operations.
During 1H2010, the criminals instead emphasized the Avalanche infrastructure as a major distribution point for the notorious Zeus Trojan. Zeus is a sophisticated piece of malware that is in the hands of many different e-criminals.
These days it seems more often involved in sending emails that try to trick recipients into opening malware-laden attachments, most often variants of the ZeuS and SpyEye trojans.
Unit 42 identified ten strains of info-stealers popular with SilverTerrier: AgentTesla, Atmos, AzoRult, ISpySoftware, ISR Stealer, KeyBase, LokiBot, Pony, PredatorPain, and Zeus.
The JabberZeuS Crew, the Business Club, and other crime rings collectively pocketed over $200 million from U.S. and U.K. financial institutions using Evgeniy Bogachev’s ZeuS banking trojan...
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
4 techniques
In November 2010, Panin allegedly received the source code and rights to sell Zeus from Evginy Bogachev, a/k/a Slavik, and incorporated many components of Zeus into SpyEye.
According to data recorded by Abuse.ch, some of the domains Microsoft seized appear to belong to legitimate businesses whose sites were compromised and used to host components of the malware infrastructure.
Initial Access
4 techniques
These lures took victims to “drive-by download” sites, where the criminals infected vulnerable machines.
"Avalanche" is the name given to the world's most prolific phishing gang and to the infrastructure it uses to host phishing sites. And this is the group that has shifted additional resources to the creation of spoof sites and spam lures that distributed the very latest, most malignant Zeus variants.
Execution
2 techniques
Persistence
1 technique
Privilege Escalation
2 techniques
Stealth
6 techniques
Specifically, Harderman says he wants to turn the guts of the Trojan into a rootkit, and to build additional functionality on top, in the form of modular plug-ins.
To keep them under the antivirus radar, Nigerian actors use "crypters" - software tools designed to encrypt, obfuscate, and modify malware.
GOZ, however, utilizes a P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection.
The criminals posed as employees of the business, moving thousands of dollars to overseas locations.
Credential Access
6 techniques
infected tens of millions of computers, harvested huge volumes of sensitive financial data
Trojans like ZeuS and SpyEye have the built-in ability to keep logs of every keystroke a victim types on his or her keyboard
others used it just as a piece of malware to log information that ZeuS collected from victims from either the keystroke logging, or the built-in POST data logging, which worked for both HTTP and HTTPS websites
In 2007 the first large scale attacks took place, that used the ZeuS bank attack configuration called “webinjects”... While ZeuS is a versatile malware kit... its key strength is in browser manipulation through the use of its dynamic configuration.
Information stealers seem to be the preferred type of malware to help in their fraudulent email attacks... The attacker can pilfer data about the targets and use it to create efficient messages for diverting transactions or asking money to be sent to fraudsters' account.
Collection
5 techniques
infected tens of millions of computers, harvested huge volumes of sensitive financial data
Trojans like ZeuS and SpyEye have the built-in ability to keep logs of every keystroke a victim types on his or her keyboard
others used it just as a piece of malware to log information that ZeuS collected from victims from either the keystroke logging, or the built-in POST data logging, which worked for both HTTP and HTTPS websites
Command and Control
4 techniques
Zeus distribution also relies on the registration of domain names for spamming, drive-by-download sites, and Zeus command-and-control domains.
The peer-to-peer layer merely functioned as a reliable and robust communication mechanism, and a way to hide the next layers of the infrastructure in order to become more resistant to takedown activity.
Impact
1 technique
IOCs tracked for this family
147 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
95 sources tracked across advisories, community write-ups, and news.
Malware family explicitly associated in the article with Evil Corp.
This group has previously been responsible for Zeus and Dridex malware and is also associated with several large-scale ransomware and money-laundering operations.
Named as malware previously associated with Evil Corp.
Banking trojan used in phishing campaigns to infect victims and steal banking credentials, leading to fraudulent ACH and wire transfers.