{
  "family": "zbot",
  "sample_count": 24075,
  "category": "banking_trojan",
  "description": "Zbot, also widely known as Zeus, is one of the most influential banking trojans in malware history, originally created in 2007 and used to steal financial credentials, banking session data, and cryptocurrency wallets through form-grabbing and keylogging. The Zeus source code leak in 2011 spawned dozens of derivatives including Citadel, Gameover Zeus, and ICE IX. It typically spreads via phishing and drive-by downloads, and uses webinjects to manipulate banking sessions in real time. Zeus pioneered many techniques still used by modern banking trojans, making it a foundational reference point for financial malware research.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "zeus",
    "zbotzeus",
    "wsnpoem",
    "kneber"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Zbot?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Zbot, also widely known as Zeus, is one of the most influential banking trojans in malware history, originally created in 2007 and used to steal financial credentials, banking session data, and cryptocurrency wallets through form-grabbing and keylogging. The Zeus source code leak in 2011 spawned dozens of derivatives including Citadel, Gameover Zeus, and ICE IX. It typically spreads via phishing and drive-by downloads, and uses webinjects to manipulate banking sessions in real time. Zeus pioneered many techniques still used by modern banking trojans, making it a foundational reference point for financial malware research."
      }
    },
    {
      "@type": "Question",
      "name": "How does Zbot spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Zbot (ZeuS) spreads through phishing, exploit kits, and drive-by downloads. Its source code was leaked in 2011, spawning numerous variants that are distributed through the same channels."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of a Zbot infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Common indicators are browser web-injects on banking sites (page content altered or added inside the browser), additional credential or token prompts that did not exist before, and AV detections for Zbot, Zeus, or Wsnpoem."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have Zbot on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1185",
    "T1071.001",
    "T1056.001"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}