Spyeye

Category: banking_trojan · Aliases: None known · Sample count (EMBER 2018): 192 · Enrichment: curated_sourced · Updated: 2026-06-11

Overview

SpyEye is a banking Trojan that originated in Russia and was sold on underground forums for several hundred dollars, marketed as "the next Zeus." It targeted web browsers on Microsoft Windows (and Safari on Apple iOS) and provided the typical capabilities of a banking Trojan, including keylogging, automatic credit-card form filling, encrypted configuration files, email backups, and POP3 and FTP credential grabbers. SpyEye allowed criminals to steal money from online bank accounts and to initiate fraudulent transactions even while a legitimate user was logged in. It is documented by Fraunhofer FKIE's Malpedia.

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_SPYEYE {
    meta:
        description = "Detects Spyeye (banking_trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "spyeye" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Spyeye Activity
id: 173a5569e3517a85292f06b12e4eef2d
status: experimental
description: Detects generic indicators of the spyeye malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*spyeye*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is SpyEye?

SpyEye is a banking Trojan that originated in Russia and was sold on underground forums, marketed as "the next Zeus." It was designed to steal money from victims' online bank accounts.

What can SpyEye do?

SpyEye includes capabilities typical of banking Trojans: keylogging, automatic credit-card form filling, encrypted configuration files, email backups, and POP3 and FTP credential grabbers.

How does SpyEye steal money?

SpyEye targets web browsers to capture banking credentials and can initiate fraudulent transactions even while a legitimate user is logged into their bank account.

What sources document SpyEye?

SpyEye is profiled in Fraunhofer FKIE's Malpedia, which describes its origin, pricing on underground forums, and its banking-Trojan capabilities.

Related Families (Category: banking_trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/spyeye.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.