Upatre is a Windows downloader trojan. As documented by Malpedia (Fraunhofer FKIE), it was first discovered in 2013 and has been widely updated since. Its primary role is to deliver further malware to victims: Upatre was a prolific delivery mechanism for the Gameover P2P (Gameover Zeus) banking trojan in 2013-2014, and later for the Dyre banking trojan in 2015. As a small first-stage downloader, it is typically distributed via spam email attachments and then retrieves and runs a larger second-stage payload.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1566.001 T1105 T1071.001 T1204.002
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_UPATRE {
meta:
description = "Detects Upatre (downloader)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "upatre" ascii wide nocase
$s2 = "upatre downloader" ascii wide nocase
$s3 = "waski" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Upatre Activity
id: 4d7317e7ad328bfdab4d7341e74d1888
status: experimental
description: Detects generic indicators of the upatre malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*upatre*"
- "*upatre downloader*"
- "*waski*"
condition: selection
level: mediumUpatre is a Windows downloader trojan first discovered in 2013. According to Malpedia, its primary purpose is to deliver further malware to infected systems, acting as a first-stage loader for larger threats.
Per Malpedia, Upatre was a prolific delivery mechanism for the Gameover P2P (Gameover Zeus) banking trojan in 2013-2014, and later delivered the Dyre banking trojan in 2015.
Upatre is a small first-stage downloader. Once it runs on a victim's system, its job is to retrieve and execute a larger second-stage payload, which is the malware the attackers actually want to deploy. Malpedia notes Upatre has been widely updated over time.
Upatre was most prominent during 2013-2015 as a loader for Gameover Zeus and Dyre. Malpedia documents it as having been widely updated since its 2013 discovery; its activity is most strongly associated with that mid-2010s period.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/upatre.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.