Upatre

Category: downloader · Aliases: upatre downloader, waski · Sample count (EMBER 2018): 4,200 · Enrichment: curated_sourced · Updated: 2026-06-10

Overview

Upatre is a Windows downloader trojan. As documented by Malpedia (Fraunhofer FKIE), it was first discovered in 2013 and has been widely updated since. Its primary role is to deliver further malware to victims: Upatre was a prolific delivery mechanism for the Gameover P2P (Gameover Zeus) banking trojan in 2013-2014, and later for the Dyre banking trojan in 2015. As a small first-stage downloader, it is typically distributed via spam email attachments and then retrieves and runs a larger second-stage payload.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1566.001 T1105 T1071.001 T1204.002

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_UPATRE {
    meta:
        description = "Detects Upatre (downloader)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "upatre" ascii wide nocase
        $s2 = "upatre downloader" ascii wide nocase
        $s3 = "waski" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Upatre Activity
id: 4d7317e7ad328bfdab4d7341e74d1888
status: experimental
description: Detects generic indicators of the upatre malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*upatre*"
            - "*upatre downloader*"
            - "*waski*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Upatre?

Upatre is a Windows downloader trojan first discovered in 2013. According to Malpedia, its primary purpose is to deliver further malware to infected systems, acting as a first-stage loader for larger threats.

What malware did Upatre deliver?

Per Malpedia, Upatre was a prolific delivery mechanism for the Gameover P2P (Gameover Zeus) banking trojan in 2013-2014, and later delivered the Dyre banking trojan in 2015.

How does a downloader like Upatre work?

Upatre is a small first-stage downloader. Once it runs on a victim's system, its job is to retrieve and execute a larger second-stage payload, which is the malware the attackers actually want to deploy. Malpedia notes Upatre has been widely updated over time.

Is Upatre still active?

Upatre was most prominent during 2013-2015 as a loader for Gameover Zeus and Dyre. Malpedia documents it as having been widely updated since its 2013 discovery; its activity is most strongly associated with that mid-2010s period.

Related Families (Category: downloader)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/upatre.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.