Zbot

Category: banking_trojan · Aliases: Zeus, Zbot, Zeus Panda, Wsnpoem · Sample count (EMBER 2018): 24,075 · Enrichment: curated_sourced · Updated: 2026-06-09

Overview

Zbot is better known as Zeus, one of the most influential banking trojans in malware history, designed to steal banking information and other sensitive credentials for exfiltration. As MITRE ATT&CK notes for the Zeus Panda variant, the original Zeus source code was leaked in 2011, which let many threat actors build new variants on top of it (including Citadel, Gameover Zeus, and Zeus Panda). It primarily targets Windows and captures credentials through browser-based techniques such as web injection and keylogging.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1185 T1071.001 T1056.001

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_ZBOT {
    meta:
        description = "Detects Zbot (banking_trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "zbot" ascii wide nocase
        $s2 = "zeus" ascii wide nocase
        $s3 = "zbot" ascii wide nocase
        $s4 = "zeus panda" ascii wide nocase
        $s5 = "wsnpoem" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Zbot Activity
id: 6e5dbc153564966b5ca72ec5fdc961c3
status: experimental
description: Detects generic indicators of the zbot malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*zbot*"
            - "*zeus*"
            - "*zbot*"
            - "*zeus panda*"
            - "*wsnpoem*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Zeus/Zbot?

A landmark banking trojan that steals banking credentials and other sensitive data, typically by capturing what victims enter into their browser.

Why is the 2011 Zeus source-code leak important?

MITRE notes the original source code leaked in 2011, allowing threat actors to build many new variants from it, which shaped a whole generation of banking malware.

What variants came from Zeus?

Well-known descendants include Citadel, Gameover Zeus, and Zeus Panda, among others.

How does Zeus steal banking details?

Mainly through browser session hijacking / web injection and keylogging, capturing credentials as they are entered on banking sites.

What systems does Zeus target?

It primarily targets Windows, with the Zeus Panda variant documented across Windows XP through Windows 10.

How did Zeus typically spread?

Historically through phishing emails and drive-by downloads from compromised or malicious websites.

How can I protect financial accounts from trojans like Zeus?

Use multi-factor authentication, keep your system and browser patched, avoid suspicious attachments and links, and monitor accounts for unauthorized activity.

Where is the authoritative reference?

MITRE ATT&CK's Zeus Panda entry (S0330), linked on this page, documents the variant's techniques and the 2011 source leak.

Related Families (Category: banking_trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/zbot.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.