Zbot is better known as Zeus, one of the most influential banking trojans in malware history, designed to steal banking information and other sensitive credentials for exfiltration. As MITRE ATT&CK notes for the Zeus Panda variant, the original Zeus source code was leaked in 2011, which let many threat actors build new variants on top of it (including Citadel, Gameover Zeus, and Zeus Panda). It primarily targets Windows and captures credentials through browser-based techniques such as web injection and keylogging.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1185 T1071.001 T1056.001
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_ZBOT {
meta:
description = "Detects Zbot (banking_trojan)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "zbot" ascii wide nocase
$s2 = "zeus" ascii wide nocase
$s3 = "zbot" ascii wide nocase
$s4 = "zeus panda" ascii wide nocase
$s5 = "wsnpoem" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Zbot Activity
id: 6e5dbc153564966b5ca72ec5fdc961c3
status: experimental
description: Detects generic indicators of the zbot malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*zbot*"
- "*zeus*"
- "*zbot*"
- "*zeus panda*"
- "*wsnpoem*"
condition: selection
level: mediumA landmark banking trojan that steals banking credentials and other sensitive data, typically by capturing what victims enter into their browser.
MITRE notes the original source code leaked in 2011, allowing threat actors to build many new variants from it, which shaped a whole generation of banking malware.
Well-known descendants include Citadel, Gameover Zeus, and Zeus Panda, among others.
Mainly through browser session hijacking / web injection and keylogging, capturing credentials as they are entered on banking sites.
It primarily targets Windows, with the Zeus Panda variant documented across Windows XP through Windows 10.
Historically through phishing emails and drive-by downloads from compromised or malicious websites.
Use multi-factor authentication, keep your system and browser patched, avoid suspicious attachments and links, and monitor accounts for unauthorized activity.
MITRE ATT&CK's Zeus Panda entry (S0330), linked on this page, documents the variant's techniques and the 2011 source leak.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/zbot.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.