Zpevdo

Category: trojan_generic · Aliases: Trojan.Zpevdo, Downloader.Zpevdo, Win32/Zpevdo · Sample count (EMBER 2018): 1,303 · Enrichment: documented_reference_only · Updated: 2026-07-02T07:49:34Z

Overview

Executive Summary

Zpevdo is a malicious Trojan designed to covertly infiltrate Windows systems, establish persistence, and act as a reliable downloader for remote threat actors. It is frequently utilized in the initial stages of a cyberattack to gather system intelligence and facilitate the automated deployment of secondary, highly destructive malware payloads, such as enterprise ransomware or banking trojans.

Infection Vector and Technical Capabilities

Zpevdo is predominantly distributed through socially engineered spam campaigns containing malicious attachments (often weaponized PDFs or Office documents utilizing macro exploits) or via compromised software installers downloaded from untrustworthy web portals. Upon successful execution, Zpevdo operates with a focus on stealth and payload delivery:

Threat Assessment

A Zpevdo infection represents a significant breach of the endpoint perimeter. Because it provides remote attackers with the ability to execute arbitrary code, a single compromised machine can rapidly be utilized to pivot laterally and compromise the entire corporate network.

Remediation and Eradication

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1105 T1547.001 T1059

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_ZPEVDO {
    meta:
        description = "Detects Zpevdo (trojan_generic)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "zpevdo" ascii wide nocase
        $s2 = "trojan.zpevdo" ascii wide nocase
        $s3 = "downloader.zpevdo" ascii wide nocase
        $s4 = "win32/zpevdo" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Zpevdo Activity
id: 9afc6d3bf418449f694665305f74f900
status: experimental
description: Detects generic indicators of the zpevdo malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*zpevdo*"
            - "*trojan.zpevdo*"
            - "*downloader.zpevdo*"
            - "*win32/zpevdo*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Where can I learn more about zpevdo?

Refer to the linked MITRE ATT&CK technique pages, which document the behaviors associated with this family.

Related Families (Category: trojan_generic)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/zpevdo.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.