Zusy

Category: banking_trojan · Aliases: tinba, tinybanker, illibanker · Sample count (EMBER 2018): 14,120 · Enrichment: curated_sourced · Updated: 2026-06-10

Overview

Tinba (a contraction of 'Tiny Banker', also known as Zusy, TinyBanker, and Illi) is a Windows banking trojan. As documented by Malpedia (Fraunhofer FKIE), citing F-Secure, it is usually distributed through malvertising, exploit kits, and spam email campaigns, and has targeted bank customers in the United States and Europe. Once it infects a device, Tinba steals banking and personal information using webinjects: it monitors the user's browser activity and, when specific banking portals are visited, injects code that presents fake web forms mimicking the legitimate site to trick the victim into entering credentials and personal data. Tinba may also display socially engineered messages to pressure the user into entering information — for example, claiming that funds were accidentally deposited and must be refunded immediately. Tinba is notable for its very small code footprint, which is the origin of its 'Tiny Banker' name.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1185 T1071.001

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_ZUSY {
    meta:
        description = "Detects Zusy (banking_trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "zusy" ascii wide nocase
        $s2 = "tinba" ascii wide nocase
        $s3 = "tinybanker" ascii wide nocase
        $s4 = "illibanker" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Zusy Activity
id: d51782805761edae7f821833ff365244
status: experimental
description: Detects generic indicators of the zusy malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*zusy*"
            - "*tinba*"
            - "*tinybanker*"
            - "*illibanker*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Tinba?

Tinba, short for 'Tiny Banker' and also known as Zusy or TinyBanker, is a Windows banking trojan. According to Malpedia, citing F-Secure, it steals banking and personal information from infected computers, and has targeted bank customers in the United States and Europe.

How does Tinba spread?

Per Malpedia, citing F-Secure, Tinba is usually distributed through malvertising (malicious advertising that leads users to sites hosting threats), exploit kits, and spam email campaigns.

How does Tinba steal banking credentials?

Tinba uses a technique called webinjects. It monitors the user's browser activity, and when the victim visits specific banking portals, it injects code that displays fake web forms designed to mimic the legitimate site, tricking the victim into entering their login credentials and personal information.

What social engineering does Tinba use?

Malpedia notes that Tinba may display socially engineered messages to lure or pressure victims into entering information on its fake pages. One example cited is a message claiming that funds were accidentally deposited into the victim's account and must be refunded immediately.

Why is Tinba called 'Tiny Banker'?

The name Tinba is a contraction of 'Tiny Banker', a reference to the malware's unusually small code size. Malpedia lists it under the symbol win.tinba with the aliases Zusy, TinyBanker, and Illi.

Related Families (Category: banking_trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/zusy.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.