Tinba (a contraction of 'Tiny Banker', also known as Zusy, TinyBanker, and Illi) is a Windows banking trojan. As documented by Malpedia (Fraunhofer FKIE), citing F-Secure, it is usually distributed through malvertising, exploit kits, and spam email campaigns, and has targeted bank customers in the United States and Europe. Once it infects a device, Tinba steals banking and personal information using webinjects: it monitors the user's browser activity and, when specific banking portals are visited, injects code that presents fake web forms mimicking the legitimate site to trick the victim into entering credentials and personal data. Tinba may also display socially engineered messages to pressure the user into entering information — for example, claiming that funds were accidentally deposited and must be refunded immediately. Tinba is notable for its very small code footprint, which is the origin of its 'Tiny Banker' name.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1185 T1071.001
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_ZUSY {
meta:
description = "Detects Zusy (banking_trojan)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "zusy" ascii wide nocase
$s2 = "tinba" ascii wide nocase
$s3 = "tinybanker" ascii wide nocase
$s4 = "illibanker" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Zusy Activity
id: d51782805761edae7f821833ff365244
status: experimental
description: Detects generic indicators of the zusy malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*zusy*"
- "*tinba*"
- "*tinybanker*"
- "*illibanker*"
condition: selection
level: mediumTinba, short for 'Tiny Banker' and also known as Zusy or TinyBanker, is a Windows banking trojan. According to Malpedia, citing F-Secure, it steals banking and personal information from infected computers, and has targeted bank customers in the United States and Europe.
Per Malpedia, citing F-Secure, Tinba is usually distributed through malvertising (malicious advertising that leads users to sites hosting threats), exploit kits, and spam email campaigns.
Tinba uses a technique called webinjects. It monitors the user's browser activity, and when the victim visits specific banking portals, it injects code that displays fake web forms designed to mimic the legitimate site, tricking the victim into entering their login credentials and personal information.
Malpedia notes that Tinba may display socially engineered messages to lure or pressure victims into entering information on its fake pages. One example cited is a message claiming that funds were accidentally deposited into the victim's account and must be refunded immediately.
The name Tinba is a contraction of 'Tiny Banker', a reference to the malware's unusually small code size. Malpedia lists it under the symbol win.tinba with the aliases Zusy, TinyBanker, and Illi.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/zusy.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.