Zbot, or Zeus, is a trojan that aims to steal confidential information from a compromised system, such as system information, online credentials, and banking details. A Zbot trojan is created using a malicious toolkit available on hacker forums and underground marketplaces, which gives the attacker control over the functionality of the executable used to infect victims. The Zbot trojan is typically distributed through spam email campaigns and drive-by downloads, though other vectors are possible given its customizable setup. Once executed, the trojan identifies Internet Explorer, FTP, or POP3 credentials contained within Protected Storage (PStore), which are then compromised and used to authenticate and log in to an account as a legitimate user. It is most effective at compromising information by monitoring the websites listed in its configuration file and manipulating the webpages a user is viewing to add extra data fields. It can be updated through a command and control (C2) server for additional functions such as downloading and executing additional files, shutting down or rebooting the victim device, or deleting system files. As of October 2015, the majority of victims impacted by Zbot were in the United States, according to Symantec.

In June, the Zbot botnet, used with the Zbot trojan, began using a "fast flux" technique to evade detection. Fast flux, a technique used by a subset of botnets, increases the difficulty of blocking a given IP address range to defend against botnets. Defending against the changing IP addresses used by the botnet is challenging and often leads to false positives. Antivirus software also has difficulty identifying Zbot malware samples, which are sometimes flagged by only 3 of 57 antivirus vendors.
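A detection heuristic for the fast flux behaviour described above, as an added example that is not from this page's author or the cited vendors: it flags names in passive-DNS data that resolve to many distinct addresses across many /16 networks within one hour at short TTLs. The rows, names, addresses and thresholds are constructed assumptions; the /16 diversity check is what separates the rotating name from a CDN-like name that would otherwise be a false positive.

```python
from collections import defaultdict
from ipaddress import ip_network

def build_sample():
    """Constructed passive-DNS rows: (epoch_seconds, name, A record, ttl)."""
    rows = []
    for i in range(8):
        # Rotating name: a new address in a new /16 every 5 minutes, short TTL.
        rows.append((i * 300, "login.flux-example.test", f"10.{i + 1}.7.{i + 20}", 60))
        # CDN-like name: many addresses and short TTL, but only two /16 networks.
        rows.append((i * 300, "static.cdn-example.test", f"10.{200 + i % 2}.0.{i + 1}", 60))
    # Ordinary name: one address, long TTL.
    rows.append((0, "www.stable-example.test", "10.50.0.10", 3600))
    rows.append((1800, "www.stable-example.test", "10.50.0.10", 3600))
    return rows

def fast_flux_candidates(rows, window=3600, min_ips=5, min_nets=4, max_ttl=300):
    """Return {name: (distinct_ips, distinct_slash16)} for names that look like fast flux.

    Thresholds are illustrative assumptions and need tuning on real data (IPv4 only).
    """
    by_name = defaultdict(list)
    for ts, name, addr, ttl in rows:
        by_name[name.lower().rstrip(".")].append((ts, addr, ttl))
    flagged = {}
    for name, obs in by_name.items():
        obs.sort()
        for start, _, _ in obs:
            # Every observation of this name inside the window opening at `start`.
            win = [o for o in obs if start <= o[0] < start + window]
            if max(ttl for _, _, ttl in win) > max_ttl:
                continue  # long TTLs are not consistent with rapid rotation
            ips = {addr for _, addr, _ in win}
            nets = {ip_network(f"{addr}/16", strict=False) for addr in ips}
            if len(ips) >= min_ips and len(nets) >= min_nets:
                score = (len(ips), len(nets))
                flagged[name] = max(flagged.get(name, (0, 0)), score)
    return flagged

if __name__ == "__main__":
    for name, (ips, nets) in fast_flux_candidates(build_sample()).items():
        print(f"{name}: {ips} addresses across {nets} /16 networks within one hour")
```

Lowering `min_nets` to 2 also flags the CDN-like name, which shows how address counts alone produce false positives.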


  • April 2016: Heimdal Security classified the Zbot/Zeus trojan as the most dangerous financial malware.
  • June 2016: Details on Zbot botnet's use of fast flux technique. (Risk Analytics)
  • October 2016: Zbot/Zeus was spotted using .MSG file attachments as a distribution method. (SecurityWeek)
  • January 2017: The banking trojan combined with the Terdot Zloader downloader to abuse a legitimate certificate application to spy on users and modify web content through man-in-the-middle (MITM) attacks against browsers. (SCMagazine)
  • July 2017: New Zeus version dubbed "Neutrino" targets point-of-sale (PoS) systems to collect credit/debit card information. Additional functionality includes: download and start a file, take a screenshot, search for a process, change register branches, and search for and send a file to the C2. (InfoSecurity)

Technical Details

  • Microsoft Protection Center provides technical details on the Zbot trojan.
  • Symantec provides technical details on Zbot.

One example of the Zbot trojan. Image Source: Malwarebytes
