Zbot is a Windows banking trojan and information-stealing malware family, also referred to in vendor detections as Trojan.Zbot, Win32/Zbot, Trojan-Spy.Win32.Zbot, PWS-Zbot, and related banker/infostealer names. The provided content states that it attempts to steal confidential information from compromised computers and can download configuration files and updates from the Internet. It is described as affecting Windows systems, including legacy desktop and server versions such as Windows 95, 98, Me, NT, 2000, XP, Vista, and Windows Server 2003.
The content places Zbot among the top banking trojan and information stealer families observed in Asia and the South Pacific in INTERPOL’s 2025/2026 cyberthreat assessment. It is also described in multiple intrusion chains as a follow-on payload delivered by exploit kits and social-engineering operations. Specifically, the content says the Impact Exploit Kit delivered a payload assessed as Zbot, and another exploit-kit analysis notes a payload that may have been Zbot or Citadel. The content also states that newer CryptoLocker campaigns often involved prior Zbot infection that subsequently installed CryptoLocker. In Rapid7 reporting on Black Basta-linked social-engineering activity in 2024, operators commonly executed loaders such as Zbot, explicitly noted there as Zloader, after credential harvesting.
Behavior and execution details directly mentioned in the content include downloading configuration files and updates from the Internet, use as a loader/follow-on payload after initial access, and persistence/activity indicators associated with Zbot-linked CryptoLocker delivery such as a registry key under HKCU\Software\Microsoft\<random>, droppers in %Temp%, and a startup entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. In the Rapid7 case, a Zbot/Zloader sample named SyncSuite.exe with SHA256 DB34E255AA4D9F4E54461571469B9DD53E49FEED3D238B6CFB49082DE0AFB1E4 was observed copying itself to a random folder under %APPDATA%, persisting via HKCU\Software\Microsoft\Windows\CurrentVersion\Run or a scheduled task named after the executable, loading a fresh copy of ntdll.dll to avoid hooking, and performing process hollowing into msedge.exe using NTAPI functions.
Associated activity in the content includes delivery by exploit kits, phishing-linked malware chains, credential-harvesting operations, and ransomware enablement. Threat associations directly mentioned include Black Basta operators using Zbot/Zloader as a follow-on loader, and historical linkage to CryptoLocker installation after Zbot infection. High-confidence observables mentioned in the content include the sample hash DB34E255AA4D9F4E54461571469B9DD53E49FEED3D238B6CFB49082DE0AFB1E4 for SyncSuite.exe and the registry/persistence paths noted above.
6 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
<edit1 2013-01-25> ... It's also featuring CVE-2013-0422 since 13/01/13
Exploits: - CVE-2010-0188 (PDF LibTiff) ... CVE-2010-0188 : Impact EK - CVE-2012-0188 ... <edit1 2013-01-25> It seems it's featuring CVE-2011-0611 via CVE-2010-0188
<edit1 2013-01-25> It seems it's featuring CVE-2011-0611 via CVE-2010-0188 see post publications and Hendrik Adrian detailed analysis there.
Exploits: - CVE-2012-1723 (Java Applet Field Bytecode) ... CVE-2012-1723 : Impact EK - CVE-2012-1723 path (same URLs) CVE-2012-1723 in one jar of Impact EK
Exploits: - CVE-2008-0655 (PDF colEmail) ... CVE-2008-0655 : Was not able to get infected with the proper configuration (Adobe Reader 8.1.1) ... don't know why.
Exploits: - CVE-2012-5076 (Java New Bytecode bypass) ... CVE-2012-5076 : Impact EK - CVE-2012-5076 Positive Path ... CVE-2012-5076 but seems implemented in a slightly different way than what we can see on other EK
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Impact EK Landing ... GET http://78.xxx.xx3.12x/lashsenc.php?boutearn=674660 ... GET .../fagearge.php ... GET .../tionlase.jar ... GET .../capelazy.jar ... GET .../cutelity.php
This infection is typically spread through emails sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHS, etc. These emails would contain a zip attachment that when opened would infect the computer. These zip files contain executables that are disguised as PDF files as they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe.
Exploits: - CVE-2010-0188 (PDF LibTiff) - CVE-2008-0655 (PDF colEmail) - CVE-2012-1723 (Java Applet Field Bytecode) - CVE-2012-5076 (Java New Bytecode bypass) | CVE-2012-5076 : Impact EK - CVE-2012-5076 Positive Path ... GET .../jollaban/tionlase.jar ... GET .../jollaban/capelazy.jar ... CVE-2012-1723 : Impact EK - CVE-2012-1723 path (same URLs) CVE-2012-1723 in one jar of Impact EK
It will then create one of the following autostart entries in the registry to start CryptoLocker when you login: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker" ... HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
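As an added triage example (not from the page's sources or from Mallory), the following Python applies the persistence indicators quoted on this page, the CryptoLocker Run/RunOnce autostart names, the %APPDATA%/%Temp% dropper locations, the FORM_101513.pdf.exe naming pattern and the SyncSuite.exe hash, to constructed telemetry events; the event schema, field names and sample values are assumptions.

```python
"""Triage constructed Windows telemetry against the Zbot/CryptoLocker indicators quoted on this page."""
import re

# SHA256 of the SyncSuite.exe sample from the Rapid7 case quoted above.
KNOWN_SHA256 = {"DB34E255AA4D9F4E54461571469B9DD53E49FEED3D238B6CFB49082DE0AFB1E4": "Zbot/Zloader SyncSuite.exe"}
RUN_KEYS = re.compile(r"^HK(?:EY_CURRENT_USER|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
# An .exe directly in, or one folder below, the user's Roaming AppData or Temp (where the page places droppers).
USER_WRITABLE_EXE = re.compile(
    r"^(?:%APPDATA%|%TEMP%|C:\\Users\\[^\\]+\\AppData\\(?:Roaming|Local\\Temp))\\(?:[^\\]+\\)?[^\\]+\.exe$", re.I)
# FORM_101513.pdf.exe-style attachment names: a document extension followed by .exe.
DOUBLE_EXT = re.compile(r"\.(?:pdf|doc|docx)\.exe$", re.I)

def triage(event):
    """Return the page indicators this event matches (empty list = nothing matched)."""
    hits = []
    if event["type"] == "registry_set" and RUN_KEYS.match(event["key"]):
        name, data = event["value_name"], event["data"].strip('"')
        if name.lstrip("*").lower() == "cryptolocker":  # covers "CryptoLocker" and "*CryptoLocker"
            hits.append(f"autostart value named {name!r}")
        if USER_WRITABLE_EXE.match(data):
            hits.append(f"autostart target in user-writable path: {data}")
    elif event["type"] == "process_create":
        label = KNOWN_SHA256.get(event.get("sha256", "").upper())
        if label:
            hits.append(f"known sample hash: {label}")
        if DOUBLE_EXT.search(event["image"]):
            hits.append("double-extension executable posing as a document")
    return hits

def triage_all(events):
    """Map event id -> matched indicators, keeping only events that matched something."""
    flagged = {}
    for e in events:
        if reasons := triage(e):
            flagged[e["id"]] = reasons
    return flagged

SAMPLE_EVENTS = [  # constructed telemetry in a hypothetical schema, not real captures
    {"id": 1, "type": "registry_set", "value_name": "*CryptoLocker",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "data": r"C:\Users\alice\AppData\Roaming\qzx9d\qzx9d.exe"},
    {"id": 2, "type": "registry_set", "value_name": "OneDrive",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"id": 3, "type": "process_create", "sha256": "00" * 32,
     "image": r"C:\Users\alice\Downloads\FORM_101513.pdf.exe"},
    {"id": 4, "type": "process_create", "image": r"C:\Users\alice\AppData\Roaming\k3m1z\SyncSuite.exe",
     "sha256": "db34e255aa4d9f4e54461571469b9dd53e49feed3d238b6cfb49082de0afb1e4"},
]
```

Per-user software legitimately installs under AppData\Roaming, so the path rule is a triage signal to review alongside the name and hash matches, not a verdict on its own.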
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A banking trojan and information stealer identified as one of the top malware families prevalent in Asia and the South Pacific.
Banking trojan referenced as a payload distributed in Black Basta-linked activity.
Loader used post-initial-access to establish persistence, store encrypted config in registry, evade hooks by loading a fresh ntdll.dll, and inject into msedge.exe via process hollowing; used as a gateway for follow-on in-memory payloads and data theft.
Banking trojan used as a precursor/dropper that installs CryptoLocker from malicious email attachments.