APT / THREAT GROUP

Zeus OpenSSL

3 aliases
Last seen: Mar 17, 2026

Intelligence Profile

This family describes the Zeus variant that includes a version of OpenSSL and is usually downloaded by Zloader.

In June 2016, version 1.5.4.0 (PE timestamp: 2016.05.11) appeared, downloaded by Zloader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked into it, which is why its size is roughly 1.2 MB. In subsequent months, that size increased to as much as 1.6 MB.

In January 2017, with version 1.14.8.0, OpenSSL 1.0.2j was linked into it, increasing the size to 1.8 MB. Soon after, also in January 2017, the code was obfuscated with version v1.15.0.0, inflating the binary to 2.2 MB.

Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl, with the X referring to IBM X-Force.

Zeus Sphinx, on the one hand, has the following versioning ("slow increase"):

- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)

- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)

- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)

Zeus OpenSSL, on the other hand, has the following versioning ("fast increase"):

- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)

- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)

- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)

Threat Analysis

Zeus OpenSSL is listed as a threat actor of known sophistication and undetermined national origin; its primary motivation and activity patterns are unknown.

Quick Facts

Type: APT / Threat Group
Aliases: 3

Also Known As

- Zeus OpenSSL
- XSphinx
- win.zeus_openssl

External Intelligence

Malpedia: win.zeus_openssl

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.