APT / THREAT GROUP

Zeus Sphinx

2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

This family describes the vanilla Zeus variant that includes TOR (and the Polipo proxy). It has an almost 90% overlap with Zeus v2.0.8.9.

Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl - the X to refer to IBM X-Force.

Zeus Sphinx, on the one hand, has the following versioning ("slow increase"):

- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)

- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)

- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)

Zeus OpenSSL, on the other hand, has the following versioning ("fast increase"):

- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)

- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)

- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)

Threat Analysis

Zeus Sphinx is tracked here as a threat actor of undetermined national origin. Its primary motivation and activity patterns are unknown.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

- Zeus Sphinx

- win.zeus_sphinx

External Intelligence

Malpedia: win.zeus_sphinx

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.