MALWARE FAMILY

Zeus Sphinx

Internal ID: win.zeus_sphinx
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

This family describes the vanilla Zeus variant that includes Tor (and the Polipo proxy). It has an almost 90% overlap with Zeus v2.0.8.9.

Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl, where the X refers to IBM X-Force.

Zeus Sphinx, on the one hand, has the following versioning ("slow increase"):

- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)

- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)

- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)

Zeus OpenSSL, on the other hand, has the following versioning ("fast increase"):

- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)

- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)

- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)

Threat Analysis

Zeus Sphinx is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

Quick Facts

Type: Malware Family
Aliases: 1

Also Known As

win.zeus_sphinx

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.