Malware analysis

Zeus Sphinx: What it is, how it works and how to prevent it | Malware spotlight

Greg Belding
August 12, 2020 by
Greg Belding


When something is described as “rising from the ashes,” the mythological creature known as the phoenix normally comes to mind. For those that research malware, they may soon want to swap “phoenix” for “Zeus Sphinx.” 

This malware used to be a persistent threat for banks and financial institutions in 2015 and seemingly died out. As of December 2019 (and especially after the COVID-19 pandemic), Zeus Sphinx has seen a marked resurgence and been observed taking advantage of the pandemic to spread its maliciousness. 

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

This article will detail the Zeus Sphinx malware with regard to its recent resurgence. We’ll explore what it is, how it works and how you can prevent becoming a victim yourself.

What is Zeus Sphinx?

Zeus Sphinx (also known as Zloader or Terdot) is not an amalgamation of two mythological creatures or the latest trendy crossover vehicle. Instead, it is a malware dating back to 2015. But just like a virus that won’t quit, Zeus Sphinx reappeared in December of 2019. This comeback was furthered by the COVID-19 crisis, where Zeus Sphinx used COVID-19 as a cover to induce users to download the malware.

When Zeus Sphinx first appeared, the malware was a banking Trojan that first targeted banks in the United States, later extending its reach to Canada and Brazil. After a brief hiatus, this malware slowly began reappearing in December 2019 with researchers concluding that the operators were testing the malware for future full-scale deployments. Beginning in March or April of 2020, Zeus Sphinx attacks increased significantly, with a few modifications and a tactic of exploiting the COVID-19 pandemic to target banks in North America.

The modifications observed in new versions of Zeus Sphinx are nothing to shake a sphinx’s tail at. IBM researchers have discovered that the malware has become more efficient at stealing both banking and financial information, which is the main purpose of the malware. It also sports a new command-and-control (C2) server infrastructure and new methods to maintain persistence during an attack.

These enhanced functionalities, combined with the use of COVID-19 as an abuse of trust of potential victims, reinforce the warning that a recent IBM report has stated about the malware — that financial institutions must reckon with the return of Zeus Sphinx as well as new potential victims. 

How does Zeus Sphinx work?

Built upon the Zeus v2.0.8.9 codebase, this malware gains entry onto a system by way of phishing and spam campaigns. This resurgence of Zeus Sphinx relies heavily upon the trust factor involved with emails and attachments that reference COVID-19. 

A frequently used malicious document name that has snared users recently is “COVID-19 relief”. This angle that operators of Zeus Sphinx have taken has led researchers to believe that these new Zeus Sphinx attack campaigns are preying upon users’ expectation of receiving COVID-19 relief payments from the federal government. This keeps in line with a whole host of other malware in the wild that are taking advantage of this crisis. In fact, the use of COVID-related spam campaigns has jumped 6,000% since the beginning of 2020.

Zeus Sphinx has been observed tricking users with a malicious form that asks users to insert personal data so they can receive their money. (Please be aware that the government will never ask you to submit personal information to receive a COVID-19 relief payment.) When the user accepts the malicious macros in the file, the malware begins its deployment and the malware downloader is fetched. They enhance the effectiveness of this malicious document, as it is password-protected so users cannot analyze the file.

After being implanted onto a computer, the malware adds a Windows Registry run key as either a dynamic link library file or a malicious executable to aid in persistence. Zeus Sphinx increases its persistence ability by creating a file called msiexec.exe, which helps hide its activity from security scans and tools. It is also known to deploy browser injection and hooking techniques to further steal personal information from users. An example of this is in-session browser popups requesting personal information that can help attackers steal financial and bank card data.

Another significant upgrade to Zeus Sphinx since its last run through the wild is an RC4 encryption key for communication with the command-and-control server. This allows for more stealthy communications with this server during attacks and also allows attackers to use the infected device in a botnet.

How to prevent Zeus Sphinx

Luckily, you can do quite a bit to prevent Zeus Sphinx from infecting your (or your organization’s) system. Below is a list of recommendations that even those who are not the most information security-savvy can do to prevent it:

  • Use a respected internet security solution
  • Ensure that your system and software is updated
  • Be cautious when clicking on unknown links and if possible, confirm that the link is sent from a party you know
  • Communicate to your organization the importance of keeping your cybersecurity awareness elevated during this crisis. try to incorporate examples of COVID-19 phishing and spam emails in your organization’s cybersecurity awareness program


Zeus Sphinx has made a resurgence since December 2019. Once the COVID-19 pandemic took off, Zeus Sphinx began taking advantage of the situation and using the cover of the crisis to spread itself to potential victims. 

Despite it being a more effective threat than its first time around, you can prevent infection by using standard cybersecurity awareness and by not getting tricked by those who will exploit a medical emergency for the sake of ill-gotten gain.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.



  1. Enhanced Zeus Sphinx Trojan Used in COVID-19 Schemes, BankInfoSecurity Blog
  2. Sphinx Malware Returns to Riddle U.S. Targets, Threatpost
  3. Zeus Sphinx Rises Back From the Ashes, Cyware Social
Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.