ZEUS Sphinx Banking Trojan


The Zeus Sphinx trojan first appeared in August 2015. Also known as Zloader or Terdot, it resurfaced in December 2019 and became aggressive in March 2020. Like other banking trojans, Sphinx’s main ability is to collect credentials for online banking sites, and the newer version is looking to cash in on interest in government relief efforts around the COVID-19 pandemic.

Spam and phishing emails lure victims by asking them to fill in an attached form in order to receive financial compensation related to COVID-19 from the government. Such malicious attachments may be named "Covid-19 relief". Attachments are sent in the form of Office files, e.g. .doc or .docx files.

Once the victim opens the attached document, a macro is enabled and a downloader is activated. The downloader communicates with a Command & Control Server and delivers the new Sphinx variant to the infected device.

The Command & Control Server then fetches relevant web injections when infected users land on a targeted page and uses them to modify the pages users are browsing, adding social engineering content that tricks them into divulging personal information and authentication codes.


  • The downloaded email attachment contains malware that has the potential to disrupt computer systems and steal information.
  • Victims are tricked into providing their personal information and credentials for sensitive accounts.


  • Stay away from unsolicited emails. Report them as spam and delete them from the Inbox and trash folder.
  • Verify the email with the relevant party. Call to confirm whether the party actually sent it.
  • Be wary of attachments and examine the true extension type. Most malware comes in the form of an executable file like an .exe file; a container file like .zip or .rar; or an Office spreadsheet or document which automatically runs macros.
  • Always update your operating system as soon as updates are available. Updates can be set up to install automatically.
  • Delete software or programs that are no longer in use.
  • Duly update all programs that are in use.
  • Refrain from sending sensitive work data or information via personal email.
  • Scan attachments before opening.
  • Do not click on suspicious links.
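
The advice above to examine the true extension type and scan attachments can be automated at a mail gateway or on an analyst workstation. The following Python sketch is an added example, not part of the original advisory: the function names, the quarantine rule and the sample files are assumptions constructed for illustration, and the macro check for legacy .doc files is a heuristic only.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                      # .docx/.docm and plain archives
PE_MAGIC = b"MZ"                               # Windows executable
EXPECTED = {"doc": "ole-office", "xls": "ole-office", "docx": "ooxml-office",
            "docm": "ooxml-office", "zip": "zip", "exe": "executable"}

def triage_attachment(filename, data):
    """Return the real content kind, extension mismatch and macro presence."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    kind, has_macro = "unknown", False
    if data.startswith(PE_MAGIC):
        kind = "executable"
    elif data.startswith(OLE_MAGIC):
        kind = "ole-office"
        # Heuristic only: the VBA storage name is a UTF-16LE directory entry.
        has_macro = "VBA".encode("utf-16-le") in data
    elif data.startswith(ZIP_MAGIC):
        kind = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        if "[Content_Types].xml" in names:
            kind = "ooxml-office"
            has_macro = any(n.lower().endswith("vbaproject.bin") for n in names)
    mismatch = EXPECTED.get(ext, kind) != kind
    # Quarantine anything executable, macro-bearing, or mislabelled.
    quarantine = kind == "executable" or has_macro or mismatch
    return {"kind": kind, "mismatch": mismatch, "macro": has_macro,
            "quarantine": quarantine}

def make_sample_ooxml(with_macro):
    """Build a constructed, inert OOXML container in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    return buf.getvalue()

if __name__ == "__main__":
    samples = {  # constructed inputs, named after the lure described above
        "Covid-19 relief.docx": make_sample_ooxml(with_macro=True),
        "Covid-19 relief.doc": PE_MAGIC + b"\x00" * 64,
        "minutes.docx": make_sample_ooxml(with_macro=False),
    }
    for name, blob in samples.items():
        print(name, triage_attachment(name, blob))
```

A quarantined file still needs a proper antivirus or sandbox scan; this check only catches mislabelled content and embedded macro projects.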