Skip to content
July 13, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • News
  • Malware
  • Hackers use website of Ukrainian accounting software developer to disseminate a new variant of Zeus Bank Trojan
  • Malware

Hackers use website of Ukrainian accounting software developer to disseminate a new variant of Zeus Bank Trojan

Do Son January 9, 2018 3 minutes read
Add Daily CyberSecurity as a preferred source on Google

According to foreign media reports on January 6, hackers abuse the official website of Ukrainian accounting software developer Crystal Finance Millennium (CFM) to distribute malware and distribute new variants of Zeus Bank Trojans. Cisco Talos said the malware was acquired through a download program attached to spam and has a range of spreads.

The attack occurred before and after the holiday of Independence Day of Ukraine in August 2017, when Ukrainian authorities and enterprises received cyber-attacks alerts from the local security company ISSP. A domain name used to host the malicious software was related to the website of the Ukrainian accounting software developer CFM. Not only that, but the attacker also used the CFM website to spread the PSCrypt ransomware, which was malware targeted at Ukrainian users last year. Fortunately, this attack hacker did not compromise CFM’s update server and did not see the same level of access in earlier Nyetya protocols.

In this attack, the malware-loaded email contains a JavaScript archive that is used as a malware-download program. Once the file is opened, Javascript will be executed and cause the system to retrieve the malware’s playload. After running, the Zeus Bank Trojan virus will infect the system.

Cisco Talos Statistics: Affected by the new variant of Zeus Bank Trojan

Since the source code for Zeus Trojan 2.0.8.9 was leaked in 2011, other threat actors have been inspired by malicious code to incorporate it into several other bank trojans. Researchers found code reuse exists between the malware released this campaign and the leaked version of Zeus source code:

Once executed on the system, the malware performs a number of operations to determine if it is executing in a virtual sandbox environment. If the malware does not detect that it is running in a sandboxed environment, then it takes steps to make it persistent on the infected system. Malware even creates a registry entry on the infected system to ensure that malicious code is executed each time the infected device is restarted. Once the system is infected, malware tries to contact different C & C servers.

The researchers said most malware-infected systems are in Ukraine and the United States, with ISPs of PJSC Ukrtelecom, which are under the jurisdiction of the Ministry of Transport of Ukraine, the worst affected. Impact reached 3115 unique IP addresses, with 11,925,626 beacons showing the scale of the malware.

Researchers say more and more attackers are trying to abuse trusted software makers as a means of gaining a foothold in the target environment. In order to deploy more effective security controls to protect their network environment, attackers are constantly improving their methods of attack.

Source: IBTimes

Get Zero-Hour Vulnerability Alerts

Critical CVEs, CVSS scores, and PoC updates — straight to your inbox every week.


We respect your inbox. Unsubscribe anytime.

Related coverage

  • The Hidden Menace of Glupteba: Infiltrating Systems with UEFI Bootkits
  • Teal Kurma’s Evolving Cyber Activities: A Resurgent Threat to Europe and the Middle East
  • Silver Fox APT Targets Organizations with PNGPlug and ValleyRAT Malware
  • CL-STA-0048: Chinese-Linked APT Targets Telecoms in South Asia
  • Hidden Skimmers, Web Whispers: New JavaScript Theft Tricks
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Zeus Bank Trojan

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-1207CVSS 5.4
    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on...
    Admin intel📅 Updated: Jul 10, 2026
  • CVE-2026-48939CVSS 10.0
    A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-56291CVSS 10.0
    The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-55255CVSS 8.4
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-48908
    A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-56290
    The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-20896CVSS 9.8
    Gitea Docker image: `REVERSE_PROXY_TRUSTED_PROXIES = *` default lets any source IP impersonate any user via `X-WEBAUTH-USER`
    Admin intel📅 Updated: Jul 6, 2026
  • CVE-2026-48282CVSS 10.0
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted...
    Admin intelCISA KEV📅 Added to KEV: Jul 7, 2026📅 Updated: Jul 3, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-14453CVSS 9.6
    This vulnerability is a critical Server-Side Template Injection (SSTI) in Centreon's centreon-open-tickets...
  • CVE-2026-59518CVSS 9.8
    Deserialization of Untrusted Data vulnerability in wpWax Directorist directorist allows Object Injection.This...
  • CVE-2026-59515CVSS 9.3
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
  • CVE-2026-57813CVSS 9.8
    Incorrect Privilege Assignment vulnerability in properfraction MailOptin mailoptin allows Privilege Escalation.This issue...
  • CVE-2026-57811CVSS 10.0
    Improper Control of Generation of Code ('Code Injection') vulnerability in Realtyna Realtyna...
  • CVE-2026-57770CVSS 9.8
    Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Photography grandphotography allows Object...
  • CVE-2026-57744CVSS 9.8
    Deserialization of Untrusted Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions...
  • CVE-2026-57739CVSS 9.3
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
  • CVE-2026-57738CVSS 9.8
    Deserialization of Untrusted Data vulnerability in axiomthemes 777 triple-seven allows Object Injection.This...
  • CVE-2026-57726CVSS 9.3
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.