Inside the world of the Citadel trojan


Botnet: Citadel
Date: 2013 / 2013-01-31
Editor/Conference: McAfee
Author: Ryan Sherstobitoff
Type: White paper


Zeus “banking” malware and its variants have been making headlines in recent months. One variant, the Citadel Trojan, has now taken the spotlight with the news of its withdrawal from the open crimeware market.

Recently the author of Citadel, Aquabox, has been banned from a large online forum that sells malware and other services to cybercriminals. Some in the security industry predict that this will be the downfall of the Citadel Trojan; this very well may be the case. However, at the moment McAfee Global Threat Intelligence shows that Citadel remains a very active threat and continues to target victims in several countries. As with any sophisticated malware—such as Zeus and SpyEye—that ceases development, this Trojan’s use will continue as long as it provides value to cybercriminal operations.

McAfee Labs concludes that some groups have shifted tactics to use Citadel in ways other than those for which it was originally intended. Our telemetry data gathered from the field also shows that Citadel remains active in many parts of the world.


 @misc{2013BFR1290,
   editor = {McAfee},
   author = {Ryan Sherstobitoff},
   title = {Inside the world of the Citadel trojan},
   date = {31},
   month = Jan,
   year = {2013},
   howpublished = {\url{}},