diff --git a/clusters/tool.json b/clusters/tool.json
index ded44802..d583a212 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1194,6 +1194,21 @@
       "description": "GeminiDuke is malware that was used by APT29 from 2009 to 2012.",
       "value": "GeminiDuke"
     },
+    {
+      "meta": {
+        "synonyms": [
+          "Trojan.Zbot",
+          "Zbot",
+          "ZeuS"
+        ],
+        "refs": [
+          "https://en.wikipedia.org/wiki/Zeus_(malware)",
+          "https://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99"
+        ]
+      },
+      "description": "Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer. It may also download configuration files and updates from the Internet. The Trojan is created using a Trojan-building toolkit.",
+      "value": "Zeus"
+    },
     {
       "meta": {
         "derivated-from": [