The following is an example of a simple Python script that decrypts the string "CHXV" back to "ZEUS":
>>> chr_set = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
>>> key = 3
>>> cipher_text = "CHXV"
>>> plain_text = ""
>>> for ch in cipher_text:
j = chr_set.find(ch.upper())
plain_index = (j-key) % len(chr_set)
plain_text += chr_set[plain_index]
>>> print plain_text
ZEUS
Some malware samples may use a modified version of Caesar (shift) cipher; in that case, you can modify the previously mentioned script to suit your needs. The malware WEBC2-GREENCAT, used by the APT1 group, fetched the content from the C2 server and decrypted the content using the modified version of caesar cipher. It used a 66-character' character set, abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._/-, and a key of 56.