{
	"id": "9d13cf64-4efa-4d13-ac9f-9536fd741e87",
	"created_at": "2026-04-06T00:10:47.899858Z",
	"updated_at": "2026-04-10T03:20:30.329968Z",
	"deleted_at": null,
	"sha1_hash": "0aaaabdf6570586606b9bc7b5a7a073566c79a99",
	"title": "Zeus Panda Banking Trojan Targets Online Holiday Shoppers | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1230079,
	"plain_text": "Zeus Panda Banking Trojan Targets Online Holiday Shoppers |\r\nProofpoint US\r\nBy December 14, 2017 Proofpoint Staff\r\nPublished: 2017-12-14 · Archived: 2026-04-05 21:07:55 UTC\r\nOverview\r\nBanking Trojans work by injecting code into web pages as they are viewed on infected machines, allowing the\r\nmalware to harvest banking credentials and credit card information as victims interact with legitimate sites. Most\r\noften, the injects -- the code that actually performs the man-in-the-browser attacks -- are configured for region-specific banking sites. More recently, we have seen injects for online payment sites, casinos, retailers, and more\r\nappearing in banking Trojan campaigns.\r\nSince November -- a period of time that includes Thanksgiving, Black Friday, Cyber Monday and now leading up to\r\nChristmas -- we have observed Zeus Panda banking Trojan campaigns that have an increasing focus on non-banking\r\ntargets with an extensive list of injects clearly designed to capitalize on holiday shopping and activities.\r\nMore specifically, these Zeus Panda (aka Panda Banker) campaigns expanded their injects to a variety of online\r\nshopping sites for brick and mortar retailers like Zara, specialty online retailers, travel sites, and video streaming\r\nsites, among others. The vast majority of these new targets will potentially see higher-than-normal numbers of credit\r\ncard transactions for the holidays. While Zeus Panda can be configured to steal a variety of information, these injects\r\ncollected the credit card number, address, phone number, DOB, SSN, and security question-related information such\r\nas mother’s maiden name.\r\nAnalysis\r\nOn December 11, a campaign targeted UK business users with a fake resume attachment named “resume.doc”\r\n(Figure 1) delivered via email. 
The subject line “Application submitted from Gumtree Jobs by [First Last Names] for\r\nField Sales Consultant - Status: Emailed” referenced a job application via “Gumtree Jobs”, a legitimate jobs and\r\nclassified advertising platform with users in the UK, Australia, New Zealand, and South Africa. The actor abused the\r\nGumtree brand to lend legitimacy to the campaign but the site itself was not directly abused to send the fraudulent\r\napplications.\r\nhttps://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers\r\nPage 1 of 6\n\nFigure 1: Fake resume document attachment contains macros that, if enabled, launch PowerShell code to download\r\nZeus Panda\r\nHowever, we first observed this instance of Zeus Panda targeting Canadian companies in November, before the\r\nThanksgiving holiday. For example, on November 13, we observed malicious emails with the subject “Your package\r\nis ready to be picked up” containing URLs linking to Microsoft Word documents such as “receipt-package-5a0a062cae04a.doc”. The documents used macros to download Zeus Panda.\r\nFigure 2: The malicious URLs redirect to another landing page (hxxps://canadapost-packagecenter[.]com/), which in\r\nturn starts the document download\r\nFigure 3: The malicious document receipt-package-5a0a062cae04a.doc contains macros that, if enabled, launched\r\nPowerShell code to download Zeus Panda\r\nThese instances of Zeus Panda include injects that feature wildcards for increased flexibility and, as noted, target a\r\ndisproportionate number of non-bank organizations. 
This campaign provides an example of the ongoing evolution of\r\nbanking Trojans and their uses, as well as the tendency for threat actors to build campaigns around major events and\r\nseasonal trends.\r\nConclusion\r\nUsers infected with banking Trojans like Zeus Panda often do not know they are infected as the malware conducts\r\nman-in-the-middle/browser attacks, quietly harvesting credit card numbers or banking credentials as users visit\r\nlegitimate banking and online shopping sites. While we have reported on previous examples of banking Trojans\r\ntargeting non-banking services, the timing and specific injects of these recent attacks are clearly focused on online\r\nholiday shoppers, travelers, and holiday activities, with far more retail-related and other non-banking injects than we\r\nnormally associate with a banking Trojan attack. For consumers, keeping endpoint protection up to date is the best\r\ndefense, although few endpoint antivirus systems can currently detect the malicious nature of this particular\r\ndocument. Organizations can protect users at many levels - the email gateway, the network gateway, and the\r\nendpoint. 
During the holidays, when many users will be traveling or using corporate devices from home, requiring\r\nthe use of a VPN can ensure that computers are protected and banking Trojan-related traffic can be detected and\r\nblocked whether or not a user is physically in the office.\r\nIndicators of Compromise (IOCs)\r\nDecember 11 campaign\r\nIOC | IOC Type | Description\r\nhxxp://80.82.67[.]217/moo[.]jpg | URL | Document payload\r\n5f7a1b02d5b2904554e65bd01a12f1fa5ff2121eef53f3942c4e9e29c46bdce3 | SHA256 | Panda\r\ngromnes[.]top | Domain | Panda C\u0026C\r\naklexim[.]top | Domain | Panda C\u0026C\r\nkichamyn[.]top | Domain | Panda C\u0026C\r\ne13594d83f2a573627e742baf33298b9eeec1ebb8c7955304b8c35559e5f23dc | SHA256 | Attachment\r\nNovember 13 campaign\r\nIOC | IOC Type | Description\r\nhxxp://www.nfk-trading[.]com/analyticsmmrxbctq/redirect/0849e22e843170e1600c1910df8cf9da-id-qblozsmn-to-package-awaiting | URL | Malicious URL in email\r\nhxxps://canadapost-packagecenter[.]com/ | URL | Landing page redirection\r\n2514dbf1549b517692e415af85baa6e5eca926cdedb526d2e255b5943501d98b | SHA256 | receipt-package-5a0a062cae04a.doc\r\nhxxp://89.248.169[.]136/bigmac.jpg | URL | Document payload\r\nae92a4a5bc64db6af23219d7fa2d8bce98a5d7eb2eff7193e4f49698e3e5650d | SHA256 | Bigmac.jpg (Panda executable)\r\ngromnes[.]top | Domain | Panda C\u0026C\r\nET and ETPRO Suricata/Snort Signatures\r\n2825353 | ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate Detected\r\nSource: https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers"
	],
	"report_names": [
		"zeus-panda-banking-trojan-targets-online-holiday-shoppers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434247,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0aaaabdf6570586606b9bc7b5a7a073566c79a99.pdf",
		"text": "https://archive.orkl.eu/0aaaabdf6570586606b9bc7b5a7a073566c79a99.txt",
		"img": "https://archive.orkl.eu/0aaaabdf6570586606b9bc7b5a7a073566c79a99.jpg"
	}
}