{
	"id": "0c9fc809-7415-4f31-9a24-116c54d02307",
	"created_at": "2026-04-06T00:15:33.118697Z",
	"updated_at": "2026-04-10T03:22:06.771168Z",
	"deleted_at": null,
	"sha1_hash": "280cce6bf266d8a3178137ee16b67eece2a51854",
	"title": "ZeuS Panda",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87803,
	"plain_text": "ZeuS Panda\r\nBy Contributors to Wikimedia projects\r\nPublished: 2018-04-08 · Archived: 2026-04-05 20:14:00 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nZeuS Panda, Panda Banker, or Panda is a variant of the original Zeus (Trojan horse) under the banking Trojan\r\ncategory. Its discovery was in 2016 in Brazil around the time of the Olympic Games. The majority of the code is\r\nderived from the original Zeus trojan, and maintains the coding to carry out man-in-the-browser, keystroke\r\nlogging, and form grabbing attacks. ZeuS Panda launches attack campaigns with a variety of exploit kits and\r\nloaders by way of drive-by downloads and phishing emails, and also hooking internet search results to infected\r\npages. Stealth capabilities make not only detecting but analyzing the malware difficult.\r\nZeuS Panda utilizes the capabilities from numerous loaders such as Emotet, Smoke Loader,\r\n[1]\r\n Godzilla,[2] and\r\nHancitor.\r\n[3]\r\n The methods of the loaders vary but the same end state goal of installing ZeuS Panda into a system is\r\nthe same. Many of the loaders were originally trojans before were retooled as a delivery system for ZeuS Panda.\r\nThe delivery mechanisms do not stop necessarily with the aforementioned loaders as Exploit kits such as Angler,\r\nNuclear, Neutrino, Sundown[4] are also utilized. Coders of the ZeuS Panda banking trojan, as well as other trojan\r\ncoders, lean toward employing loaders over exploit kits due to the higher potential yield in monetary gain.[5] The\r\nloaders also add the persistent capability of ZeuS Panda across reboot and also if it is deleted.[6][7] If ZeuS Panda\r\nno longer detected on a system and if the loader is still present, it will re-download the nefarious code and start\r\nrunning all over again.\r\nOne of the key distinctions of ZeuS Panda over other banking trojans is the ability to target systems in specific\r\nregions of the world. It does this by a rudimentary process by which it detects the Human Interface Device code\r\nthe attached keyboard. If a keyboard code from Russia (0x419), Belarus (0x423), Kazakhstan (0x43f) or Ukraine\r\n(0x422) is detected Zeus Panda will self delete. This falls in line with the ethics of Russian cyber criminals abide\r\nto avoid detainment: “Russians must not hack Russians…”, second “If a Russian Intelligence service asks for\r\nhelp, you provide it”, and last “Watch where you vacation”.[8]\r\nZeuS Panda employs many methods of infection, namely drive by downloads, poisoned email, word document\r\nmacro.[9] The drive by downloads are “Downloads which a person has authorized but without understanding the\r\nconsequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component,\r\nor Java applet) automatically.” Including “Any download that happens without a person's knowledge, often a\r\ncomputer virus, spyware, malware, or crimeware.” Poisoned email occurs when a mailing list is injected with a\r\nnumber of invalid e-mail addresses, the resources required to send a message to this list has increased, even\r\nthough the number of valid recipients has not. Command and control servers are how ZeuS Panda is able to spread\r\nacross the vastness of the world but also remain under control by a handful of operators.[10]\r\nhttps://en.wikipedia.org/wiki/ZeuS_Panda\r\nPage 1 of 3\n\nFirst discovered in 2016 prior to the Olympics in Brazil, ZeuS Panda has spread to all parts of the globe in similar\r\nfashion to the original Zeus banking trojan. This is similar to the map of Zeus infections across the global,\r\nespecially in regional concentrations of infection. Locations of the infected domains by region and concentration\r\nare similar to the original Zeus infection locations. Though there are still locations within Russia which are listed\r\nas infections, it is likely to be a standalone server distributing the banking trojan. Countries which are targeted\r\nmore than others are likely based on the GDP.\r\nThere are regions which do not have as many reported infections. Some of the reasons are likely lack of sufficient\r\nGDP to be a target, one of the protected areas which Russian cybercriminals do not attack, or simply lack of\r\nreporting by personnel and antivirus in the region.[10]\r\nStealth capabilities\r\n[edit]\r\nZeuS Panda is able to detect and counter many forensic analytic tools and sandbox environments. Currently there\r\nis at least 23 known tools it can detect and if any of them are found on the system, ZeuS Panda stops installation\r\nand removes itself from the system. Adding the “-f” command line parameter at the start of the malware will do\r\naway with this security feature in effort to raise infection rate at the risk of detection. Aside from the anti-detection\r\ncapabilities, it also has anti-analysis protocols should the “-f” function be used or a program not on the trojans\r\nwatchlist detect it. It does so by inspecting the file, mutex, running process, and registry key.\r\n[11]\r\nAfter the anti-detection and analysis parameters are met, ZeuS Panda will deeply embed itself into the system\r\nregistry. It will looks for empty folders with a long subfolder chain without the names Microsoft or Firefox in the\r\ntree.[10] Encrypting its data adds to the difficulty of detection by cyber forensics. The configuration settings are\r\nencrypted with RC4 and AES encryption, but is also known to use cryptographic hash functions employing\r\nSHA256 and SHA1 algorithms.[11]\r\nCertain anti-virus companies have been able to overcome ZeuS Panda's stealth capabilities and remove it from the\r\ninfected system. Some of them go off of a list of Indicators of Compromise (IoC), and can also determine which\r\ncampaign the version of ZeuS Panda originated. The IoCs are signatures left behind by the malware as well as IP\r\naddresses, hashes, or URLs linked to command and control servers. Once the anti-virus determines it is ZeuS\r\nPanda infecting the system, it goes through an automatic algorithm to completely remove it and its loader if\r\npossible. There are also ways to remove it manually.\r\n[12][13]\r\n1. ^ \"Smoke Loader\".\r\n2. ^ \"New \"Panda Banker\" Trojan Borrows Code From Zeus - SecurityWeek.Com\". www.securityweek.com.\r\n3. ^ \"Malware-Traffic-Analysis.net - 2018-04-04 - Hancitor malspam - Fake DHL notifications\".\r\nwww.malware-traffic-analysis.net.\r\n4. ^ \"Zeus Panda Delivered By Sundown - Targets UK Banks - Forcepoint\". blogs.forcepoint.com. 26 July\r\n2016. Archived from the original on 10 August 2017. Retrieved 8 April 2018.\r\n5. ^ \"Major decline in exploit kits - less financially viable than ransomware\".\r\n[permanent dead link]\r\n6. ^ \"Smoke Loader - downloader with a smokescreen still alive - Malwarebytes Labs - Malwarebytes Labs\".\r\nblog.malwarebytes.com.\r\nhttps://en.wikipedia.org/wiki/ZeuS_Panda\r\nPage 2 of 3\n\n7. ^ \"Panda Banker: New Banking Trojan Hits the Market\". www.proofpoint.com. 20 April 2016.\r\n8. ^ \"Russian Cybercrime Rule No. 1: Don't Hack Russians\". www.bankinfosecurity.com.\r\n9. ^ \"Zeus Panda Targeting - Northwest Bank\". www.bank-northwest.com.\r\n10. ^ Jump up to: a\r\n \r\nb\r\n \r\nc\r\n Berghoff, Tim (11 August 2017). \"Analysis: ZeuS Panda\". www.gdatasoftware.com.\r\n11. ^ Jump up to: a\r\n \r\nb\r\n \"Analysis Results of Zeus.Variant.Panda\" (PDF).\r\n12. ^ \"Panda Banker - IBM X-Force Collection\". exchange.xforce.ibmcloud.com.\r\n13. ^ K., Maria (13 December 2017). \"Zeus Panda Malware Removal (March 2018 Update)\".\r\nSource: https://en.wikipedia.org/wiki/ZeuS_Panda\r\nhttps://en.wikipedia.org/wiki/ZeuS_Panda\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://en.wikipedia.org/wiki/ZeuS_Panda"
	],
	"report_names": [
		"ZeuS_Panda"
	],
	"threat_actors": [],
	"ts_created_at": 1775434533,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/280cce6bf266d8a3178137ee16b67eece2a51854.pdf",
		"text": "https://archive.orkl.eu/280cce6bf266d8a3178137ee16b67eece2a51854.txt",
		"img": "https://archive.orkl.eu/280cce6bf266d8a3178137ee16b67eece2a51854.jpg"
	}
}