{
	"id": "b1a2d34d-6f16-4f48-b37c-f2445bc4690a",
	"created_at": "2026-04-06T00:14:21.655729Z",
	"updated_at": "2026-04-10T13:12:29.248201Z",
	"deleted_at": null,
	"sha1_hash": "2d8a568a2cb330a93f07c54b7fbc5871221e83fb",
	"title": "ToxicPanda: a new banking trojan from Asia hit Europe and LATAM",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6069387,
	"plain_text": "ToxicPanda: a new banking trojan from Asia hit Europe and\r\nLATAM\r\nArchived: 2026-04-05 14:54:41 UTC\r\nKey Points\r\nIn October 2024, the Cleafy Threat Intelligence team identified an anomalous Android banking\r\nTrojan campaign. The campaign was initially associated with TgToxic, a banking trojan family reported\r\nto be spread in Southeast Asia. Subsequent analyses revealed significant differences in the campaign's\r\ncode, and we started tracking this family as ToxicPanda.\r\nToxicPanda's main goal is to initiate money transfers from compromised devices via account takeover\r\n(ATO) using a well-known technique called On-Device fraud (ODF). It aims to bypass bank\r\ncountermeasures used to enforce users’ identity verification and authentication, combined with behavioral\r\ndetection techniques applied by banks to identify suspicious money transfers.\r\nAccording to its source code, ToxicPanda is in an early stage of development, with some commands\r\nappearing as placeholders without a real implementation.\r\nOur investigation successfully identified an active botnet with over 1500 infected devices across Italy,\r\nPortugal, Spain, and Latin America, targeting 16 banking institutions.\r\nAccording to our findings, the TAs (Threat Actors) behind this malware campaign are likely Chinese\r\nspeakers, similar to those responsible for the original TgToxic. Notably, it is uncommon for TAs from this\r\ngeographical origin to conduct \"banking fraud\" operations targeting regions such as Europe and LATAM,\r\nindicating a potential shift or expansion in their operational focus.\r\nExecutive Summary\r\nIn late October 2024, Cleafy’s Threat Intelligence team observed a significant spike in a new Android malware\r\nsample initially classified as TgToxic. However, further analysis revealed that while it shares some bot command\r\nsimilarities with the TgToxic family, the code diverges considerably from its original source. 
Many capabilities\r\ncharacteristic of TgToxic are notably absent, and some commands appear as placeholders without real\r\nimplementation. Based on these findings, we started tracking this family as ToxicPanda.\r\nToxicPanda belongs to the modern RAT generation of mobile malware, as its Remote Access capabilities\r\nallow Threat Actors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting\r\nthe On Device Fraud (ODF) technique. The consolidation of this technique has already been seen in other\r\nbanking trojans, such as Medusa, Copybara, and, recently, BingoMod. Adopting a manual approach has several\r\nadvantages: it requires less skilled developers, TAs can extend the malware's target base to any banking\r\ncustomer, and it bypasses various behavioral detection countermeasures put in place by multiple banks and financial\r\nservices.\r\nhttps://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam\r\nPage 1 of 20\n\nOur analysis will reveal that the TAs behind ToxicPanda are Chinese speakers. Notably, it is uncommon for\r\nTAs from this geographical origin to conduct \"banking fraud\" operations targeting regions such as Europe and\r\nLATAM, indicating a potential shift or expansion in their operational focus.\r\nFurther analysis of the ToxicPanda botnet infrastructure granted our team access to comprehensive telemetry data,\r\nrevealing the full extent of this campaign:\r\nOver 1500 Android devices were infected and remotely controlled during the ToxicPanda fraud campaign\r\nItaly is the primary hotspot, accounting for more than 50% of the infected devices, followed by\r\nPortugal, Spain, France, and Peru.\r\nThis geographical distribution underscores the ToxicPanda botnet's significant reach and adaptability. 
These\r\nnumbers suggest that the operators are expanding their focus beyond primary European targets, hinting at a\r\npotential shift towards Latin America.\r\nThe following table represents a summary of the TTPs behind ToxicPanda campaigns:\r\nFirst Evidence Early/Mid 2024\r\nState Active\r\nAffected Entities Retail banking\r\nTarget OSs Android Devices\r\nTarget Countries Italy, Portugal, Spain, France, Peru\r\nInfection Chain Side-loading via Social Engineering\r\nFraud Scenario On-Device Fraud (ODF)\r\nPreferred Cash-Out Instant Payments\r\nAmount handled (per transfer) Up to 10K EUR\r\nMalicious App Overview\r\nFrom a technical standpoint, this sample exhibits reduced capabilities, especially compared to modern banking\r\ntrojans. However, the notable differences between this sample and its “ancestor”, TgToxic, are intriguing.\r\nMost commands are either not implemented or exhibit poor refactoring, suggesting that TgToxic served as a\r\nfoundational template for this malware. The removal of the Automatic Transfer System (ATS) routine and reduced\r\nobfuscation routines indicates a downgrade in technical sophistication.\r\nThese changes may reflect the developers' inexperience with foreign targets and the challenges of stricter\r\nregulations in certain countries, such as PSD2 (Payment Services Directive). Additionally, the shift in primary\r\ntargets from crypto wallets to financial institutions aligns with the larger demographic of individuals holding bank\r\naccounts, at least for the EMEA region. The embedded notes within the code could further imply unfamiliarity\r\nwith certain technical aspects, highlighting the complexities of adapting and shifting in a “brand new” operational\r\nenvironment.\r\nOur analysts identified the following icons during this investigation. 
It is evident that the TA employs a mix of well-known brands (e.g., Google Chrome, VISA) and decoy icons resembling dating apps to enhance the malware's\r\ndeceptive capabilities and broaden its reach.\r\nFigure 1 - Identified ToxicPanda’s icons\r\nThe malware’s key features include:\r\nAccessibility Service Abuse: By exploiting Android's accessibility services, ToxicPanda can grant elevated\r\npermissions, manipulate user inputs, and capture data from other apps, making it particularly effective in\r\ntargeting banking applications.\r\nRemote Control Capabilities: ToxicPanda enables remote control of the infected device, allowing\r\nattackers to perform various actions, including initiating transactions and modifying account settings\r\nwithout the user's knowledge. With these capabilities, ToxicPanda can enable TAs to perform the On-Device Fraud (ODF) scenario, one of the most dangerous types of banking fraud.\r\nInterception of One-Time Passwords (OTPs): it can intercept OTPs sent via SMS or generated by\r\nauthenticator apps, allowing cybercriminals to bypass 2FA and authorise fraudulent transactions.\r\nUsage of Obfuscation Techniques: ToxicPanda continually evolves its obfuscation methods to avoid\r\ndetection. It uses code-hiding techniques to make it difficult for security researchers to analyse the\r\nmalware.\r\nIn this article, we will not delve into these features in detail, as they no longer introduce anything novel and are\r\nalready widely adopted by modern banking trojans. As previously outlined, the actors behind this campaign likely\r\nprioritized their efforts on the operational aspects, given the linguistic barriers and regulatory challenges specific\r\nto these territories (e.g., PSD2), as well as the sophisticated countermeasures implemented by anti-fraud teams.\r\nFor this reason, in the following chapters, we will focus on some of the unique characteristics identified within the\r\nanalyzed samples. 
We will then shift to a detailed examination of the command and control (C2) infrastructure,\r\nproviding valuable insights into how the group manages and maintains the botnet on an operational level.\r\nTechnical Analysis\r\nSystem configurations and app monitoring\r\nSome interesting artefacts left in the APK are related to files called langs.json and XX.json (where XX is a\r\nlanguage file, e.g., it.json, es.json, etc.).\r\nAnalyzing the langs.json JSON file, we could spot applications and classes associated with different Android\r\nsystems or vendor-specific apps (e.g., Samsung, Xiaomi, Huawei, Oppo). These configurations focus on system-level management applications, backup or cleaning utilities as well as security permissions (all applications likely\r\nto interfere with or limit the purpose of the malware). Moreover, analyzing the whole structure, it is possible to find\r\nsome interesting keys, such as pkg, text and action.\r\nFigure 2 - Blocking interaction with unwanted applications\r\nThose keys are structured to contain specific information that will be parsed later on by the dedicated\r\nmalware component. The figure above shows an example of “preventing” users from removing and generally\r\naccessing system settings, referring them back to the home screen.\r\nIn detail:\r\naction: this field represents the actions that need to be performed.\r\npkg: the application targeted by this action (e.g., com.miui.securitycenter, com.android.systemui,\r\ncom.android.settings.intelligence, com.coloros.safecenter). 
It’s worth mentioning that those packages\r\nalso refer to specific device manufacturers.\r\ntext: a Chinese string that will be used to match the XX.json file containing language translation for target\r\ndevices.\r\nFigure 3 - Parsing the ‘langs.json’ file during the execution\r\nMatching internal telemetry with the mechanism observed, it's also possible to infer the target countries that are the\r\nmain focus of this threat. Limiting targets to Europe, it's possible to observe Italy, Spain, Portugal, France,\r\nGermany, and the UK. However, considering the linguistic ties between Spanish and Portuguese and the LATAM\r\nregion, we must recognize that this area could also be a significant target.\r\nCollecting Phone Images\r\nOne notable characteristic of this malware, which aligns with practices commonly observed among Chinese-speaking developers, is its capability to access phone albums, convert images to BASE64, and transmit them back\r\nto the command and control (C2) server. 
While this technique is not entirely new (it has already been observed\r\nwith malware like TrickMo), it represents a significant strategy for gathering potentially sensitive information\r\n(e.g., screenshots containing login credentials or virtual cards) from user devices.\r\nFigure 4 - Collecting device’s images\r\nDebug and Connection Info\r\nIn addition, it was possible to discover the following config.toml file inside the asset/ folder:\r\nFigure 5 - Network configuration settings (config.toml)\r\nThis file defines configuration settings for a communication or tunneling system, potentially facilitating\r\nconnections between the malware’s infrastructure and remote devices or servers.\r\nAs the previous image shows, this file contains a hardcoded DNS service (114.114.114.114), a Chinese Free\r\nPublic DNS service named 114DNS. While 114DNS is a legitimate public DNS, its use in malware or suspicious\r\nconfigurations can indicate a connection between TAs and China. Also, since this service is not commonly used\r\noutside the region, it suggests that TAs still consider this region a testing ground for setting up their malware operations against\r\nnew geographical regions.\r\nCommand-List\r\nToxicPanda's command names overlap significantly with those used in the TgToxic malware family. Our analysis\r\nidentified 61 commands common to both, with highly distinctive names that suggest their presence in both\r\nmalware is unlikely to be coincidental. This overlap indicates that the same TA (or close affiliates) could be\r\nbehind both malware families.\r\nFigure 6 - Malware commands\r\nConversely, ToxicPanda introduces 33 new commands, some lacking implementation. 
Additionally, several\r\ncommands from TgToxic persist in this variant but remain unimplemented, particularly those associated with\r\nEasyClick, a framework enabling UI automation scripts via JavaScript. In TgToxic, this framework was exploited\r\nto hijack the Android device’s user interface (UI), allowing for actions such as monitoring user input and\r\nautomating clicks and gestures. In contrast, ToxicPanda does not rely on this framework, though its associated\r\ncommands remain in the code with blank implementations.\r\nThe complete list of commands can be found in Appendix 1: Malware Commands.\r\nC2 Communication\r\nToxicPanda contains three hard-coded domains designated for establishing a connection with the Command and\r\nControl (C2) server:\r\ndksu[.]top\r\nmixcom[.]one\r\nfreebasic[.]cn\r\nUnlike more sophisticated malware that may employ advanced techniques such as Domain Generation Algorithms\r\n(DGA) or dynamic configuration updates to determine C2 endpoints, this malware relies on static, pre-defined\r\ndomains embedded directly within its code.\r\nFigure 7 - Hard-coded C2 server domains\r\nIn the analyzed sample, domain selection is managed through a switch statement, which defaults to the first\r\ndomain (dksu[.]top) by setting a specific switch variable to 1. This approach simplifies the initial C2 connection\r\nprocess but reduces the malware's adaptability in cases where one or more of these domains are blocked.\r\nHowever, the C2 server can modify this behavior in real-time by leveraging the setCommandStyle command to\r\nchange the C2 domain remotely, providing some degree of flexibility despite the hard-coded nature of the initial\r\nconfiguration. 
While the malware lacks sophisticated C2 domain generation or obfuscation techniques, combining\r\nhard-coded domains with selective remote configuration demonstrates a balance between simplicity and\r\noperational effectiveness, allowing the attackers to maintain control with minimal complexity.\r\nThe chosen domain is prefixed with the subdomain ctrl to establish communication, and an initial HTTP request is\r\nsent over HTTPS to initiate contact with the C2 server. This “handshake” request prompts a response containing a\r\nJSON payload, including connection parameters such as the port number. This port will subsequently be used for a\r\npersistent connection to the C2 server via the WebSocket protocol, which enables low-latency, bidirectional\r\ncommunication.\r\nFigure 8 - Bot’s registration on the C2 server\r\nWith the WebSocket protocol, the initial message exchange involves a “login” request from the infected device to\r\nthe C2 server. This message includes a unique Device ID, allowing the C2 server to identify, register, and monitor\r\neach infected device within its botnet. Once the login is successful, the C2 server responds with specific\r\ncommands based on the fraud campaign’s goals. These commands, outlined in prior sections, prompt the infected\r\ndevice to carry out malicious actions as instructed by the C2 server.\r\nFigure 9 - WebSocket traffic\r\nToxicPanda employs AES encryption in ECB (Electronic Codebook) mode to secure network communication. The\r\nencryption key is hard-coded within the malware’s source code, derived from a specific byte array, and converted\r\ninto a string format. 
In the sample under analysis, this hard-coded encryption key is 0623U2SKT3YY3QB9P.\r\nFigure 10 - AES encryption routine\r\nA deep dive into ToxicPanda C2 panel\r\nOur analysts successfully obtained visibility into the botnet’s command and control (C2) panel during our\r\ninvestigation into the ToxicPanda Android banking trojan campaign. This visibility was a significant\r\nbreakthrough, providing crucial insights into the operations of the TAs behind this ongoing banking fraud\r\ncampaign.\r\nFigure 11 - C2 panel login page\r\nUnderstanding the inner workings of a botnet control panel is vital in the broader context of Threat Intelligence,\r\nespecially within the realm of Android banking trojans. Visibility into these C2 infrastructures allows analysts to\r\ngather invaluable intelligence regarding the techniques and procedures employed by TAs. It also helps us\r\nunderstand the scope of the compromised devices and the specific actions that operators can perform on infected\r\ndevices.\r\nAccess to such information enhances our ability to develop effective countermeasures, anticipate the attackers'\r\nnext steps, and ultimately disrupt their operations.\r\nFigure 12 - C2 panel dashboard\r\nIn this case, visibility into the botnet’s control panel confirmed that the ToxicPanda campaign was orchestrated by\r\na Chinese-speaking group, a rare occurrence in Europe, where this campaign has primarily occurred. The insights\r\ngleaned from the panel have further deepened our understanding of this group's operational capabilities and\r\nmethods of conducting fraud.\r\nThe “Machine Management” interface is one of the most important sections within the C2 panel. 
As shown in the\r\nfollowing image, this section provides the fraud operators with a detailed overview of each infected Android\r\ndevice connected to the botnet.\r\nFigure 13 - Victim’s list and details\r\nThis interface is organized into several columns, each representing various aspects of the compromised devices,\r\nincluding:\r\nID and Status: Displays each compromised device's identification number and online/offline status.\r\nBrand and Model: Information about the device's make and model helps operators understand its\r\ntechnical specifications.\r\nGeolocation: Shows the geographical region based on the device’s time zone, helping the operators narrow\r\ndown the location of the infected devices.\r\nVersion and Last Seen: This details the software version running on the device and when it was last active\r\non the network.\r\nTAs also have various controls, including updating or resetting scripts, clearing the cache, or removing\r\ndevices from the botnet. These controls enable fraudsters to maintain or upgrade their malware on the devices,\r\nensuring long-term persistence or adjusting their tactics to remain undetected by anti-fraud measures.\r\nA key feature of this botnet is the ability to initiate On-Device Fraud (ODF), a method increasingly favored by\r\nbanking fraudsters. The “Machine Management” interface allows operators to request real-time remote access to\r\nany connected Android device. Once connected, the operator can perform fraudulent transactions directly from the\r\nvictim’s certified device.\r\nFurther analysis of the ToxicPanda botnet infrastructure granted our team access to comprehensive telemetry\r\ndata, revealing the full extent of this campaign. 
This dataset allowed us to map out the geographic distribution of\r\nover 1,500 infected devices, highlighting the regions currently experiencing the heaviest concentration of\r\ninfections.\r\nFigure 14 - Victims’ geographic distribution\r\nThe aggregated data, visualized in the map above, clearly illustrates a pronounced targeting pattern:\r\nItaly is the primary hotspot, accounting for 56.8% of the infected devices. This concentration suggests that\r\nItaly is a strategic focal point for the operators behind ToxicPanda.\r\nPortugal follows, with 18.7% of compromised devices, indicating a secondary target within Europe.\r\nHong Kong is the third most affected region, at 4.6%, potentially reflecting either testing grounds or\r\nemerging targets within Asian markets.\r\nSpain and Peru are also featured on the list, though they have smaller shares of 3.9% and 3.4%,\r\nrespectively. These numbers suggest that the operators are expanding their focus beyond primary European\r\ntargets, hinting at a potential shift towards Latin America.\r\nThis geographical distribution underscores the significant reach and adaptability of the ToxicPanda botnet. By\r\nleveraging these insights, we better understand the botnet's operational focus and can more effectively strategize\r\nregion-specific defenses. The visibility into regional infection patterns also helps financial institutions and local\r\nauthorities in the most impacted areas prioritize mitigation efforts and fortify their anti-fraud measures\r\naccordingly.\r\nMoreover, our analysts can provide valuable insights into the geographic origin of TA connections and the\r\nservices they rely on to access the C2 panel. 
The following image gives an aggregated, high-level view of these\r\nextracted telemetries, highlighting key operational patterns:\r\nFigure 15 - Threat Actors’ origin connections\r\nConclusions\r\nOur telemetry data indicates that the threat posed by ToxicPanda is becoming increasingly prominent, with a\r\nbotnet comprising thousands of devices, primarily across Europe. This TA actively targets Europe and potentially\r\nextends its reach into the LATAM region, leveraging linguistic and cultural ties.\r\nToxicPanda does not yet demonstrate more advanced and unique capabilities that would complicate its analysis.\r\nHowever, artefacts such as logging information, dead code, and debugging files suggest that the malware may\r\neither be in its early stages of development or undergoing extensive code refactoring, particularly given its\r\nsimilarities with TgToxic.\r\nMore broadly, we observe a marked shift as Chinese-speaking TAs expand their focus into new geographical\r\nregions, especially targeting financial institutions and customers in pursuit of banking fraud opportunities. This\r\ntrend underscores the mobile security ecosystem's escalating challenge, as the marketplace is increasingly\r\nsaturated with malware and new threat actors emerge.\r\nAn important question arising from this analysis is not just how to defend against threats like ToxicPanda but why\r\ncontemporary antivirus solutions have struggled to detect a threat that is, in technical terms, relatively\r\nstraightforward. Although there is no single answer, the lack of proactive, real-time detection systems is a primary\r\nissue.\r\nCurrent security approaches emphasize isolated point detections rather than establishing a comprehensive “Early\r\nWarning system”. 
Such a system would enable continuous monitoring of suspicious applications, supporting\r\ntimely classification and mitigation before a full-scale threat can materialize.\r\nAppendix 1: Malware Commands\r\nCommand Description tgToxic ToxicPanda\r\nAwake Keeps the device awake x x\r\nadm Request admin rights. x\r\nadmLock Turn Off Screen x\r\nadmLockRule Requires a password reset x\r\nadmPwd N/A x\r\nadmSet N/A x\r\nantiDeleteOff Deactivates anti-delete mode x x\r\nantiDeleteOn Activates anti-delete mode x x\r\nask_relay N/A x\r\nautoBoot N/A x\r\nautoRequestPerm N/A x\r\nback Activates the back button using the Accessibility service x x\r\nbackstage Check the status of the backstage service x x\r\nblack Activates a black overlay on the screen x x\r\nblackB N/A x x\r\ncallAcc N/A, Verifies if Android Accessibility service is active in TgToxic x\r\ncallAppSetting Opens the app settings x x\r\ncancelAwake Disables device awake mode x x\r\ncancelWakeup Maintains a dimmed screen x x\r\ncapture Takes a screenshot x x\r\ncapturePic Enables screenshot functionality x x\r\ncatAllViewSwitch N/A x x\r\nclickB Clicks within a defined boundary x x\r\nclickInput Selects the input field x x\r\nclickPoint Clicks on a specific point on the screen x x\r\ncloseEnv N/A, Sets the accessibility status to inactive in TgToxic x\r\ncloseProtect N/A x\r\ndoNotDisturb Sets the Do Not Disturb mode on the device x\r\nfetchIcon Retrieves icons of wallet applications x\r\ngestureB Executes a series of gestures x x\r\ngestureCapture Captures user’s gesture x\r\ngoogleAuth N/A, Retrieves Google 2FA code via Accessibility in TgToxic x\r\nhideShortcuts Hides the application icon on the device x\r\nhome Activates the home button using the Accessibility service x x\r\ninit_data Initializes specific application data 
x\r\ninputSend Captures text input x x\r\ninstallApk N/A, Downloads and installs an APK in TgToxic x\r\ninstallPermission N/A x\r\nlight Removes the black screen overlay x x\r\nlightT N/A x\r\nlockScreen Locks the device screen x x\r\nlogMode Modifies the log mode x\r\nopenIntent Displays a floating toolbar x x\r\nopenUrl Open WebPage x\r\npermission Requests all necessary permissions x x\r\npermissionB Automatically grants permissions x x\r\npower N/A x x\r\nreConn N/A x\r\nreOpenMe Reopens the application x x\r\nreadAlbumLast Retrieves the last album file name x\r\nreadAlbumList Retrieves all album file names x x\r\nreadAlbumThumbnail Retrieves thumbnails for all album images x x\r\nreadContactList Retrieves all contact information x x\r\nreadSmsList Retrieves all SMS messages x x\r\nrealtimeOnOff N/A x\r\nrealtimeSet N/A x\r\nrecent Activates the recent button using the Accessibility service x x\r\nreleaseScreenCapture N/A x\r\nreqPerList N/A x x\r\nreqScreenPermission N/A, Requests permission for screen capture in TgToxic x\r\nrequestfloaty N/A, Requests permission for floating windows in TgToxic x\r\nrestartSc Restarts the Easyclick script service x x\r\nrestartMe Restarts the application x x\r\nrightClick Activates the back button x x\r\nscreen_relay Configures screenshot settings x x\r\nscreenshot N/A x\r\nsendAlert Sends an alert notification x\r\nsetAppStyle Modifies the domain used to contact the C2 server x\r\nsetCam Captures a photo x x\r\nsetDebugMode Sets the debug mode x\r\nsetDebugOff Disables debug mode x x\r\nsetDebugOn Enables debug mode x x\r\nsetHideMode Sets the hide mode x\r\nsetWakeup N/A, Schedules a task to 
wake up the device in TgToxic x\r\nshowShortcuts Adds an icon to the home screen x x\r\nstartApk Launch an application on the device x\r\nstartCam Activates the camera x x\r\nstopCam Turns off the camera x x\r\nstopHereTest N/A x\r\nswipePwdScreenOff N/A, Disables enforced password mode in TgToxic x\r\nswipePwdScreenOn N/A, Enforces password entry mode in TgToxic x\r\ntakeScreen Gets screen data x\r\ntouchDown Initiates a downward swipe x x\r\ntouchMove Initiates a move swipe x x\r\ntouchUp Initiates an upward swipe x x\r\ntransparent N/A x\r\nuninstallApk Uninstalls the application x\r\nupdate N/A, Updates Easyclick scripts in TgToxic x\r\nupdateApk N/A, Installs an APK in TgToxic x\r\nwakeup Keeps the screen active x x\r\nwalletList Uploads the list of installed wallet applications x x\r\nwallpaper N/A x x\r\nTLP:AMBER version\r\nThis report is a TLP:WHITE version intended for public dissemination and is based on an\r\noriginal TLP:AMBER report. The TLP:AMBER report was previously shared privately with relevant financial\r\nCERTs, impacted banking institutions, and law enforcement agencies (LEAs). We encourage trusted researchers\r\nand analysts within the community to contact us via email at labs@cleafy.com to request access to the\r\nTLP:AMBER version. 
Access will be granted to those recognized as \"trusted entities,\" allowing for a deeper\r\ninsight into the findings and supporting data behind this analysis.\r\nAppendix 2: Indicators of Compromise (IOCs)\r\nToxicPanda Sample:\r\nHash App name\r\n2f5c4325f77280b2b58be981f9051f04 Chrome\r\n6e0a7e94ce0a1fe70d43fe727dc41061 dbltest\r\n68139c9e7960d3eb956472bdc5ed5ad2 Chrome\r\nf5c44a7044572e39e8fb9fa8e1780924 Chrome\r\n4295dfdd9d9fad74ee08d48d13e2b856 Chrome\r\nC2 servers:\r\nDomains\r\ndksu[.]top\r\nmixcom[.]one\r\nfreebasic[.]cn\r\nDistribution:\r\nDomain Campaign/Decoy\r\nfgta[.]lol 99 Spedmart\r\ndpds[.]lol Chrome\r\ncgtp[.]lol Amore Live\r\natnp[.]lol SK-II\r\nbnwu[.]lol 花花直播 (Braided girl)\r\ndblpap1[.]top dbltest\r\ndblpap2[.]top dbltest\r\ndblpap3[.]top Chrome\r\ndblxz[.]lol eporner\r\ndbltest[.]top dbltest\r\ndbltest6[.]top dbltest\r\ndbltest8[.]top dbltest\r\ncpt[.]lol MindMate\r\nunk[.]lol MindMate\r\n99spedmart[.]me 99 Spedmart\r\nmwscg[.]top Amore Live\r\nckysp[.]top Amore Live\r\nkmpct[.]top Honey Peach\r\nLanding pages:\r\nFigure 16 - Example of Toxic landing pages\r\nMeet the authors:\r\nMichele Roviello\r\nAlessandro Strino\r\nFederico Valentini\r\nSource: https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam"
	],
	"report_names": [
		"toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam"
	],
	"threat_actors": [],
	"ts_created_at": 1775434461,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d8a568a2cb330a93f07c54b7fbc5871221e83fb.pdf",
		"text": "https://archive.orkl.eu/2d8a568a2cb330a93f07c54b7fbc5871221e83fb.txt",
		"img": "https://archive.orkl.eu/2d8a568a2cb330a93f07c54b7fbc5871221e83fb.jpg"
	}
}