{
	"id": "d67dc346-56de-47f8-95c1-6b0140c40ceb",
	"created_at": "2026-04-06T00:21:35.783876Z",
	"updated_at": "2026-04-10T03:36:47.739601Z",
	"deleted_at": null,
	"sha1_hash": "687319a1eb691ff1004846ce8047698e34afb9ae",
	"title": "Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 579343,
	"plain_text": "Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan | Proofpoint US\r\nPublished: 2016-07-26 · Archived: 2026-04-05 23:47:48 UTC\r\nUpdated August 2, 2016, to reflect new information about the malware referenced in this post; additional details added at the bottom.\r\nWhile many email providers, clients, and anti-spam engines have become adept at detecting spam, malicious messages sent via high-profile, legitimate providers are much harder to catch. Threat actors continue to look for new ways to bypass these engines and, in the latest example of innovative approaches to malware distribution, have managed to co-opt PayPal services in a small campaign.\r\nProofpoint analysts recently noticed an interesting abuse of a legitimate service in order to deliver malicious content. Specifically, we observed emails with the subject “You’ve got a money request” that came from PayPal. The sender does not appear to be faked: instead, the spam is generated by registering with PayPal (or using stolen accounts) and then using the portal to “request money.” We are not sure how much of this process was automated and how much manual, but the email volume was low.\r\nhttps://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan\r\nPage 1 of 11\n\nFigure 1: Email delivering malicious content\r\nAlthough the actual email address is obscured in Figure 1, this message was sent to a Gmail inbox. Gmail failed to block the email since it appears legitimate. PayPal’s money request feature allows adding a note along with the request, where the attacker crafted a personalized message and included a malicious URL.
In a double whammy, the recipient here can fall for the social engineering and lose $100, click on the link and be infected with malware, or both.\r\nIf the user does click on the Goo.gl link, they are redirected to katyaflash[.]com/pp.php, which downloads an obfuscated JavaScript file named paypalTransactionDetails.jpeg.js to the user’s system. If the user then opens the JavaScript file, it downloads an executable from wasingo[.]info/2/flash.exe. This executable is Chthonic, a variant of the Zeus banking Trojan. The command and control (C\u0026C) for this instance is kingstonevikte[.]com. The following screenshot more clearly illustrates the sequence of events:\r\nFigure 2: Network traffic generated starting with the user clicking on the malicious URL and opening the downloaded JavaScript\r\nIt is also interesting that Chthonic downloads a second-stage payload, a previously undocumented malware “AZORult” which we are currently investigating:\r\nFigure 3: Logo used internally by the AZORult module\r\nConclusion\r\nAlthough the scale of this campaign appeared to be relatively small (this particular example was only detected through one of our spamtraps; as of the writing of this blog, the malicious link has only been clicked 27 times according to Google Analytics for the URL shortener), the technique is both interesting and troubling. For users without anti-malware services that can detect compromised links in emails and/or phone homes to a C\u0026C, the potential impact is high.
At the same time, the combined social engineering approach of requesting money via PayPal from what appears to be a legitimate source creates additional risk for untrained or inattentive recipients, even if they are not infected with the malicious payload.\r\nPayPal has been notified of this particular abuse of service, but this represents yet another technique threat actors can use to bypass traditional defenses, regardless of the specific provider.\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\n[hxxp://goo[.]gl/G7z1aS?paypal-nonauthtransaction.jpg] | URL | URL in the email message\r\n[hxxp://katyaflash[.]com/pp.php] | URL | URL after the goo.gl redirect (hosting the JS)\r\n865d2e9cbf5d88ae8b483f0f5e2397449298651381f66c55b7afd4b750eb4da4 | SHA256 | paypalTransactionDetails.jpeg.js\r\n[hxxp://wasingo[.]info/2/flash.exe] | URL | JavaScript payload\r\n0d2def167ecf39a69a7e949c88bb2096cfd76f7d4bf72f1b0fe27a9da686c141 | SHA256 | flash.exe\r\nkingstonevikte[.]com | Domain | Chthonic C\u0026C\r\n[hxxp://www.viscot[.]com/system/helper/bzr.exe] | URL | Chthonic 2nd Stage hosting\r\n10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a | SHA256 | Chthonic 2nd Stage (AZORult)\r\n[91.215.154[.]202/AZORult/gate.php] | URL | AZORult C\u0026C\r\nSelect ET Signatures that would fire on such traffic:\r\n2810099 || ETPRO TROJAN Chthonic CnC Beacon\r\n2811901 || ETPRO TROJAN Chthonic CnC Beacon\r\n2821358 || ETPRO TROJAN Win32/Zbot Variant Checkin\r\nThe information below was added based on additional background research conducted by Proofpoint analysts.\r\nOn July 31, Proofpoint researchers discovered an advertisement in an underground forum for the AZORult information stealer. This was the second-stage payload that Chthonic delivered to infected machines.
The original ad in mixed Russian and English appears on top with our translation below:\r\nOriginal Ad\r\n[AZORult - Passwords, cookies, bitcoin, desktop files, etc stealer]\r\nМногофункциональный стиллер.\r\nФункционал:\r\n• Stealer сохраненных паролей из следующих программ(browsers, email, ftp, im):\r\nGoogle Chrome\r\nGoogle Chrome x64\r\nYandexBrowser\r\nOpera\r\nMozilla Firefox\r\nInternetMailRu\r\nComodoDragon\r\nAmigo\r\nBromium\r\nChromium\r\nOutlook\r\nThunderbird\r\nFilezilla\r\nPidgin\r\nPSI\r\nPSI Plus\r\n• Stealer cookies(Стиллер куков) из браузеров + данные автозаполнения форм(formhistory, autofill)\r\nПоддерживаемые браузеры:\r\nGoogle Chrome\r\nGoogle Chrome x64\r\nYandexBrowser\r\nOpera\r\nMozilla Firefox\r\nInternetMailRu\r\nComodoDragon\r\nAmigo\r\nBromium\r\nChromium\r\nКуки в следующем формате, для удобного экспорта(Netscape cookie file format):\r\nInstagram[.]com    FALSE     /    FALSE     11129062731157896     csrftoken ebc08a134952abc6a5c36fb54c1aaaa\r\n.microsoft[.]com   TRUE /    FALSE     13140111158000000  TocPosition     1\r\nwww.searchengines[.]ru  FALSE     /    FALSE     11138811175911879     OAИCAP    640.1\r\nvsokovikov.narod[.]ru   FALSE     /    FALSE     11168272384aaa000     __utma   1.211136481.14511109932.14658111726.1496725111.1\r\nvsokovikov.narod[.]ru   FALSE     /    FALSE     13111168384000111     __utmz     1.1250111526.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n• Bitcoin clients files\r\nСобирает файлы wallet.dat популярных биткоин клиентов (bitcoin, litecoin, etc)\r\n• Skype message history.\r\nГрабит файл с базой данных переписки. Файл читается специальными утилитами.\r\n• Desktop files grabber.\r\nСобирает файлы указанных расширений с рабочего стола. Фильтр по размеру файла.
Также рекурсивно ищет файлы во вложенных папках.\r\n• Список установленных программ.\r\n• Список запущенных процессов.\r\n• Username, compname, OS, RAM\r\nНеобходимый функционал можно включать/выключать в админке.\r\nВ админке просматривается список поступивших отчетов, список сохраненных паролей из этих отчетов. Фильтры по дате, по типу паролей, поиск по базе.\r\nОстальные данные сохраняются в zip архив(отдельный для каждого отчета). Данные в архиве разложены по папкам.\r\nВ архиве хранятся все данные, в админке только список отчетов и пароли.\r\n[]Browsers\r\n-[]Autocomplete\r\n--Google_Chrome_Default.txt\r\n-[]Cookies\r\n--Google_Chrome_Default.txt\r\n--MozillaFirefox_tpsasn.default-111340945411.txt\r\n[]Coins\r\n-[]Bitcoin\r\n--wallet.dat\r\n-[]Litecoin\r\n--wallet.dat\r\n...\r\nInfo.txt\r\nPasswords.txt\r\nProcess.txt\r\nProgramms.txt\r\nСофт поставляется в виде:\r\n.EXE - при запуске собирается необходимая инфа и отправляется на сервер\r\n.DLL - при подгрузке dll (DLL_PROCESS_ATTACH) собирается необходимая инфа и отправляется на сервер\r\n.DLL(thread) - при подгрузке dll (DLL_PROCESS_ATTACH) создается отдельный поток, в котором производится необходимая работа(собирается необходимая инфа и отправляется на сервер).
Например для использования как плагина для популярных лоадеров.\r\nСкриншоты:\r\n[Screenshots linked in the original ad – displayed here]\r\nЦена: $100\r\nРебилд: $30\r\nСвязь(jabber): [Redacted]@exploit[.]im\r\n**************************************\r\nTranslation:\r\n[AZORult - Passwords, cookies, bitcoin, desktop files, etc stealer]\r\nMultifunctional Stealer.\r\nFunctions:\r\n• Stealer of saved passwords from the following programs (browsers, email, ftp, im):\r\nGoogle Chrome\r\nGoogle Chrome x64\r\nYandexBrowser\r\nOpera\r\nMozilla Firefox\r\nInternetMailRu\r\nComodoDragon\r\nAmigo\r\nBromium\r\nChromium\r\nOutlook\r\nThunderbird\r\nFilezilla\r\nPidgin\r\nPSI\r\nPSI Plus\r\n• Stealer of cookies from browsers and forms (form history, autofill)\r\nSupported Browsers:\r\nGoogle Chrome\r\nGoogle Chrome x64\r\nYandexBrowser\r\nOpera\r\nMozilla Firefox\r\nInternetMailRu\r\nComodoDragon\r\nAmigo\r\nBromium\r\nChromium\r\nCookies are in the following format, for easy export (Netscape cookie file format):\r\ninstagram[.]com  FALSE /  FALSE  11129062731157111  csrftoken  yyyc08a1349526c46a5c36fb54c1ayyy\r\n.microsoft[.]com  TRUE /  FALSE  11140260158000111  TocPosition  1\r\nwww.searchengines[.]ru  FALSE /  FALSE  11138826175965111  OAИCAP  111.1\r\nvsokovikov.narod[.]ru  FALSE /  FALSE  11168272384000111  __utma  1.111136481.1458509111.1465826111.1496725111.1\r\nvsokovikov.narod[.]ru  FALSE /  FALSE  13120968384000111  __utmz  1.1110722526.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n• Bitcoin clients files\r\nCollects wallet.dat files from popular bitcoin clients (bitcoin, litecoin, etc)\r\n• Skype message history.\r\nGrabs the chat history database file. The file is read with special utilities.\r\n• Desktop files grabber.\r\nCollects files with specified extensions from the Desktop. Filter by file size. Recursively searches for files in subfolders.\r\n• List of installed programs\r\n• List of running processes\r\n• Username, compname, OS, RAM\r\nThe necessary functions can be turned on and off in the admin panel.\r\nThe admin panel has a list of received reports and a list of saved passwords from those reports. It has filters by date and type of password, and search in the database.\r\nThe rest of the data from reports is saved as a zip archive, a separate one for each report. The data is sorted into folders. The archive contains all data, while the admin panel holds only the list of reports and passwords.\r\n[]Browsers\r\n-[]Autocomplete\r\n--Google_Chrome_Default.txt\r\n-[]Cookies\r\n--Google_Chrome_Default.txt\r\n--MozillaFirefox_tpasdn.default-111140945111.txt\r\n[]Coins\r\n-[]Bitcoin\r\n--wallet.dat\r\n-[]Litecoin\r\n--wallet.dat\r\n...\r\nInfo.txt\r\nPasswords.txt\r\nProcess.txt\r\nProgramms.txt\r\nSoftware is delivered as:\r\n.EXE - when started, collects the necessary info and sends it to the server\r\n.DLL - when the DLL is loaded (DLL_PROCESS_ATTACH), collects the necessary info and sends it to the server\r\n.DLL(thread) - when the DLL is loaded (DLL_PROCESS_ATTACH), creates a new thread which does the work (collects the necessary info and sends it to the server), for example for use as a plugin for popular loaders\r\nPrice: $100\r\nRebuild: $30\r\nContact(jabber): [Redacted]@exploit[.]im\r\nSource: https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan"
	],
	"report_names": [
		"threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434895,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/687319a1eb691ff1004846ce8047698e34afb9ae.pdf",
		"text": "https://archive.orkl.eu/687319a1eb691ff1004846ce8047698e34afb9ae.txt",
		"img": "https://archive.orkl.eu/687319a1eb691ff1004846ce8047698e34afb9ae.jpg"
	}
}