{
	"id": "9b6fc3be-3206-4762-b678-78619fdca021",
	"created_at": "2026-04-06T00:07:11.799977Z",
	"updated_at": "2026-04-10T13:13:01.589187Z",
	"deleted_at": null,
	"sha1_hash": "7c1d7978c0f9c2759d3ceb22ccbf803953440f33",
	"title": "CoreBot banking trojan malware returns after two-year break",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53694,
	"plain_text": "CoreBot banking trojan malware returns after two-year break\r\nBy Written by Danny Palmer, Senior WriterSenior Writer Nov. 3, 2017 at 7:18 a.m. PT\r\nArchived: 2026-04-05 17:30:09 UTC\r\nVideo: Ransomware using trojan trick to expand threat\r\nA form of banking trojan malware has suddenly reappeared after a two-year break and is targeting online banking\r\ncustomers.\r\nTech Pro Research\r\nCoreBot trojan was mainly active in the summer of 2015, after suddenly switching its focus to target banks. After\r\na relatively short campaign, the malware seemingly disappeared until making a sudden reappearance this week.\r\nSpotted by researchers at Deep Instinct, a new version of CoreBot is being distributed in spam email campaigns\r\nwith the intention of stealing information from customers of Canadian banking websites.\r\nCustomers of TD, Des-Jardins, RBC, Scotia Bank, Banque National are all targeted by those behind the campaign,\r\nwith successful execution of the malware allowing the attackers to steal the credentials of infected users as they\r\nlogin into these sites.\r\nThe new CoreBot campaign claims to be an invoice and thanks the target for making a payment - a common tactic\r\nused in phishing campaigns which aims to panic the victim into thinking they've lost money.\r\ncorebot-lire.png\r\nCoreBot email lure.\r\nImage: Deep Instinct\r\nThe email contains a 'view invoice' link, which if clicked initiates the download of the malicious payload. 
This is\r\ndifferent to previous CoreBot campaigns which distributed spam emails with malicious Word documents\r\ncontaining the payload.\r\nThis version of CoreBot also comes with new evasion techniques in an attempt to avoid analysis of the\r\nmalware code, indicating those behind it have spent time developing their malicious product to be stealthier.\r\nResearchers also note that the command and control server domain has switched to a different IP address since the\r\nlast known CoreBot campaign. Meanwhile, the IP addresses delivering the malware appear to be based in France\r\nand Canada.\r\nInitial examination of the new CoreBot malware suggests it's related to other active banking malware campaigns,\r\nalthough researchers haven't yet stated which.\r\nIt's also uncertain who is behind this criminal campaign, but artefacts in the code could potentially point to a\r\nChinese link, Deep Instinct told ZDNet.\r\nAnalysis of CoreBot is still ongoing, but bank customers are instructed to be cautious of any messages about an\r\nunexpected payment.\r\nSource: https://www.zdnet.com/article/corebot-banking-trojan-malware-returns-after-two-year-break/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/corebot-banking-trojan-malware-returns-after-two-year-break/"
	],
	"report_names": [
		"corebot-banking-trojan-malware-returns-after-two-year-break"
	],
	"threat_actors": [],
	"ts_created_at": 1775434031,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c1d7978c0f9c2759d3ceb22ccbf803953440f33.pdf",
		"text": "https://archive.orkl.eu/7c1d7978c0f9c2759d3ceb22ccbf803953440f33.txt",
		"img": "https://archive.orkl.eu/7c1d7978c0f9c2759d3ceb22ccbf803953440f33.jpg"
	}
}