{
	"id": "829f35b6-46bd-4ba8-9d77-a7273ee04be0",
	"created_at": "2026-04-06T00:21:23.235284Z",
	"updated_at": "2026-04-10T03:22:50.246916Z",
	"deleted_at": null,
	"sha1_hash": "91940ae4ad0e651e6b380bc2722faa24c948ac5a",
	"title": "Kronos Reborn | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2843704,
	"plain_text": "Kronos Reborn | Proofpoint US\r\nBy Proofpoint Staff, July 24, 2018\r\nPublished: 2018-07-24 · Archived: 2026-04-05 15:06:57 UTC\r\nOverview\r\nThe Kronos banking Trojan was first discovered in 2014 [1] and was a steady fixture in the threat landscape for a few years before largely disappearing. Now a new variant has appeared, with at least three distinct campaigns to date, targeting Germany, Japan, and Poland respectively.\r\nIn April 2018, the first samples of a new variant of the banking Trojan appeared in the wild [2]. The most notable new feature is that the command and control (C\u0026C) mechanism has been refactored to use the Tor anonymizing network. There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded “Osiris” and is being sold on underground markets. In this blog, we present information on the German, Japanese, and Polish campaigns as well as a fourth campaign that appears to be a work in progress and still being tested.\r\nCampaign Analysis\r\nCampaign targeting Germany, June 27-30, 2018\r\nOn June 27, 2018, we observed an email campaign targeting German users with malicious documents. The messages (Figure 1) purported to come from German financial companies and used subjects such as:\r\nAktualisierung unsere AGBs (translated: “Updating our terms and conditions”)\r\nMahnung: 9415166 (translated: “Reminder: 9415166”)\r\nThe attached documents followed the same theme, with file names such as:\r\nagb_9415166.doc\r\nMahnung_9415167.doc\r\nhttps://www.proofpoint.com/us/threat-insight/post/kronos-reborn\r\nPage 1 of 12\r\nFigure 1: Example email used in the German campaign\r\nThe Word documents contained macros that, if enabled, downloaded and executed a new variant of the Kronos banking Trojan. In some cases the attack used an intermediate SmokeLoader stage. Kronos was configured to use http://jhrppbnh4d674kzh[.]onion/kpanel/connect.php as its C\u0026C URL and downloaded webinjects targeting five German financial institutions. Figure 2 shows an example webinject.\r\nFigure 2: Example webinject from the German campaign\r\nCampaign targeting Japan, July 13, 2018\r\nBased on a tweet [3] from a security researcher, we investigated a malvertising chain sending victims to a site containing malicious JavaScript injections. This JavaScript redirected victims to the RIG exploit kit, which was distributing the SmokeLoader downloader. The C\u0026Cs for this downloader were:\r\nhxxp://lionoi.adygeya[.]su\r\nhxxp://milliaoin[.]info\r\nBased on our previous tracking of the threat actor involved in this campaign, we expected to see the chain deliver the Zeus Panda banking Trojan (Figure 3). In this case, however, the final payload was the new version of Kronos (Figure 4).\r\nFigure 3: Previous campaigns distributing SmokeLoader and Zeus Panda for this threat actor\r\nFigure 4: New Kronos campaign from this threat actor on July 14\r\nIn this campaign, Kronos was configured to use http://jmjp2l7yqgaj5xvv[.]onion/kpanel/connect.php as its C\u0026C, and its webinjects targeted thirteen Japanese financial institutions. Figure 5 shows an example webinject from this campaign.\r\nFigure 5: Example webinject from the Japanese campaign\r\nCampaign targeting Poland, July 15-16, 2018\r\nStarting on July 15, 2018, we observed an email campaign targeting users in Poland with malicious documents. The messages used subjects related to fake invoices, such as “Faktura 2018.07.16”, and carried an attachment named “faktura 2018.07.16.doc” (Figure 6). The document exploited CVE-2017-11882 (the Microsoft Office “Equation Editor” vulnerability) to download and execute the new version of Kronos from http://mysit[.]space/123//v/0jLHzUW.\r\nFigure 6: Example of malicious document used in the Polish campaign\r\nThis instance of Kronos was configured to use http://suzfjfguuis326qw[.]onion/kpanel/connect.php as its C\u0026C; at the time of this research it was not returning any webinjects.\r\n“Work in progress” campaign, July 20, 2018\r\nOn July 20, 2018, we observed a new campaign that looked to be a work in progress and still being tested. We are not yet aware of the exact vector for this campaign, but this instance of Kronos is configured to use hxxp://mysmo35wlwhrkeez[.]onion/kpanel/connect.php as its C\u0026C and could be downloaded by clicking the “GET IT NOW” button on a website claiming to offer a streaming music player (Figure 7).\r\nFigure 7: Website distributing new version of Kronos in “Work in progress” campaign\r\nAt the time of research, this campaign was using the test webinject shown in Figure 8.\r\nFigure 8: Webinject used in “Work in progress” campaign\r\nMalware Analysis\r\nKronos malware has been well documented previously ([4] [5] [6] [7]). It is a banking Trojan that uses man-in-the-browser techniques along with webinject rules to modify the web pages of financial institutions inside the victim’s browser, facilitating the theft of user credentials, account information, other user information, and money through fraudulent transactions. It also has keylogging and hidden VNC functionality to support its “banker” activities.\r\nThe new 2018 version shares many similarities with older versions:\r\nExtensive code overlap\r\nSame Windows API hashing technique and hashes\r\nSame string encryption technique\r\nExtensive string overlap\r\nSame C\u0026C protocol and encryption mechanism\r\nSame webinject format (Zeus format)\r\nSimilar C\u0026C panel file layout\r\nPerhaps the most telling sign that the new malware is Kronos is that it still includes a self-identifying string (Figure 9).\r\nFigure 9: Self-identifying Kronos string\r\nOne of the major differences between the new and old versions is the use of .onion C\u0026C URLs along with Tor to anonymize communications. The C\u0026C URLs are stored encrypted in the sample (Figure 10) and can be decrypted using the process shown in Figure 11.\r\nFigure 10: Encrypted C\u0026Cs\r\nFigure 11: Example of C\u0026C decryption using Python\r\nOsiris Banking Trojan\r\nAround the same time that samples of the new version of Kronos were appearing in the wild, an ad for a new banking Trojan called “Osiris” (named after the Egyptian god of rebirth, among other things) appeared on an underground hacking forum (Figure 12).\r\nFigure 12: Text from an ad for the Osiris banking Trojan\r\nSome of the features highlighted in the ad (written in C++, banking Trojan, uses Tor, has form-grabbing and keylogger functionality, and uses Zeus-formatted webinjects) overlap with features we observed in this new version of Kronos.\r\nThe ad gives the size of the bot as 350 KB, which is very close to the size (351 KB) of an early, unpacked sample of the new version of Kronos we found in the wild [8]. This sample was also named “os.exe”, which may be short for “Osiris”.\r\nAdditionally, some file names used in the Japanese campaign discussed above reference the same name:\r\nhxxp://fritsy83[.]website/Osiris.exe\r\nhxxp://oo00mika84[.]website/Osiris_jmjp_auto2_noinj.exe\r\nWhile these connections are speculative, they are worth keeping in mind as research into this threat continues.\r\nConclusion\r\nThe reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape. The first half of this year has been marked by substantial diversity among malicious email campaigns, but banking Trojans in particular have predominated. The Kronos banking Trojan has a relatively long and interesting history, and it looks like it will remain a fixture in the threat landscape for now. This post gave an overview of a new version of the malware that has emerged recently, the primary new feature of which is the use of Tor for C\u0026C communications. While there is significant evidence that this malware is a new version or variant of Kronos, there is also some circumstantial evidence suggesting it has been rebranded and is being sold as the Osiris banking Trojan.\r\nReferences\r\n[1] https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/\r\n[2] https://twitter.com/tildedennis/status/982354212695584768\r\n[3] https://twitter.com/nao_sec/status/1017810198931517440\r\n[4] https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en\r\n[5] https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en\r\n[6] https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/\r\n[7] https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/\r\n[8] https://www.virustotal.com/en/file/e1347d1353775c4b18dc83fbf22f7ba248e1a27f255d7487782dc6f9fee0607d/analysis/\r\nIndicators of Compromise (IOCs)\r\nIOC | Type | Description\r\nbb308bf53944e0c7c74695095169363d1323fe9ce6c6117feda2ee429ebf530d | SHA256 | Mahnung_9415171.doc used in German campaign\r\nhttps://dkb-agbs[.]com/25062018.exe | URL | Mahnung_9415171.doc payload used in German campaign\r\n4af17e81e9badf3d03572e808e0a881f6c61969157052903cd68962b9e084177 | SHA256 | New version of Kronos used in German campaign\r\nhttp://jhrppbnh4d674kzh[.]onion/kpanel/connect.php | URL | Kronos C\u0026C used in German campaign\r\nhttps://startupbulawayo[.]website/d03ohi2e3232/ | URL | Webinject C\u0026C used in the German campaign\r\nhttp://envirodry[.]ca | URL | Contains malicious redirect to RIG EK used in the Japan campaign\r\n5[.]23[.]54[.]158 | IP | RIG EK used in the Japan campaign\r\n3cc154a1ea3070d008c9210d31364246889a61b77ed92b733c5bf7f81e774c40 | SHA256 | SmokeLoader used in the Japan campaign\r\nhttp://lionoi.adygeya[.]su | URL | SmokeLoader C\u0026C used in the Japan campaign\r\nhttp://milliaoin[.]info | URL | SmokeLoader C\u0026C used in the Japan campaign\r\nhttp://fritsy83[.]website/Osiris.exe | URL | New version of Kronos download link used in the Japan campaign\r\nhttp://oo00mika84[.]website/Osiris_jmjp_auto2_noinj.exe | URL | New version of Kronos download link used in the Japan campaign\r\n3eb389ea6d4882b0d4a613dba89a04f4c454448ff7a60a282986bdded6750741 | SHA256 | New version of Kronos used in the Japan campaign\r\nhttp://jmjp2l7yqgaj5xvv[.]onion/kpanel/connect.php | URL | Kronos C\u0026C used in the Japan campaign\r\nhttps://kioxixu.abkhazia[.]su/ | URL | Webinject C\u0026C used in the Japan campaign\r\n045acd6de0321223ff1f1c579c03ea47a6abd32b11d01874d1723b48525c9108 | SHA256 | “Faktura 2018.07.16.doc” used in the Poland campaign\r\nhttp://mysit[.]space/123//v/0jLHzUW | URL | New version of Kronos download link used in the Poland campaign\r\ne7d3181ef643d77bb33fe328d1ea58f512b4f27c8e6ed71935a2e7548f2facc0 | SHA256 | New version of Kronos used in the Poland campaign\r\nhttp://suzfjfguuis326qw[.]onion/kpanel/connect.php | URL | Kronos C\u0026C used in the Poland campaign\r\nhttp://gameboosts[.]net/app/Player_v1.02.exe | URL | New version of Kronos download link used in “Work in progress” campaign\r\n93590cb4e88a5f779c5b062c9ade75f9a5239cd11b3deafb749346620c5e1218 | SHA256 | New version of Kronos used in “Work in progress” campaign\r\nhttp://mysmo35wlwhrkeez[.]onion/kpanel/connect.php | URL | Kronos C\u0026C used in “Work in progress” campaign\r\nSource: https://www.proofpoint.com/us/threat-insight/post/kronos-reborn",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/kronos-reborn"
	],
	"report_names": [
		"kronos-reborn"
	],
	"threat_actors": [],
	"ts_created_at": 1775434883,
	"ts_updated_at": 1775791370,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91940ae4ad0e651e6b380bc2722faa24c948ac5a.pdf",
		"text": "https://archive.orkl.eu/91940ae4ad0e651e6b380bc2722faa24c948ac5a.txt",
		"img": "https://archive.orkl.eu/91940ae4ad0e651e6b380bc2722faa24c948ac5a.jpg"
	}
}