{
	"id": "6f55e5e9-2fef-457d-a33f-67bfce79c2dc",
	"created_at": "2026-04-06T00:10:46.945265Z",
	"updated_at": "2026-04-10T03:24:29.791943Z",
	"deleted_at": null,
	"sha1_hash": "9382ba75c87114e56b460db75ff02adc30663e41",
	"title": "Criminals in a festive mood",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105007,
	"plain_text": "Criminals in a festive mood\r\nBy Global Threat Intelligence\r\nPublished: 2017-12-12 · Archived: 2026-04-05 17:07:43 UTC\r\nThis morning the Fox-IT Security Operations Center observed a large number of phishing e-mails that contained a link to a downloadable zip file. Anyone downloading and opening that zip file would infect themselves with banking malware, which would subsequently try to lure the victim into divulging their credit card information.\r\nSo far nothing new: e-mail as attack vector, distribution of the Zeus Panda banking trojan, targeting the same institutions.\r\nExcept that this time, it appears the criminals are preparing for the festive season. What stood out to us is the inclusion of a number of local retailers that are now targeted by this banking trojan. Some targeted websites which were extracted from the configuration are:\r\nCoolblue\r\nBooking.com\r\nOtto\r\nAmazon\r\nDe Volksbank (SNS, ASN \u0026 Regiobank)\r\nING\r\nABN Amro\r\nKnab\r\nTriodos\r\nSo now, when someone has infected themselves with this malware by opening the malicious zip file, the malware will ask for their credit card details not only when they visit their bank’s website, but also when they visit an online retailer for (Christmas) shopping.\r\nRead on for recommendations, notable observations, stats and screenshots, and technical details including indicators of compromise.\r\nRecommendations\r\nThe usual recommendations for end users apply: be alert for criminals attacking you by sending legitimate-looking e-mails with links and attachments. And be alert for websites behaving differently and asking for credit card details or other personal data where they normally don’t. If you suspect an infection, you may check out a website from a different device to see if it behaves the same. If it doesn’t, you may be infected.\r\nThe e-mail itself is nothing out of the ordinary. 
It appears to be targeting the Netherlands and Germany, using Dutch text and faking the Dutch DHL Group. This is what it looks like:\r\nBeste heer/mevrouw,\r\nUW ZENDING IS ONDERWEG ,Informatie Over Uw Zending is in dokument.\r\nControleer hieronder uw zending- en contactgegevens. Klik op om te bevestigen.\r\nBedankt dat u heeft gekozen voor On Demand Delivery.\r\nDHL Express – Excellence. Simply delivered.\r\nNederlandse Post DHL Group\r\n(English translation of the lure; the odd punctuation and spelling are in the original: Dear Sir/Madam, YOUR SHIPMENT IS ON ITS WAY, information about your shipment is in the document. Check your shipment and contact details below. Click to confirm. Thank you for choosing On Demand Delivery. DHL Express – Excellence. Simply delivered. Nederlandse Post DHL Group)\r\nFor organisations, the recommendations are also familiar: isolate any infected systems prior to cleaning them, change any password that was used after infection and consider client certificates on that system compromised. You may refer to the indicators of compromise later on in this post.\r\nAdditional interesting observations\r\nThe malware that is being distributed is called Zeus Panda, which we have followed for almost two years now. It is a variant of the Zeus family of malware that Fox-IT has observed since around 2006, for the purpose of protecting its own customers. The name Zeus Panda comes from the web panel used by the malware operators.\r\nAt the time of writing, the two malicious zip files referred to in the e-mails had received a little over 48 thousand clicks, mostly in the Netherlands, but also in other parts of Western Europe and some in North America. Out of those 48 thousand clicks, only 11 thousand came from a Windows system, which is the only platform that the malware runs on. The other 37 thousand people were safe! A clear example and proof of the shotgun approach that criminals still successfully use.\r\nAlso interesting is the clunky nature of the injects. 
As shown in the screenshots below, the code that the criminals inject into the website on the infected system looks, well, unfinished.\r\nFull statistics\r\nThe links in the e-mails are Google shortened URLs, which download the zip file from one of\r\nhxxp://partytimeevents.nl/contactgegevens%2012_2017_10_00_.zip\r\nhxxp://stegengaweb.nl/files/contactgegevens%2012_2017_10_00_.zip\r\nBy default Google shortened URLs keep track of the following statistics:\r\n– Amount of clicks\r\n– Used browsers\r\n– Referrers\r\n– Countries\r\n– Platforms\r\nRequesting the statistics of the shortened URLs results in the following statistics for each link (screenshots of the click, browser, referrer, country and platform statistics; not preserved in this text extraction).\r\nScreenshot of the inject asking for credit card details\r\nOn an infected system, Zeus Panda injects extra code into targeted web pages as they are rendered in the victim’s browser; the retailer’s own site and server are untouched. Once the code is injected into one of the targeted web pages, an extra form is added for credit card information. For example, Coolblue’s webshop page would look like this, clunky and unfinished. Please note that Coolblue has no control over the fact that criminals attempt to inject code into their website from infected machines.\r\n(Screenshot: Zeus Panda Banker web inject)\r\nEDIT: the total click count for both domains has increased to a total of 66 thousand, even though both ZIP files are not available anymore.\r\nIndicators of Compromise\r\n—Dropper—\r\nhxxp://partytimeevents.nl/contactgegevens%2012_2017_10_00_.zip (compromised website)\r\nhxxp://stegengaweb.nl/files/contactgegevens%2012_2017_10_00_.zip (compromised website)\r\nhxxp://axprofessional.it/onenl.exe\r\n—Command-and-Control—\r\nhxxps://avimart.ru/3inexowtoqiyzlonyunku.dat\r\nhxxps://astronatal.ru/2odirnaogfaugdoxiwoex.dat\r\nhxxps://abci.ru/1yhubydnopyakleqinyyx.dat\r\n185.224.133.57 (SSL connection)\r\n—External panel for injects—\r\nhxxps://adsfun.club/\r\n—Hashes—\r\ncontactgegevens 2012_2017_10_00.zip\r\nMD5: aefc0fe15836165291cb66eac5ffd177\r\nSHA256: 588e31ac96bd6318f787602e87f86b75d4b5537679e11ba5a509589148033275\r\ncontactgegevens 12_2017_10_00_.js\r\nMD5: deb9a0aa69270a0b263b80ed13880b24\r\nSHA256: eb65b1d5f5b3ccc263a4984275c084b63b0a262a87d55887d6a4d744a75e4112\r\nonenl.exe\r\nMD5: 4ac38a4efa276f8d64c1ed39a53e7ab8\r\nSHA256: e556273db50d4588d7e4b5183d06d39b0ebedbb094fc2a39b59416212c829324\r\nPublished December 12, 2017; last updated December 13, 2017\r\nSource: https://blog.fox-it.com/2017/12/12/criminals-in-a-festive-mood/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.fox-it.com/2017/12/12/criminals-in-a-festive-mood/"
	],
	"report_names": [
		"criminals-in-a-festive-mood"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434246,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9382ba75c87114e56b460db75ff02adc30663e41.pdf",
		"text": "https://archive.orkl.eu/9382ba75c87114e56b460db75ff02adc30663e41.txt",
		"img": "https://archive.orkl.eu/9382ba75c87114e56b460db75ff02adc30663e41.jpg"
	}
}