{
	"id": "bc2a1dc3-ba2a-486a-8e67-d0cf9f675782",
	"created_at": "2026-04-06T00:10:56.528091Z",
	"updated_at": "2026-04-10T03:20:21.542544Z",
	"deleted_at": null,
	"sha1_hash": "a8f18372aa61eb15a7d97605ce040c745997d311",
	"title": "Panda Malware Broadens Targets to Cryptocurrency Exchanges and Social Media",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86872,
	"plain_text": "Panda Malware Broadens Targets to Cryptocurrency Exchanges\r\nand Social Media\r\nBy Authors \u0026 ContributorsDoron Voolf (Author)Malware Analyst, F5About DoroncloseAll Articles\r\nArchived: 2026-04-05 18:29:10 UTC\r\nSeven years after it first appeared, the Zeus banking trojan is still active through its latest spin-off: Panda. Panda,\r\nfirst discovered in early 2016 by Fox IT and later analyzed by Proofpoint,1 spreads through phishing attacks and\r\ntargets Windows operating systems (OS). Its main attack techniques include web injects, screen shots of user\r\nactivity (up to 100 per mouse click), logging of keyboard input, Clipboard pastes (to grab passwords and paste\r\nthem into form fields), and exploits to the Virtual Network Computing (VNC) desktop sharing system. All of these\r\nattack methods are supported by ATSEngine,2 which Ramnit, another prolific banking trojan, also used in its 2017\r\nholiday campaign.\r\nPanda is primarily focused on financial services organizations, but it is expanding its industry targets with\r\neach new campaign.\r\nPanda was heavily focused on cryptocurrency sites in February.\r\nPanda is currently targeting Facebook and Twitter in all three campaigns active in May.\r\nThere are different C\u0026Cs for each campaign, three of which are connected through a known threat actor\r\nnetwork in Russia, the fourth is hosted in China.\r\nWe analyzed four campaigns that were active between February and May of 2018. The three May campaigns are\r\nstill active at the time of this writing. Two of the four campaigns are acting from the same botnet version but have\r\ndifferent targets and different command and control (C\u0026C) servers.\r\nPanda is still primarily focused on targeting global financial services, but following the worldwide cryptocurrency\r\nhype, it has expanded its targets to online cryptocurrency exchanges and brokerage services. 
Social media, search,\r\nemail, and adult sites are also being targeted by Panda.\r\nFigure 1: Panda campaign targets by industry\r\nThe campaigns that targeted Italian, US, and Canadian financial organizations were the same ones that targeted\r\ncryptocurrency sites. The campaign that focused on Japanese financial organizations had the broadest set of\r\nindustry targets. Across all campaigns in May, the same social media, search, email, ecommerce, and tech\r\nproviders were targeted.\r\nFigure 2: Panda industry targets by campaign\r\nAdult sites were also targeted by Panda in May. We have been seeing an expansion of banking trojan targets into\r\nother industries that collect payment information and other forms of personally identifiable information (PII), so\r\nhttps://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media\r\nPage 1 of 8\n\nthis behavior is not surprising given the size of the adult industry and potential revenue generation for fraudsters.\r\nFebruary Campaign - Botnet “Onore2” Targets Italian Financial Services and Cryptocurrency\r\nSites Equally\r\nThe Panda configuration we analyzed from February was marked as botnet “onore2.” This campaign leverages the\r\nsame attack techniques as previously described, and it is able to keylog popular web browsers and VNC in order\r\nto hijack user interaction sessions and steal personal information.\r\nFigure 3: Italian campaign, botnet Onore2 dynamic configuration\r\nThe Onore2 campaign targeted two industries: financial services and cryptocurrency sites. The majority of the\r\ntargets were financial services sites in Italy at 51%, followed closely by cryptocurrency targets used worldwide at\r\n49%.\r\nFigure 4: The February Panda Onore2 campaign targeted Italian financial services and cryptocurrency sites\r\nThe cryptocurrency sites Panda focused on in February were primarily targeted through screenshots versus the\r\ntypical web inject. 
We assume this was to document and spy on user interaction with cryptocurrency accounts, alongside\r\nthe web injection list. The list of cryptocurrency sites targeted includes but is not limited to:\r\nAnycoindirect.eu\r\nBtcc.com\r\nBitstamp.net\r\nBethumb.com\r\nBitpanda\r\nBitbey.net\r\nBity.com\r\nBlockchain.info\r\nCex.io\r\nCoinbase.com\r\nCoinsbank.com\r\nCryptocompare.com\r\nExmo.com\r\nGatecoin.com\r\nGdax.com\r\nHitbtc.com\r\nHolytransaction.com\r\nKraken.com\r\nLitebit.eu\r\nLivecoin.net\r\nLocalbitcoins.com\r\nMinergate.com\r\nOkcoin.com\r\nSlushpool.com\r\nThe financial services sites included in the Onore2 campaign were targeted through webinjects and socks. They\r\nincluded but were not limited to:\r\nAllianzbank.it\r\nBcc.it\r\nBnl.it\r\nBancacrfirenze.it\r\nBancagenerali.it\r\nBankingforyou.it\r\nCarifvg.it\r\nCaript.it\r\nCedacri.it\r\nCredem.it\r\nCsebo.it\r\nIcb.mps.it\r\nInbank.it\r\nPoste.it\r\nRelaxbanking.it\r\nTecmarket.it\r\nCommand and Control (C\u0026C) Servers\r\nThe C\u0026C server for this campaign is: hxxps://0a109ec2ab47[.]com/. Note the use of HTTPS for the malware\r\nphoning home through encryption to hide its exploits from traditional intrusion inspection controls.\r\nFigure 5: Italian campaign C\u0026C Whois\r\nThe domain is registered through Namesilo.com to a registrant with a fake address in the US, and an email contact\r\nat minex-coin.com. Minex-coin is also registered with Namesilo.com, but the Whois is privacy protected. 
The\r\nname servers are in Russia: samara.ens.mail.ru under a provider (ASN 47764) that comes up often in F5 Labs’\r\nthreat research.\r\nMay Campaign - Botnet “2.6.8” Targets US Financials\r\nThe latest sample analyzed from May 1, 2018 was marked as botnet “2.6.8”. Comparing this botnet configuration\r\nto the Onore2 campaign and the other 2.6.8 campaign targeting Japanese financials (see next section), it has a\r\ndifferent C\u0026C address and a different “keylog_process” entry: instead of adding the Internet browsers, “putty.exe” was added.\r\nFigure 6: US campaign “2.6.8” dynamic configuration\r\nThis is not the first time Panda has targeted US-based financial organizations. This campaign had targets in 8\r\nindustries, 76% of which were US financial organizations. This campaign also targeted half a dozen Canadian\r\nfinancial organizations, followed by cryptocurrency sites, global social media providers, search and email\r\nproviders, payroll, entertainment, and tech providers.\r\nFigure 7: May Panda campaign “2.6.8” targets US and Canadian financial services, social media, search and\r\nemail providers, cryptocurrency sites, and payroll sites\r\nPanda is hitting the typical large financial targets in the US, such as:\r\nAdp.com\r\nBankofamerica.com\r\nCiti.com\r\nPaychex.com\r\nWellsfargo.com\r\nThe Canadian financial organizations targeted are:\r\nbmo.com\r\ndesjardins.com\r\nroyalbank.com\r\nscotiabank.com\r\nThe cryptocurrency sites targeted are:\r\nBlockchain.info\r\nbbt.com\r\nThis campaign is also targeting major social media platforms like Facebook and Instagram, as well as messaging\r\napps like Skype, and entertainment platforms like Youtube. Additionally, Panda is targeting Microsoft.com,\r\nbing.com, and msn.com.\r\nC\u0026C Server\r\nThe C\u0026C server for this campaign is: hxxps://adshiepkhach[.]top/. 
Note the use of HTTPS again to hide from\r\ntraditional intrusion inspection controls.\r\nThe registrant is in Russia. The domain for the email contact is bk.ru, which is owned by the same ASN 47764\r\nthat continually comes up in our threat research.\r\nFigure 8: US Campaign C\u0026C Whois\r\nMay Campaign - Botnet “2.6.8” Also Targets Japanese Financials\r\nThis sample was also analyzed from May 1, 2018 and was also marked as botnet “2.6.8”. Comparing the two\r\nbotnet configurations, there is an interesting change: when Zeus.Panda is targeting Japan, the authors configured it to\r\nremove the Content Security Policy (CSP) headers (remove_csp - 1). The CSP header is a security standard for preventing\r\ncross-site scripting (XSS), clickjacking and other code injection attacks that could execute malicious code from an\r\notherwise trusted site.3\r\nFigure 9: Japan campaign “2.6.8” dynamic configuration\r\nIn parallel with the US targeted campaign, this Panda campaign is targeting the following Japanese financial\r\nservices organizations, most of which are credit card providers:\r\nsaisoncard.co.jp\r\nidemitsucard.com\r\nmufg.jp\r\naeon.co.jp\r\nlifecard.co.jp\r\npocketcard.co.jp\r\ncedyna.co.jp\r\neposcard.co.jp\r\norico.co.jp\r\nrakuten*.co.jp\r\nsmbc-card.com\r\nThis campaign also targets the ecommerce giant Amazon; entertainment platform Youtube; Microsoft.com,\r\nLive.com, Yahoo.com, Google.com, likely targeting email accounts; the social media leaders Facebook and\r\nTwitter; as well as a Japanese adult site Dmm.co, and Pornhub.\r\nFigure 10: May Panda “2.6.8” campaign targets Japanese financial services, search and email providers, social\r\nmedia, and adult sites\r\nC\u0026C Server\r\nThe C\u0026C server for this campaign is: hxxps://antrefurniture[.]top/. 
Again, note the use of HTTPS to hide activity\r\nfrom traditional intrusion inspection controls. It’s also a .top top-level domain (TLD) like the US campaign.\r\nSpamhaus.org says 40% of .top TLDs are used for abusive purposes.4\r\nThe registrant is also in Russia, and the domain for the email contact is bk.ru like the US campaign, which again is\r\nowned by ASN 47764 that continually comes up in F5 Labs’ threat research.\r\nFigure 11: Japan campaign C\u0026C Whois\r\nMay Campaign - Botnet “Cosmos3” Targets Latin America Financial Services\r\nThe third parallel attack campaign, marked as botnet “cosmos3,” is currently active and targeting financial\r\ninstitutions in Latin America.\r\nFigure 12: LATAM campaign “Cosmos3” dynamic configuration\r\nThis campaign primarily focused on banks in Argentina, Colombia, and Ecuador, followed by the same social\r\nmedia (Facebook, Twitter, Instagram, Flickr), search, email (MSN, Bing), entertainment (YouTube) and tech\r\nprovider (Microsoft) targets as the other campaigns.\r\nFigure 13: May Panda “Cosmos3” campaign targets LATAM financial services, social media, search, email, and\r\ntech providers\r\nThe Latin American targets in this campaign are:\r\navvillas.com.co\r\nbbvanet.com.co\r\nbancodebogota.com\r\nbancocredicoop.coop\r\nbancopatagonia.com.ar\r\nbanco.colpatria.com.co\r\ndavivienda.com\r\npichincha.com\r\nsantanderrio.com.ar\r\ntransaccionesbancolombia.com\r\nC\u0026C Server\r\nThe C\u0026C server for this campaign is: hxxps://cotrus[.]co/. Note the use of HTTPS again to hide from traditional\r\nintrusion inspection controls.\r\nThe domain is registered in China. 
The email registrant domain GMZ.com resolves to the German service\r\nprovider 1\u00261.\r\nFigure 14: LATAM campaign C\u0026C Whois\r\nQA in Production Tests\r\nContinual maintenance is required to keep the fraud operations going and making money. Like any business, this\r\ninvolves testing, and sometimes testing in production, as we saw in this campaign where the threat actors were\r\ninfecting computers with different versions of the configuration.\r\nThis testing in production was against campaign 2.6.1 and had minor changes from the Onore2 campaign:\r\n“onore2” botnet was configured to grab cookies and cache\r\n“2.6.1” was marked to delete cookies and cache\r\nGrabber pause was marked 2, which indicates how long the Panda grabber will wait before starting\r\nthe actual module.\r\nGrabber flags:\r\nGrab_del_cookie - 0\r\nGrab_del_cache - 0\r\nFigure 15: QA Test “2.6.1” dynamic configuration\r\nTo make sure the injection was working correctly, the Panda authors tested against an Australian domain. Once the\r\nURL was detected, it sent an injection JS alert “Page Injected!”\r\nFigure 16: QA Injection alert, “Page Injected!”\r\nConclusion\r\nPanda’s expansion beyond traditional banking targets is following the trend we noticed during the 2017 holiday\r\nseason.5 This is the first campaign we have seen targeting cryptocurrency sites, but it’s a move that makes sense,\r\ngiven the popularity of cryptocurrency. Running simultaneous campaigns against several regions and industries around the\r\nworld indicates these are highly active threat actors, and we expect their efforts to continue with\r\nmultiple new campaigns coming out as their current efforts are discovered and taken down. 
We will continue to\r\nlook for patterns by monitoring this activity and the networks and services from which they are choosing to launch\r\ntheir activities. In the meantime, we highly recommend all businesses maintain up-to-date patches on endpoints\r\nand ensure AV controls are continuously updated so their systems don’t get infected with this malware. To protect\r\nyour business from infected consumers that cause costly fraud investigations, monetary returns, and so on, we\r\nrecommend instituting advanced web fraud protections because this customized security control is not just for\r\nbanks anymore!\r\nIndicators of Compromise\r\nMD5\r\nItaly and cryptocurrencies targets — e9d881b40d94a541b11fad44f1efbb7c\r\nUSA — 35a7e666942eb0c70e73d5dc502a97d2\r\nJapan — 3b78b983ed00cfa580c0b1c9beda4ca2\r\nLatin America — 8822dc8e66b51344b623c6cd29a91db1\r\nQA in production — 5d4c4668567b0b3321b0125779bdb3ae\r\nC\u0026C servers\r\nItaly: hxxps://0a109ec2ab47[.]com\r\nUS: hxxps://adshiepkhach[.]top\r\nJapan: hxxps://antrefurniture[.]top\r\nLatin America: hxxps://cotrus[.]co\r\nSource: https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media"
	],
	"report_names": [
		"panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media"
	],
	"threat_actors": [],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775791221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8f18372aa61eb15a7d97605ce040c745997d311.pdf",
		"text": "https://archive.orkl.eu/a8f18372aa61eb15a7d97605ce040c745997d311.txt",
		"img": "https://archive.orkl.eu/a8f18372aa61eb15a7d97605ce040c745997d311.jpg"
	}
}