{
	"id": "dbf64722-f652-4001-8687-d23467bddfc7",
	"created_at": "2026-04-06T00:18:05.058149Z",
	"updated_at": "2026-04-10T03:22:02.75896Z",
	"deleted_at": null,
	"sha1_hash": "cd4c9841b9fca71d95c6814a1a92ceb65e7a580a",
	"title": "Malware | PandaZeuS’s Christmas Gift: Change in the Encryption scheme",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1003207,
	"plain_text": "Malware | PandaZeuS’s Christmas Gift: Change in the Encryption scheme\r\nArchived: 2026-04-05 16:12:17 UTC\r\nIntroduction\r\nSpamhaus Malware Labs - Spamhaus's malware research unit - recently observed a wave of new PandaZeuS malware samples being distributed during the Christmas season. PandaZeuS, also known as Panda Banker, is an ebanking Trojan that evolved from the notorious ZeuS trojan and is used by different threat actors to compromise ebanking credentials, which cybercriminals then use to commit ebanking fraud.\r\nLooking into two recent PandaZeuS campaigns that were spread just before Christmas revealed that the most recent version of PandaZeuS comes with a few minor changes. An important one is the change in the encryption scheme of PandaZeuS’s Base Config. While PandaZeuS still uses the RC4 binary encryption scheme, it comes with some tiny modifications. First of all, the version number of PandaZeuS was updated to 2.6.1:\r\n[Screenshot: new version 2.6.1]\r\nIn the previous version, the base config was AES-256-CBC and RC4 encrypted. While this is still the case for the most recent version of PandaZeuS, a slight modification to RC4 has been made:\r\nhttps://www.spamhaus.org/news/article/771/\r\nPage 1 of 6\r\n[Screenshot: PandaZeuS code snippet]\r\nThe screenshot above documents the changes made by the developers of PandaZeuS to the code:\r\n1. The initial key stream array (the RC4 state) is initialised with the key\r\n2. The state array is modified 4 * 30 times and the keystream value is discarded\r\n3. Reusing the previous indexes, the state array is modified and the keystream value obtained is XORed with the encrypted byte.\r\nThis can be represented in Python code as:\r\n# initialisation (not shown in the screenshot): identity permutation, j = 0\r\nS = list(range(256))\r\nj = 0\r\n# 1. standard RC4 key-scheduling algorithm (KSA)\r\nfor i in range(256):\r\n    j = (j + S[i] + ord(key[i % len(key)])) % 256\r\n    S[i], S[j] = S[j], S[i]\r\n\r\n# 2. PandaZeuS modification: run the PRGA 4 * 30 times and discard the keystream\r\ni = j = 0\r\nfor x in range(0, 30 * 4):\r\n    i = (i + 1) % 256\r\n    j = (j + S[i]) % 256\r\n    S[i], S[j] = S[j], S[i]\r\n\r\n# 3. continue the PRGA from the same i, j and XOR the keystream with each encrypted byte\r\nout = bytearray()\r\nfor p in data:\r\n    i = (i + 1) % 256\r\n    j = (j + S[i]) % 256\r\n    S[i], S[j] = S[j], S[i]\r\n    out.append(p ^ S[(S[i] + S[j]) % 256])\r\nWhile we can only speculate about the reason for this minor change in the encryption scheme of PandaZeuS, we suspect the intent behind this code change is to break the malware extractors used by malware researchers to extract botnet controllers from PandaZeuS malware samples.\r\nLooking into sinkhole data of one of these PandaZeuS campaigns shows that the botnet is mainly targeting English-speaking internet users:\r\n[Chart: sinkhole data]\r\nIn addition, the associated botnet domain names are poorly detected:\r\n262d65fc7f47.tk VT detection rate: 2/66\r\n922b031aac47.tk VT detection rate: 3/66\r\nIndicators of Compromise (IOC)\r\nCampaign #1\r\nPandaZeuS botnet controller URLs:\r\nhxxps://922B031AAC47.tk/2egublocatolaubhaqiec.dat\r\nhxxps://262D65FC7F47.tk/3fefavyamzaosanocheyt.dat\r\nhxxps://262D65FC7F98.ml/4uryctexaesleikbosoil.dat\r\nhxxps://262D65FC7F10.ga/5texyiwkuoffokirefeub.dat\r\nhxxps://262D65FC7F98.cf/6huqefeaplefoucvyudow.dat\r\nPandaZeuS botnet controller domain names (blocked by Spamhaus RPZ):\r\n262D65FC7F10.ga\r\n262D65FC7F47.tk\r\n262D65FC7F98.cf\r\n262D65FC7F98.ml\r\n922B031AAC47.tk\r\nPandaZeuS botnet controllers (blocked by Spamhaus BCL):\r\n89.18.27.155\r\n94.156.128.207\r\n155.94.67.27\r\nRelated malware samples (MD5):\r\n0d1150d89f94701b54c7feb81d83a8fd\r\n3e7632e36c96a5be6721f57828dbc7f5\r\nCampaign #2\r\nPandaZeuS botnet controller URLs:\r\nhxxps://gromnes.top/1iqrozoymydfykiabloyx.dat\r\nhxxps://aklexim.top/2pugyomxixiusqoxuvein.dat\r\nhxxps://kichamyn.top/3efqykyfeetraygyhytuz.dat\r\nhxxps://myrasno.top/4tieseqpaowosputoezyl.dat\r\nhxxps://brumnoka.top/5ybveogaqydriumytzaun.dat\r\nhxxps://bqwernod.top/6efudpigoreudtygoedco.dat\r\nPandaZeuS botnet controller domain names (blocked by Spamhaus RPZ):\r\naklexim.top\r\nbqwernod.top\r\nbrumnoka.top\r\ngromnes.top\r\nkichamyn.top\r\nmyrasno.top\r\nPandaZeuS botnet controllers (blocked by Spamhaus BCL):\r\n27.102.67.144\r\n5.8.88.133\r\nRelated malware samples (MD5):\r\n02ac00fe985091b78eaeb64ee697d57f\r\n9be7c5e014c560db231518a13b18dfea\r\na3a4ef76764c9e3e9c91698b7adbd795\r\nb42d194091de01d9645b323cd8ac425f\r\n48e4f66aeb6dcb991ae57ac8294d2911\r\n9ff828a80d8408a1e5533ecc304c7e9e\r\nSource: https://www.spamhaus.org/news/article/771/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.spamhaus.org/news/article/771/"
	],
	"report_names": [
		"771"
	],
	"threat_actors": [],
	"ts_created_at": 1775434685,
	"ts_updated_at": 1775791322,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd4c9841b9fca71d95c6814a1a92ceb65e7a580a.pdf",
		"text": "https://archive.orkl.eu/cd4c9841b9fca71d95c6814a1a92ceb65e7a580a.txt",
		"img": "https://archive.orkl.eu/cd4c9841b9fca71d95c6814a1a92ceb65e7a580a.jpg"
	}
}