{
	"id": "3855e6fd-11dc-4713-96eb-ceede89d3969",
	"created_at": "2026-04-06T00:16:03.260831Z",
	"updated_at": "2026-04-10T13:11:50.486207Z",
	"deleted_at": null,
	"sha1_hash": "f2bfb6a528b3716548ca13692b4791521b929040",
	"title": "Panda Banker Zeros in on Japanese Targets | NETSCOUT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58148,
	"plain_text": "Panda Banker Zeros in on Japanese Targets | NETSCOUT\r\nArchived: 2026-04-05 16:36:55 UTC\r\nKey Findings\r\nA threat actor using the well-known banking malware Panda Banker (a.k.a. Zeus Panda, PandaBot) has started targeting financial institutions in Japan.\r\nBased on our data and analysis, this is the first time that we have seen Panda Banker injects targeting Japanese organizations.\r\nIt is likely that a new campaign or actor has started using Panda Banker since, in addition to the previously unseen Japanese targeting, Arbor has not seen any indicator of compromise (IOC) overlaps with previous Panda Banker campaigns.\r\nThe sample used in this campaign was the first sample we observed in the wild to use the newest version of Panda Banker, version 2.6.6.\r\nOverview\r\nPanda Banker is based on the Zeus malware family. One of its main functions is stealing user credentials, account numbers, and ultimately money from financial institutions. It does this by using a technique known as “man in the browser” along with “webinjects” that specify which websites to target and how. This banking malware was first seen in the wild at the beginning of 2016 (version 2.1.x) and has had consistent, incremental development since then. While some details have changed, our “Who Let the Pandas Out? Zeus, Zeus, Zeus, Zeus” blog post is still a good introduction to the technical details of the malware. Panda Banker is sold as a kit on underground forums, so there are multiple users of the malware. Cybercrime threat actors tend to focus their campaigns on particular countries, usually depending on their ability to convert stolen credentials and account details from those locations into real money. Over the years we’ve seen Panda Banker campaigns focus on financial institutions in Italy, Canada, Australia, Germany, the United States, the United Kingdom, and now Japan.\r\nCampaign Analysis\r\nA new version of Panda Banker, version 2.6.6, was observed being distributed in the wild on March 26th:\r\nSHA256: 8db8f6266f6ad9546b2b5386a835baa0cbf5ea5f699f2eb6285ddf401b76ccb7\r\nCompilation date: 2018-03-26 09:54:57\r\nWhile we didn’t see any significant changes to the malware itself (possibly just a “bug fix” release), the campaign using this sample stood out for two reasons:\r\n1. No IOC overlap with any previous Panda Banker campaigns that we’ve seen.\r\n2. Webinjects targeting Japan, a country we haven’t seen targeted by Panda Banker before.\r\nCommand \u0026 Control (C2)\r\nThe C2 servers configured for this sample are listed below:\r\nhttps://www.netscout.com/blog/asert/panda-banker-zeros-japanese-targets\r\nPage 1 of 3\r\nhttps://hillaryzell[.]xyz/1wekenauhivwauvaxquor.dat\r\nhttps://buscamapa1[.]top/2yrfuupcovylaawubitvy.dat\r\nhttps://buscamapa2[.]top/3toaxkatoindyepidikuv.dat\r\nhttps://buscamapa3[.]top/4heequktuepahvoyfofit.dat\r\nhttps://buscamapa4[.]top/5ufyfegtuobekpykobeul.dat\r\nhttps://buscamapa5[.]top/6lubanuoxapywinlaokow.dat\r\nAt the time of research, only hillaryzell[.]xyz was operational, and it was registered to a “Petrov Vadim” using an email address of “yalapinziw@mail.ru”.\r\nCampaign Name\r\nThe threat actor named this campaign “ank”.\r\nWebinjects\r\nAt the time of research, the C2 server returned 27 webinjects that can be broken down into the following categories:\r\n17 Japanese banking web sites, mostly focusing on credit cards\r\n1 US-based web email site\r\n1 US-based video search engine\r\n4 US-based search engines\r\n1 US-based online shopping site\r\n2 US-based social media sites\r\n1 US-based adult content hub\r\nAn example, redacted webinject for this campaign looks like the following:\r\n[Figure: Example webinject targeting Japan.]\r\nThe webinjects in this campaign make use of a “grabber” / automated transfer system (ATS) known as “Full Info Grabber” to capture credentials and account information. As can be seen in the figures above, the threat actor is using a path of “jpccgrab”, possibly meaning “Japanese credit card grabber”. Given the targeting, this name makes some sense.\r\nDistribution (update March 28, 2018)\r\nSecurity researcher kafeine has released more details on how this threat is being distributed in the wild: a malicious advertisement (malvertising) is redirecting victims to a RIG exploit kit which is distributing the Panda Banker malware.\r\nConclusion\r\nJapan is no stranger to banking malware. Based on recent reports, the country has been plagued by attacks using the Ursnif and Urlzone banking malware. This post was our first analysis of the first Panda Banker campaign that we’ve seen target financial institutions in Japan.\r\nSource: https://www.netscout.com/blog/asert/panda-banker-zeros-japanese-targets",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.netscout.com/blog/asert/panda-banker-zeros-japanese-targets"
	],
	"report_names": [
		"panda-banker-zeros-japanese-targets"
	],
	"threat_actors": [],
	"ts_created_at": 1775434563,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2bfb6a528b3716548ca13692b4791521b929040.pdf",
		"text": "https://archive.orkl.eu/f2bfb6a528b3716548ca13692b4791521b929040.txt",
		"img": "https://archive.orkl.eu/f2bfb6a528b3716548ca13692b4791521b929040.jpg"
	}
}