{
	"id": "65f2c5fe-a710-448f-823d-192256eb1c17",
	"created_at": "2026-04-06T00:12:01.431497Z",
	"updated_at": "2026-04-10T13:11:40.898237Z",
	"deleted_at": null,
	"sha1_hash": "f3275a8739c9c404a94c9081db7533da0b84430d",
	"title": "Zeus Panda - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59007,
	"plain_text": "Zeus Panda - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 12:39:56 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Zeus Panda\n Tool: Zeus Panda\nNames\nZeus Panda\nZeusPanda\nPandaBanker\nCategory Malware\nType Banking trojan, Info stealer, Credential stealer, Downloader, Botnet\nDescription\n(Proofpoint) Banking Trojans work by injecting code into web pages as they are viewed\non infected machines, allowing the malware to harvest banking credentials and credit\ncard information as victims interact with legitimate sites. Most often, the injects -- the\ncode that actually performs the man-in-the-browser attacks -- are configured for region-specific banking sites. More recently, we have seen injects for online payment sites,\ncasinos, retailers, and more appearing in banking Trojan campaigns.\nSince November -- a period of time that includes Thanksgiving, Black Friday, Cyber\nMonday and now leading up to Christmas -- we have observed Zeus Panda banking\nTrojan campaigns that have an increasing focus on non-banking targets with an\nextensive list of injects clearly designed to capitalize on holiday shopping and activities.\nInformation\n\nbanks\u003e\nMITRE ATT\u0026CK Malpedia AlienVault OTX Last change to this tool card: 28 December 2022\nDownload this tool card in JSON format\nAll groups using tool Zeus Panda\nChanged Name Country Observed\nOther groups\n Bamboo Spider, TA544 [Unknown] 2016-Apr 2022\n TA516 [Unknown] 2016-Feb 2020\n2 groups listed (0 APT, 2 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=863ac646-bf1b-4f62-8a85-7b4569a88808\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=863ac646-bf1b-4f62-8a85-7b4569a88808\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=863ac646-bf1b-4f62-8a85-7b4569a88808"
	],
	"report_names": [
		"listgroups.cgi?u=863ac646-bf1b-4f62-8a85-7b4569a88808"
	],
	"threat_actors": [
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03a8107a-f669-41af-ba79-41b1cbdc4654",
			"created_at": "2023-01-06T13:46:39.228649Z",
			"updated_at": "2026-04-10T02:00:03.25247Z",
			"deleted_at": null,
			"main_name": "BAMBOO SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BAMBOO SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b34a837-9f3f-4451-b8bf-adf424655df5",
			"created_at": "2023-01-06T13:46:39.310096Z",
			"updated_at": "2026-04-10T02:00:03.283332Z",
			"deleted_at": null,
			"main_name": "TA516",
			"aliases": [],
			"source_name": "MISPGALAXY:TA516",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aeda543e-ce27-41a9-9719-d6e2941b7dbf",
			"created_at": "2022-10-25T16:07:24.57632Z",
			"updated_at": "2026-04-10T02:00:05.038892Z",
			"deleted_at": null,
			"main_name": "TA516",
			"aliases": [
				"SmokingDro"
			],
			"source_name": "ETDA:TA516",
			"tools": [
				"AZORult",
				"AndroKINS",
				"Chthonic",
				"Dofoil",
				"PandaBanker",
				"PuffStealer",
				"Rultazo",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader",
				"Zeus Panda",
				"ZeusPanda"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434321,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3275a8739c9c404a94c9081db7533da0b84430d.pdf",
		"text": "https://archive.orkl.eu/f3275a8739c9c404a94c9081db7533da0b84430d.txt",
		"img": "https://archive.orkl.eu/f3275a8739c9c404a94c9081db7533da0b84430d.jpg"
	}
}