Panda Banking Trojan Diversifies into Cryptocurrency, Porn, Other Targets

The Panda banking trojan, a spin-off from the infamous Zeus malware, is widening its net to attack more than just financial services targets, as seen in three ongoing campaigns discovered in May.

The Windows-focused Panda is far from the cuddly thing its name would suggest. It has a full arsenal of attack techniques, which include web injects, taking screenshots (up to 100 per mouse-click), keylogging, the ability to grab passwords from the clipboard and paste them into form fields and exploits for the Virtual Network Computing desktop-sharing system.

First seen in 2016 as one of the many variants that cropped up in the wake of the Zeus source code being leaked, Panda has more than adequately fulfilled its function as a banking trojan since then, looking to harvest and use credentials for online banking, payment and other financial portals.

Three New Active Campaigns

However, in three active campaigns spotted this month by F5 Labs, Panda has been observed attacking online cryptocurrency exchanges and brokerage services, social media and adult sites, among others. F5 researcher Doron Voolf postulated that the sheer size of these other industries translates to a siren song of potential revenue generation for fraudsters.

“Adult sites were also targeted by Panda… We have been seeing an expansion of banking trojan targets into other industries that collect payment information and other forms of personally identifiable information (PII), so this behavior is not surprising,” he said, in an analysis posted on Wednesday. “[T]his behavior is not surprising given the size of the adult industry and potential revenue generation for fraudsters.”

All three of the offensives (active in the U.S., Japan and Latin America) are propagating via Facebook and Twitter phishing attacks, and all three have added the same new targets to the mix, the researchers noted. However, there are different C2s for each campaign. Two of the attacks are acting from the same botnet version. Botnet 2.6.8 was found spreading Panda in both the U.S. and Japan.

The U.S. campaign so far has targets in eight industries. While 76 percent of the attacked services are for U.S. financial organizations such as Citibank and Wells Fargo, the actors behind the campaign have also added half a dozen Canadian financial organizations as targets. That’s followed notably by cryptocurrency sites. Also targeted are global social-media providers Facebook and Instagram along with MSN and, payroll companies, entertainment services (YouTube) and others, Voolf said.

“This campaign also targets the ecommerce giant Amazon; entertainment platform Youtube;,,,, likely targeting email accounts; the social media leaders Facebook and Twitter; as well as a Japanese adult site Dmm[.]co, and Pornhub,” researchers wrote.

In both of the initiatives, F5 said that the registrant is via a known threat actor network in Russia, and the domain for the email contact is, which is owned by ASN 47764 – an entity that Voolf said continually comes up in F5’s threat research.

As for the Latin American campaign, it’s primarily focused on banks in Argentina, Columbia and Ecuador. That is followed by similar social media targets (Facebook, Twitter, Instagram and Flickr) as well as MSN,, YouTube and Microsoft.

F5 said the botnet behind the Latin American campaign is called Cosmos3. Researchers note, while the domain is registered in China, the email registrant domain is and resolves to the German service provider 1&1.

Across all three campaigns, just 64 percent of targets were financial services targets. Cryptocurrency exchanges made up 26 percent. That’s a big change for this kind of malware, Voolf said.

“This is the first [Panda] campaign we have seen targeting cryptocurrency sites, but it’s a move that makes sense, given the popularity of cryptocurrency,” he concluded. “This act of simultaneous campaigns targeting several regions around the world and industries indicates these are highly active threat actors, and we expect their efforts to continue with multiple new campaigns coming out as their current efforts are discovered and taken down.”

Panda isn’t the first banking trojan to turn its interest to cryptocurrency; IBM X-Force noted in February that the TrickBot trojan has been diversifying its interests as well.



‘DayZ’ Creative Director Brian Hicks Is Leaving Bohemia Interactive

“DayZ” creative director Brian Hicks is leaving developer Bohemia Interactive, he announced in a status report on Tuesday.

“I feel ‘DayZ’ has reached a point in which I, much like how [‘DayZ’ creator Dean Hall] felt years back — am no longer needed,” he wrote in a farewell message to fans.

Hicks said he’d been slowly taking more and more of a back seat during development of “DayZ’s” .63 update. “Over that year I have made plans for what is next for me and worked for free with Peter Nespešný in a design consultant role,” he added.

“DayZ” is an open-world online survival game based on an “Arma 3” mod created by Hall. It’s now in early access alpha on Steam. The .63 update will bring a number of changes and will officially launch the game’s beta testing phase.

“I won’t lie — it hasn’t been easy, and there have been times where Peter and I both were uncertain about how .63 would be received, or how it would perform under full-scale load,” Hicks said. “I don’t want to be a broken record — but I am so happy that all of those concerns have been washed away.”

Hicks said he’s played 7,000 hours of “DayZ” between two accounts, which makes it hard to just walk away. But, he said he’s looking forward to opportunities back home in the U.S. and being closer to family.

“I have to thank Brian for his contribution to ‘DayZ’ over the years and wish him the best in his future endeavors. His passion is an inspiration to many. And I’m pretty sure we will be seeing each other in ‘DayZ’ all the time,” said lead producer Eugen Harton. “I know we both wish for the game to grow and improve and finally testing the 0.63 has been a step in the right direction although a lot of work remains to be done.”