New Version of Panda Banker Trojan Attacks Japan


Arbor Networks security experts warned about a new threat actor which attacks financial institutions in Japan via the Panda Banker banking trojan (aka PandaBot, Zeus Panda).

The security researchers at Fox-IT first noticed Panda Banker in 2016. According to them, the malware borrows code from the Zeus banking Trojan.

Last November, the creators of Zeus Panda used black Search Engine Optimization (SEO) to offer malicious links in the search results. The main focus of the hackers were the financial-related keyword queries.

The main characteristic of the Panda Banker trojan is its ability to steal users credentials and account numbers. The malware is capable of stealing its victims’ money by implementing “man in the browser” attack.

Panda Banker is sold as a kit on the underground forums, and its latest variant was used in the last attacks against Japan if the version 2.6.6 implements the same features as the previous releases.

“A threat actor using the well-known banking malware Panda Banker (a.k.a Zeus Panda, PandaBot) has started targeting financial institutions in Japan.” the Arbor Networks analysis states.

“Based on our data and analysis this is the first time that we have seen Panda Banker injects targeting Japanese organizations.”

What is interesting about the latest campaign targeting Japan, is the fact that none of the indicators of compromise (IOC) was associated with the previous attacks.

The banking trojan was delivered via malvertising, redirecting the victims to the domains that hosted the RIG-v exploit kit.

The attackers used multiple domains and C&C servers, however, during the time of the analysis, only one of them appeared to be active. The active domain hillaryzell[.]xyz was registered to a Petrov Vadim and the associated email address was

Apart from Japan, the recent malware campaign also attacked websites in the United States, search engines, social media websites, an email site, a video search engine, an online shopping site, and an adult content hub.

“The threat actor named this campaign “ank”.” the analysis reads. “At the time of research, the C2 server returned 27 webinjects that can be broken down into the following categories:

  • 17 Japanese banking websites mostly focusing on credit cards
  • 1 US based web email site
  • 1 US based video search engine
  • 4 US based search engines
  • 1 US based online shopping site
  • 2 US based social media sites
  • 1 US based adult content hub”

The webinjects which were employed in the campaign use the Full Info Grabber automated transfer system (ATS) to steal account information and user credentials.

Nelly Vladimirova
Nelly Vladimirova has been working as a journalist since 1998 with a main focus on Finance, Economics, and IT. In 2004 she graduated the University of Plovdiv, Bulgaria, as a Bachelor in English Philology and Master in Linguistics and Translation. Later, Nelly received a postgraduate certificate in Business Management from Scott's College, UK. Presently, she is presenting the latest news related to computer security at


Please enter your comment!
Please enter your name here

Time limit is exhausted. Please reload CAPTCHA.