The Pony trojan is best known for its involvement in stealing $200,000 in Bitcoin and other virtual currencies between 2013 and 2014, after its source code was released in the summer of 2013. The trojan is typically spread through spam campaigns, with the malware hidden in an executable file, a document such a PDF or Microsoft Office document, or a malicious link in the email. The spam messages typically use a money transfer or overdue invoice notice theme to manipulate the user. The Pony trojan employs obfuscation techniques that causes security tools to improperly read the malware code, as well as tactics to delay execution of the malware. It is often used as a downloader for other malware, and was most recently observed spreading the RAA ransomware variant in June and CryptoWall 4.0 in December 2015.


  • February 2014: The Pony Botnet was involved in the theft of $200,000 in digital currency and 700,000 usernames and passwords. (Threatpost)
  • December 2015: A cybercrime group reportedly combined the Pony trojan with Angler exploit kit and CryptoWall ransomware. (ComputerWorld)
  • June 2016: The Pony trojan was discovered delivering the RAA ransomware variant. (Bleeping Computer

Technical Details

  • InfoSec Institute provides technical details on the Pony trojan, available here.

One example of the Pony trojan. Image source: Malwarebytes