Kronos is a banking trojan first seen in 2014 and reemerged in November 2016, distributed through email campaigns. In a campaign on November 8, the trojan was delivered with links leading to the RIG-V exploit kit and a redirect to a ZIP-compressed .pif for Smoke Loader, used to download additional malware, and the ZeuS trojan. On November 10 and 14, researchers at Proofpoint observed email campaigns, each tens of thousands of messages, targeting hospitality, higher education, financial services, and healthcare organizations. The primary targets were in the United Kingdom and North America. The emails contain document attachments claiming association with Microsoft SharePoint. Clicking the link downloads the document containing a malicious macro to download Kronos. The trojan receives tasks to download additional payloads that contain two Smoke Loader and ScanPOS malware payloads. ScanPOS is a point-of-sale malware capable of exfiltrating credit card numbers found by searching the memory of running processes. The campaigns distributing ScanPOS heavily targeted the hospitality sector. As of November 2016, Kronos was available for purchase in the Underground forum for $7,000 with a one week test for $1,000.


  • July 2014: Kronos trojan is stealing financial information from online banking websites. (PCWorld)
  • November 2016: Kronos banking trojan used to deliver new point-of-sale malware. (Proofpoint)
  • July 2018: A new version of Kronos banking trojan has been discovered using Tor-hosted C&C control panels, with campaigns targeting Germany, Japan, and Poland. (Proofpoint)

Technical Details

  • Proofpoint provides technical analysis of the Kronos banking trojan, here.

One example of the Kronos variant. Image Source: Proofpoint

Trojan VariantsNJCCICKronos