Panda Banker

Panda Banker, a Zeus-like banking trojan, was first reported by ProofPoint researchers in April 2016. This trojan targets users through malicious email attachments and via the Angler, Nuclear, and Neutrino exploit kits. It uses an Automatic Transfer System (ATS) – a banking web inject that automates online banking portal actions – against UK and Australian banks. The trojan uses an ATS/injects panel to show and monitor the status of grabber modules, ATS options, intercepts, and known infected machines. In August 2016, researchers discovered an email campaign in which the emails claimed to be from legitimate banks but contained malicious links leading to Microsoft Word documents with macros that, if enabled, downloaded Panda Banker. The email was translated into Dutch, German, Italian, and English. The trojan used web injects to intercept online banking traffic and modify banking sites on infected devices to carry out man-in-the-browser (MitB) attacks. The injects were used against Dutch, Italian, and German banks, and UK online casinos and international online payment systems.


  • August 2016: Panda Banker email campaign against several verticals. (ProofPoint)

Technical Details

  • ProofPoint provides technical analysis, including IOCs, on the Panda Banker, available here.

One example of the Panda Banker variant. Image Source: Proofpoint