Panda Banker

Panda Banker, a Zeus-like banking trojan, was first reported by ProofPoint researchers in April 2016. This trojan targets users through malicious email attachments and via the Angler, Nuclear, and Neutrino exploit kits. It uses an Automatic Transfer System (ATS) – a banking web inject that automates online banking portal actions – against UK and Australian banks. The trojan uses an ATS/injects panel to show and monitor the status of grabber modules, ATS options, intercepts, and known infected machines. In August 2016, researchers discovered an email campaign in which the emails claimed to be from legitimate banks but contained malicious links leading to Microsoft Word documents with macros that, if enabled, downloaded Panda Banker. The email was translated into Dutch, German, Italian, and English. The trojan used web injects to intercept online banking traffic and modify banking sites on infected devices to carry out man-in-the-browser (MitB) attacks. The injects were used against Dutch, Italian, and German banks, and UK online casinos and international online payment systems.


  • August 2016: Panda Banker email campaign against several verticals. (ProofPoint)
  • November 2017: Threat actors leveraged Search Engine Optimization to convince users to click on a links that redirect them and downloads a Word document onto their machine. If the user enables Macros on the document, Panda Banker is installed. (Cisco Talos)
  • December 2017: Zeus Panda Banking Trojan Targets Online Holiday Shoppers. (Proofpoint)
  • May 2018: Panda Banker Campaign Hits U.S. Banks. (Security Week)

Technical Details

  • ProofPoint provides technical analysis, including IOCs, on the Panda Banker, available here.

One example of the Panda Banker variant. Image Source: Proofpoint