A Wave of New ‘Panda Stealer’ Strain Infections Troubling Crypto-Holders

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

There’s a new crypto-stealer circulating out there called ‘Panda Stealer.’ According to researchers at Trend Micro, it is a modified fork of ‘Collector Stealer,’ following the same file-less approach to evade AV detection. According to telemetry data analyzed by the security company, the new wave of attacks targets mostly the United States, Australia, Japan, and Germany.

Comparison between Collector Stealer and Panda Stealer, Source: Trend Micro

The distribution method is spam emails that involve some form of business quote requests and have Excel file attachments. These files are laced with malicious macros that download a loader, and finally, that loader fetches and executes ‘Panda Stealer.’ Alternatively, there are attachments of Excel files containing a formula that utilizes a PowerShell command, accesses the paste.ee service, runs a second encrypted PowerShell command, hollows a legitimate MSBuild.exe, and replaces it with the Panda Stealer payload (also fetched via paste.ee).

Source: Trend Micro

In terms of capabilities, the Panda Stealer can collect the following data from a compromised system:

The malware drops files under the %Temp% folder, stores them under a random file name, and then packages them before sending them to the C2 server. Trend Micro was able to discover more than 140 C2 servers and over ten download sites - so for a full list, make sure to check out the detailed report.

Source: Trend Micro

In terms of attribution, we’ve had an interesting tip from Morphisec’s CTO, Michael Gorelik, who has indications that ‘Panda Stealer’ is actually linked to the Phobos ransomware group. A month ago, we reported about an update on the way Phobos was being delivered, and we saw a suspiciously similar PowerShell script using base64 encoding to fetch a payload through paste.ee and then perform a string replacement to a hollowed MSBuild.exe process.

Gorelik believes that malicious actors are now treating info stealers as a standard space to maintain a presence in due to the value spikes that the cryptocurrency universe is going through at the moment. Thus, hackers are quick to adapt and use their existing arsenal with trusted methods to create powerful info stealers and grab a piece of the pie. Morphisec reports that over the last 12 months, 31% of all attempted endpoint attacks came from info stealers.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: