
Threat Group Cards: A Threat Actor Encyclopedia

Other threat group: Bamboo Spider, TA544

Names: Bamboo Spider (CrowdStrike), TA544 (Proofpoint), Gold Essex (SecureWorks)
Motivation: Financial crime
First seen: 2016
Description: Zeus Panda, also known as Panda Banker or simply Panda, is a banking Trojan derived from the leaked Zeus source code. It was first reported in 2016; a campaign against Brazilian banks around the Olympic Games later that year drew wide attention. Most of its code base comes from the original Zeus, and it retains Zeus's man-in-the-browser (web inject), keystroke logging and form grabbing capabilities. Zeus Panda is delivered through a variety of exploit kits and loaders via drive-by downloads and phishing emails, and its operators have also poisoned search engine results so that banking-related queries lead victims to pages serving the malware. Anti-analysis and stealth features make the malware difficult both to detect and to analyze.

GozNym has been observed to be distributed via the Avalanche botnet.

Zeus Panda has been observed to be distributed by Emotet (operated by Mummy Spider, TA542), Smoke Loader (operated by Smoky Spider), Cutwail (operated by Narwhal Spider) and Kelihos (operated by Zombie Spider).
Observed:
Sectors: Financial, Hospitality, IT, Manufacturing, Retail, Technology.
Countries: Brazil, Canada, Germany, Italy, Japan, Netherlands, Poland, Spain, UK, USA and others.
Tools used: Chthonic, Gozi ISFB, GozNym, Nymaim, Zeus OpenSSL, Zeus Panda, Smoke Loader, URLZone, ZLoader.
Operations performed:
Apr 2016: Attacks against more than 24 U.S. and Canadian banks
Apr 2016: Attacks on banks in Poland
Jun 2016: Attacks on banks in the USA
Jun 2016: LinkedIn information used to spread banking malware in the Netherlands
Jul 2016: Zeus Panda Delivered By Sundown - Targets UK Banks
Aug 2016: Banking Trojan Zeus Panda shambles into Brazil ahead of Olympics
Aug 2016: Attacks on banks in Germany
Oct 2017: Poisoning the Well: Banking Trojan Targets Google Search Results
Dec 2017: Zeus Panda Banking Trojan Targets Online Holiday Shoppers
Mar 2018: Panda Banker Zeros in on Japanese Targets
Jun 2018: Zeus Panda Advanced Banking Trojan Gets Creative to Scam Affluent Victims in Italy
Jul 2018: Emotet infection traffic with Zeus Panda Banker
Aug 2018: "For the past weeks our Threat Intelligence team has been following an extensive campaign, possibly operated by the same group, targeting a large number of financial institutions, cryptocurrency wallets and the occasional Google and Apple accounts."
Mar 2020: Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy
May 2020: Zeus Sphinx Back in Business: Some Core Modifications Arise

Counter operations:
May 2019: GozNym Malware: Cybercriminal Network Dismantled in International Operation

Last change to this card: 07 January 2021



Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
