New ‘Panda’ Malware Strain is After Your Cryptocoins

A man wearing a panda head holds a large Ethereum coin
(Image credit: Erik Mclean from Pexels)

A new type of malware, dubbed ‘Panda Stealer’ by researchers, is spreading through spam emails and malicious Discord links, and has its sights set firmly on your ever valuable cryptocurrency. According to Trend Micro, the phishing emails appear as business quote requests, with an XLSM file attached that’s loaded with malign macros. 

Various cryptocurrencies lay on a table

(Image credit: Rūdolfs Klintsons from Pexels)

Panda Stealer appears as an innocent XLSM file with macros that once enabled download a "loader" which executes the main "stealer" application. Alternatively, an XLS file may be downloaded, containing a formula that hides a Powershell command that accesses, a Pastebin alternative, to download a further PowerShell command. Once running, Panda Stealer tries to detect keys, addresses, and other data associated with cryptocurrency transactions and wallets holding funds including Dash, Bytecoin, Litecoin, and Ethereum. Right now we are unsure if the latest cryptocurrency, Chia is affected. It will also attempt to steal credentials from other applications such as NordVPN, Telegram, Discord, and Steam. It’s capable of taking screenshots of the infected computer, and sucking data from browsers like cookies, passwords, and cards.

Panda Stealer seems to be a variant of Collector Stealer, a cracked build of which is freely available online. While there’s no evidence yet of a particular criminal group behind Panda Stealer, Trend Micro was able to identify an IP address being used by the malware for command and control. It led to a rented Shock Hosting virtual server, and having been reported, the server has been suspended. 

This may not be enough to quell the threat, however, as VirusTotal found 264 similar files in its database, calling home to 140 C&C servers and from more than 10 download sites, some of them from Discord, which may be being used to share the malware between criminals.

Ian Evenden
Freelance News Writer

Ian Evenden is a UK-based news writer for Tom’s Hardware US. He’ll write about anything, but stories about Raspberry Pi and DIY robots seem to find their way to him.

  • Exploding PSU
    Reading the title, I thought my Panda antivirus is turning against me heh
  • Phaaze88
    It's just one thing after another...
    Dollars, Euros, Pounds, etc, get lost, stolen and used for ransom, and so does crypto...