• A threat actor dubbed Panda has been observed using remote access tools (RATs) and cryptomining malware to make thousands of dollars in Monero cryptocurrency.
  • Panda is notorious for the ‘MassMiner’ campaign it launched in the summer of 2018.

Panda has constantly updated its infrastructure, exploits, and payloads. It is believed to be capable of spreading cryptocurrency miners and hence poses a major threat.

The history

Panda was first spotted in July 2018 and was associated with the ‘MassMiner’ campaign.

  • It returned in January 2019 to exploit a recently disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942).
  • In March, Panda was seen using new infrastructure, including various subdomains of the domain hognoob[.]se.
  • Panda returned in May after updating its primary payload.
  • June saw Panda exploiting a WebLogic vulnerability.
  • In August, researchers observed that Panda had added a new set of domains to its C2 and payload-hosting infrastructure.

Observations from researchers

Threat traps indicate that Panda is using exploits that were used by Shadow Brokers and Mimikatz.

  • Researchers believe that Panda may infiltrate and misuse systems for cryptocurrency mining or harvest valuable information.
  • Panda is believed to have made Monero cryptocurrency worth approximately $100,000.
  • Panda’s operation is not very sophisticated, with most of the domains hosted on the same IPs and the TTPs remaining fairly constant throughout various campaigns.

“They attempt to hide their miners using the exact same popular techniques we see with other groups. Their infrastructure is predictable: I can usually peg a new Panda domain as soon as I see it in the data; they tend to just be iterations of each other,” Cisco’s Evans told Threatpost.


Although Panda does not have any advanced operations in place, it remains a major threat to organizations as it is consistent and exploits known vulnerabilities.

Cisco has published a list of Indicators of Compromise (IOCs) on their blog that you can monitor.
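Because most of Panda's domains are reported to sit on the same IPs, a known indicator can be used as a pivot in DNS logs. The following is an added example, not code from Cisco or from this article: it matches queries under the defanged domain named above and then lists other hostnames that resolved to the same addresses. The log format, the helper names, and every hostname and IP other than hognoob[.]se are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample DNS log: "timestamp client query answer_ip".
# Only the hognoob[.]se parent domain comes from the article; all other
# names and addresses are invented (documentation ranges, .example names).
SAMPLE_LOG = """\
2019-08-01T10:00:01 10.0.0.5 a.hognoob.se 203.0.113.10
2019-08-01T10:00:07 10.0.0.5 www.intranet.example 198.51.100.7
2019-08-01T10:02:13 10.0.0.9 dl.newpool.example 203.0.113.10
2019-08-01T10:03:40 10.0.0.7 nothognoob.se 198.51.100.9
2019-08-01T10:05:02 10.0.0.9 Q.HOGNOOB.SE. 203.0.113.11
"""

def refang(indicator):
    """Turn a defanged indicator (hognoob[.]se) into a matchable name."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

def under_domain(name, parent):
    """Match the parent or a true subdomain, never a look-alike suffix."""
    return name == parent or name.endswith("." + parent)

def parse(log):
    """Yield (timestamp, client, normalized query, answer IP) per valid line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip malformed lines
            ts, client, query, ip = parts
            yield ts, client, query.lower().rstrip("."), ip

def triage(log, defanged_parents):
    """Return (hits on known domains, {candidate domain: clients})."""
    parents = [refang(p) for p in defanged_parents]
    rows = list(parse(log))
    is_known = lambda name: any(under_domain(name, p) for p in parents)
    known_hits = [(ts, client, q) for ts, client, q, _ in rows if is_known(q)]
    # IPs that served a known-bad name become the pivot set.
    shared_ips = {ip for _, _, q, ip in rows if is_known(q)}
    candidates = defaultdict(set)
    for _, client, q, ip in rows:
        if ip in shared_ips and not is_known(q):
            candidates[q].add(client)
    return known_hits, dict(candidates)

if __name__ == "__main__":
    hits, candidates = triage(SAMPLE_LOG, ["hognoob[.]se"])
    for ts, client, name in hits:
        print(f"known IOC   {ts} {client} -> {name}")
    for name, clients in candidates.items():
        print(f"same-IP candidate {name} queried by {sorted(clients)}")
```

Candidates found through the shared-IP pivot are leads for analyst review rather than confirmed indicators, since unrelated sites can share an address on common hosting.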

Cyware Publisher