Skip to content

S0330 Zeus Panda

Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. Zeus Panda’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.12

Item Value
ID S0330
Associated Names
Version 1.3
Created 29 January 2019
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Zeus Panda uses HTTP for C2 communications.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Zeus Panda adds persistence by creating Registry Run keys.12
enterprise T1115 Clipboard Data Zeus Panda can hook GetClipboardData function to watch for clipboard pastes to collect.2
enterprise T1059 Command and Scripting Interpreter Zeus Panda can launch remote scripts on the victim’s machine.2
enterprise T1059.001 PowerShell Zeus Panda uses PowerShell to download and execute the payload.1
enterprise T1059.003 Windows Command Shell Zeus Panda can launch an interface where it can execute several commands on the victim’s PC.2
enterprise T1140 Deobfuscate/Decode Files or Information Zeus Panda decrypts strings in the code during the execution process.1
enterprise T1083 File and Directory Discovery Zeus Panda searches for specific directories on the victim’s machine.2
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Zeus Panda has a command to delete a file. It also can uninstall scripts and delete files to cover its track.2
enterprise T1105 Ingress Tool Transfer Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine.2
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Zeus Panda can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN.2
enterprise T1056.004 Credential API Hooking Zeus Panda hooks processes by leveraging its own IAT hooked functions.2
enterprise T1112 Modify Registry Zeus Panda modifies several Registry keys under HKCU\Software\Microsoft\Internet Explorer\ PhishingFilter\ to disable phishing filters.2
enterprise T1027 Obfuscated Files or Information Zeus Panda encrypts strings with XOR. Zeus Panda also encrypts all configuration and settings in AES and RC4.12
enterprise T1027.010 Command Obfuscation Zeus Panda obfuscates the macro commands in its initial payload.1
enterprise T1057 Process Discovery Zeus Panda checks for running processes on the victim’s machine.2
enterprise T1055 Process Injection -
enterprise T1055.002 Portable Executable Injection Zeus Panda checks processes on the system and if they meet the necessary requirements, it injects into that process.2
enterprise T1012 Query Registry Zeus Panda checks for the existence of a Registry key and if it contains certain values.2
enterprise T1113 Screen Capture Zeus Panda can take screenshots of the victim’s machine.2
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Zeus Panda checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s environment.12
enterprise T1082 System Information Discovery Zeus Panda collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system.12
enterprise T1614 System Location Discovery -
enterprise T1614.001 System Language Discovery Zeus Panda queries the system’s keyboard mapping to determine the language used on the system. It will terminate execution if it detects LANG_RUSSIAN, LANG_BELARUSIAN, LANG_KAZAK, or LANG_UKRAINIAN.1
enterprise T1124 System Time Discovery Zeus Panda collects the current system time (UTC) and sends it back to the C2 server.2