Panda Malware After Cryptocurrency Wallets, VPN, Discord and Telegram Accounts

Person sitting behind laptop checking email

Security researchers recently spotted a new type of information-stealing malware strain, dubbed Panda Stealer. The malware is mainly distributed via spam emails in the US, Australia, Japan, and Germany, and potentially also spreads via Discord channels. Cybercriminals use Panda to steal people’s cryptocurrency wallets as well as their VPN, Discord and Telegram credentials.

New Type of Malware Strain

In Early April, Trend Micro observed a new information stealer, called Panda Stealer, being delivered via phishing emails. In these emails, cybercriminals include luring business quotes, to try and trick potential victims into executing malicious Excel files.

The researchers have identified two chains of infection:

  • The first is an .XSLM attachment containing macros that download a loader. This loader then downloads and runs Panda Stealer
  • The second is an .XLS attachment containing an Excel formula that uses a PowerShell command to open (a type of online content hosting service, where users, cybercriminals in this case, can store and share text or code). This then accesses a second coded PowerShell command

Trend Micro research shows that Panda Stealer also uses fileless techniques to bypass detection mechanisms.

What Kind of Data Is Panda Stealer After?

The malware is interested in various data. “Once installed, Panda Stealer can collect details like private keys and records of past transactions from its victim’s various digital currency wallets, including Dash, Bytecoin, Litecoin, and Ethereum”, explains the report. “It’s capable of taking screenshots of the infected computer and exfiltrating data from browsers like cookies, passwords, and cards.”

Moreover, Panda does not only target cryptocurrency wallets. “It can also steal credentials from other applications such as NordVPN, Steam, Telegram, and Discord.” The latter two are popular communication platforms for cryptocurrency communities.

Meanwhile, Trend Micro has identified some of the IP addresses used by the threat actor behind Panda Stealer. One of the addresses belongs to a virtual private server (VPS) rented from Shock Hosting. Apparently, the actor infected this server for testing purposes. Trend Micro informed Shock Hosting and they confirmed that they had suspended the IP address in question.

Similarities with Other Malware

It is noteworthy that Panda Stealer has similarities with another malware strain, known as Collector Stealer. Collector Stealer is listed for sale on the dark web and on Telegram. Although similar in many ways, the two stealers have different command and control URLs, build tags, and execution directories.

Both pieces of malware exfiltrate details such as cookies, victims’ login credentials, and web data. And both store this information in a SQLite3 database. SQLite database files are commonly used as containers to transfer content between systems and as a long-term archival format files.

Another remarkable discovery is that Panda Stealer has something in common with other malware strains in terms of fileless distribution. It has borrowed this feature from the so-called Fair variant produced by Phobos ransomware. Once the host is infected, the malware runs in memory instead of storing the files on the hard drive. Thus, making it far more difficult for security tools to spot.

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For she follows relevant cybercrime and online privacy developments. She rigorously tests the quality of VPN services using's dedicated VPN testing protocol that has been finetuned and optimized over the years.