Panda Stealer dropped in Excel files, spreads through Discord to steal user cryptocurrency

The malware hones in on cryptocurrency funds as well as VPN credentials.
Written by Charlie Osborne, Contributing Writer

A new cryptocurrency stealer variant is being spread through a global spam campaign and potentially through Discord channels. 

Dubbed Panda Stealer, Trend Micro researchers said this week that the malware has been found targeting individuals across countries including the US, Australia, Japan, and Germany. 

The malware begins its infection chain through phishing emails and samples uploaded to VirusTotal also indicate that victims have been downloading executables from malicious websites via Discord links. 

Panda Stealer's phishing emails pretend to be business quote requests. So far, two methods have been linked to the campaign: the first of which uses attached .XLSM documents that require victims to enable malicious macros.

If macros are permitted, a loader then downloads and executes the main stealer. 

In the second chain, an attached .XLS file contains an Excel formula that hides a PowerShell command. This command attempts to access a paste.ee URL to pull a PowerShell script to the victim's system and to then grab a fileless payload. 

"The CallByName export function in Visual Basic is used to call the load of a .NET assembly within memory from a paste.ee URL," Trend Micro says. "The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL."

Once downloaded, Panda Stealer will attempt to detect keys and addresses associated with cryptocurrency wallets holding funds including Ethereum (ETH), Litecoin (LTC), Bytecoin (BCN), and Dash (DASH). In addition, the malware is able to take screenshots, exfiltrate system data, and steal information including browser cookies and credentials for NordVPN, Telegram, Discord, and Steam accounts.

While the campaign has not been attributed to specific cyberattackers, Trend Micro says that an examination of the malware's active command-and-control (C2) servers led the team to IP addresses and a virtual private server (VPS) rented from Shock Hosting. The server has since been suspended. 


Panda Stealer is a variant of Collector Stealer, malware that has been sold in the past on underground forums and through Telegram channels. The stealer has since appeared to have been cracked by Russian threat actors going under the alias NCP/su1c1de.

The cracked malware strain is similar but uses different infrastructure elements such as C2 URLs and folders.

"Because the cracked Collector Stealer builder is openly accessible online, cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C2 panel," the researchers note. "Threat actors may also augment their malware campaigns with specific features from Collector Stealer."

Trend Micro says there are similarities in the attack chain and fileless distribution method to Phobos ransomware. Specifically, as described by Morphisec, the "Fair" variant of Phobos is similar in its distribution approach and is being constantly updated to reduce its footprint, such as reducing encryption requirements, in order to stay under the radar for as long as possible. 

The researchers also noted correlations between Phobos and LockBit in an April 2021 report

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards