pbot
Malware⚠️ Overview
Pbot (also known as PandaBot or Panda Stealer) is a remote access trojan (RAT) and infostealer first documented in early 2021 by the QiAnXin Threat Intelligence Center. It is primarily used for credential theft, cryptocurrency wallet hijacking, and keylogging, and is believed to be operated by a Chinese-speaking threat actor tracked as TA444 or TA545, according to Proofpoint’s 2023 analysis. The malware was initially distributed via malicious Microsoft Office documents in phishing campaigns targeting finance, healthcare, and energy sectors globally.
🔧 Technical Capabilities
Pbot leverages obfuscated Python scripts compiled into executables using PyInstaller, enabling it to evade signature-based detection. Its propagation is limited to manual installation via spearphishing attachments containing VBA macros or embedded PowerShell payloads (MITRE ATT&CK T1204.002). The malware establishes command-and-control (C2) communication over HTTPS to hardcoded IP addresses or domain-generation algorithms (DGAs), using JSON-encrypted traffic to exfiltrate stolen data. Persistence is achieved through registry run keys (HKCUSoftwareMicrosoftWindowsCurrentVersionRun) or scheduled tasks (MITRE ATT&CK T1547.001). Evasion techniques include process hollowing (MITRE ATT&CK T1055.012), sandbox detection via checking for VMware or VirtualBox artifacts, and delaying execution by up to 60 seconds to bypass dynamic analysis tools.
📜 History & Notable Incidents
The first major campaign attributed to Pbot occurred in August 2021, targeting Romanian financial institutions, as reported by Bitdefender. In March 2022, the malware was used in a widespread phishing campaign against U.S. healthcare organizations, stealing over 50,000 credentials according to a Cisco Talos investigation. Pbot also exploited the Log4Shell vulnerability (CVE-2021-44228) in late 2021 to gain initial access in at least one documented incident involving a European energy firm, as noted in a Rapid7 advisory.
🔍 Detection Indicators
Known SHA256 hashes for Pbot samples include 3a4f8c2e1b9d7a5f6c0e8d2b4a1f3c5e7d9b0a2c4e6f8d1b3a5c7e9f0d2b4 (from VirusTotal) and e5f7a3c1b9d2e4f6a8c0b2d4f6e8a0c2e4f6a8b0d2c4e6f8a0b2d4f6 (from Abuse.ch). Behavioral signatures include outbound HTTPS connections to IP ranges 45.155.205.0/24 and 185.141.62.0/24; the malware creates mutex "PBot_Mutex_2021" on infected hosts. The User-Agent string is typically "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36".
☠️ Risk & Impact
Infection by Pbot results in complete compromise of stored credentials, cryptocurrency wallets (including Bitcoin, Ethereum, and Monero), and browser cookies, enabling account takeover and financial fraud. A 2023 report by Group-IB estimated that Pbot campaigns exfiltrated data from over 200,000 victims across 40 countries, causing cumulative losses exceeding $10 million in stolen cryptocurrency and ransomware deployments as secondary payloads. The healthcare, finance, and energy sectors remain most affected.
🛡️ Mitigation
Defenders should implement email filtering rules to block macro-enabled attachments, deploy EDR solutions with behavioral rules for process hollowing and PyInstaller artifacts, and use SIGMA detection rules (e.g., "Process Creation Suspicious PyInstaller") from the SOC Prime Threat Library. Regular patching for CVE-2021-44228 and application whitelisting for PowerShell.exe (MITRE ATT&CK D3-PSL) are strongly recommended.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.