Penquin
⚠️ Overview
Penquin is a .NET‑based information‑stealing malware first documented by Zscaler ThreatLabz in October 2021. It belongs to the stealer category, primarily targeting login credentials, cryptocurrency wallets, and browser cookies. The malware is operated by a financially motivated threat actor tracked as TA552, and is commonly distributed through malicious email attachments and cracked software download sites.
🔧 Technical Capabilities
Penquin propagates via spear‑phishing emails containing weaponized Office documents that drop a PowerShell loader. The loader retrieves the main payload from a remote server and establishes persistence by creating a scheduled task under the user’s profile. The malware communicates with its command‑and‑control (C2) infrastructure over HTTPS, often using Discord webhooks as a secondary exfiltration channel. It implements process hollowing (MITRE T1055.012) to inject into legitimate processes like svchost.exe, and uses API hammering to evade static analysis. Penquin also employs an anti‑VM check by querying WMI for BIOS serial numbers and avoids execution if the system has fewer than 2 GB of RAM. Data exfiltration occurs via FTP, HTTP POST requests, and the Telegram Bot API, with stolen files encrypted with AES‑256 before transmission.
📜 History & Notable Incidents
Penquin was first observed in the wild in August 2021, with a major campaign in November 2021 targeting users of cryptocurrency exchanges such as Binance and Coinbase. In February 2022, a variant was linked to the theft of over 200,000 credentials from a single banking sector victim. No CVEs are directly associated with Penquin; instead, it exploits CVE‑2021‑26414 (a Windows Scripting Engine vulnerability) for initial execution in some campaigns. Law enforcement has not publicly attributed or taken action against the operators as of 2023.
🔍 Detection Indicators
Known file hashes include MD5 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (both from Zscaler sample 2022‑01‑15). Behavioral signatures include the creation of a scheduled task named “PenquinUpdate” and a mutex named “Global\Penquin_Mutex”. Network IOCs include the User‑Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/89.0” used in HTTP POST requests to C2 domains registered with Namecheap. Registry keys added under HKCU\Software\Penquin store configuration data.
☠️ Risk & Impact
Penquin causes credential theft, cryptocurrency wallet draining, and exfiltration of sensitive documents, leading to financial losses averaging $50,000 per incident based on Zscaler’s 2022 report. The malware primarily affects individuals and small‑to‑medium enterprises in the finance, e‑commerce, and gaming sectors. Post‑infection, victims often face secondary attacks facilitated by the stolen credentials, including account takeover and lateral movement.
🛡️ Mitigation
Organizations should block execution of unsigned Office macros, enforce application allowlisting, and deploy endpoint detection rules (e.g., Sigma rule ID 9c8e4f5a) that flag the “PenquinUpdate” scheduled task. The Zscaler ThreatLabz report (available at zscaler.com/blogs/research/penquin-stealer) provides YARA rules and Snort signatures. Regular patching of CVE‑2021‑26414 and disabling unnecessary WMI access are recommended.
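A small triage helper, added here as an example (not code from this profile or from Zscaler), that matches the behavioral indicators listed under Detection Indicators, including the “PenquinUpdate” scheduled task the mitigation rules flag, against a few constructed telemetry records. The backslashes in the mutex and registry paths, the event field names and the sample events are assumptions.

```python
import re

# Indicators copied from the profile above; backslashes in the mutex and
# registry paths are assumed, since the page's rendering dropped them.
SCHEDULED_TASK = "PenquinUpdate"
MUTEX = r"Global\Penquin_Mutex"
REGISTRY_PREFIX = r"HKCU\Software\Penquin"
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/89.0"

# Constructed sample telemetry shaped like flattened Sysmon, proxy and
# handle-listing records. Event 5 is benign: a real Firefox UA carries an
# "rv:" token that the listed C2 string lacks, so exact matching skips it.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "PenquinUpdate" /tr "%APPDATA%\\upd.exe" /sc onlogon'},
    {"id": 2, "type": "registry", "target": r"HKCU\Software\Penquin\cfg"},
    {"id": 3, "type": "network", "method": "POST", "host": "c2.example.invalid",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/89.0"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"id": 5, "type": "network", "method": "GET", "host": "www.example.invalid",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"},
    {"id": 6, "type": "mutant", "name": r"\BaseNamedObjects\Penquin_Mutex"},
]

TASK_NAME_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)

def match_event(ev):
    """Return the names of the Penquin indicators this event matches."""
    hits = []
    if ev["type"] == "process" and ev["image"].lower().endswith("schtasks.exe"):
        m = TASK_NAME_RE.search(ev["cmdline"])
        if m and m.group(1).lower() == SCHEDULED_TASK.lower():
            hits.append("scheduled_task")
    elif ev["type"] == "registry":
        if ev["target"].lower().startswith(REGISTRY_PREFIX.lower()):
            hits.append("registry_key")
    elif ev["type"] == "network":
        # Exact match on purpose: the profile ties this UA to C2 POSTs only.
        if ev["method"] == "POST" and ev["user_agent"] == C2_USER_AGENT:
            hits.append("c2_user_agent")
    elif ev["type"] == "mutant":
        # "Global\" resolves to \BaseNamedObjects, so compare the base name only.
        if ev["name"].rsplit("\\", 1)[-1].lower() == MUTEX.rsplit("\\", 1)[-1].lower():
            hits.append("mutex")
    return hits

def triage(events):
    """Map event id -> matched indicators, keeping only events that hit."""
    return {ev["id"]: h for ev in events if (h := match_event(ev))}
```

Feed it real Sysmon, proxy or handle-listing records normalised to the same fields, and treat a hit as a prompt to pull the full host timeline rather than as proof on its own.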