S0330: Zeus Panda
Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. Zeus Panda’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.[1][2]
Analyst context for executives and security teams
Zeus Panda matters because ATT&CK describes it as Windows banking Trojan malware built to steal banking information and other sensitive credentials for exfiltration. Its listed behaviors span credential collection, discovery, persistence through Registry Run Keys or Startup Folder, web-protocol command and control, tool/file transfer, obfuscation, and cleanup. For leaders, the practical issue is not just one malware name; it is whether Windows endpoint, identity, and SOC controls can detect and contain credential theft malware that blends discovery, stealth, and persistence behaviors.
Executive priority
Prioritize Zeus Panda as a validation case for Windows credential-theft resilience: endpoint visibility, registry-change monitoring, PowerShell/cmd governance, web egress review, and incident response playbooks for stolen credentials. Because ATT&CK provides no official detection text for this software, executives should ask whether coverage is proven through local telemetry and tests mapped to the related techniques, not assumed from malware signatures alone.
Technical view
ATT&CK lists Zeus Panda on Windows and relates it to techniques including Query Registry, Modify Registry, Registry Run Keys / Startup Folder, Command and Scripting Interpreter, PowerShell, Windows Command Shell, Portable Executable Injection, Keylogging, Credential API Hooking, Process Discovery, System Information Discovery, Security Software Discovery, File and Directory Discovery, System Time Discovery, System Language Discovery, Clipboard Data, Screen Capture, Web Protocols, Ingress Tool Transfer, File Deletion, obfuscated commands, encrypted/encoded files, and deobfuscation. SOC and IR teams should validate detection across the behavior chain: initial execution via shell or PowerShell, discovery commands, suspicious registry reads/writes and autoruns, process injection indicators, credential and user-data collection signals, outbound HTTP/S-like C2 patterns, downloaded files, and post-activity deletion.
Likely telemetry
- Windows process creation and command-line history for cmd.exe, PowerShell, and child processes
- PowerShell execution logs and script/block-level evidence where available
- Windows Registry read/write events, especially Run Keys and startup-related locations
- Endpoint file creation, modification, deletion, and encoded/encrypted artifact indicators
- Process access, memory allocation, thread creation, or other endpoint signals consistent with PE injection
Detection direction
- Do not rely only on Zeus Panda name-based or hash-based detections; the source code leak noted by ATT&CK means variants may exist, so behavior-level analytics are important.
- Tune detections around combinations of behaviors: shell or PowerShell execution followed by discovery, registry modification, persistence creation, file transfer, and web egress.
- Validate Registry Run Key and startup-folder monitoring for both user-context and elevated contexts; triage should distinguish legitimate software updaters from unusual persistence paths or newly introduced binaries.
- Correlate credential-access behaviors such as keylogging, API hooking, clipboard access, and screen capture with suspicious process lineage and network activity to reduce false positives.
- Review blind spots where command obfuscation, encoded files, or deobfuscation may weaken simple string or command-line matching.
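As an added example (not part of the mirrored ATT&CK object or the Glexia analysis above), the following Python correlates constructed Sysmon-style endpoint events to flag the behavior chain the detection direction describes: a process spawned by a shell that writes a Run key pointing outside trusted directories and then makes web egress. The event shapes, paths, trusted-directory list and 10-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events (process creation, registry value set,
# network connection); shapes and values are assumptions, not real telemetry.
EVENTS = [
    {"t": "2024-01-01T10:00:00", "type": "process", "pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"t": "2024-01-01T10:00:05", "type": "process", "pid": 410, "ppid": 400,
     "image": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"t": "2024-01-01T10:00:06", "type": "registry", "pid": 410,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"t": "2024-01-01T10:00:09", "type": "network", "pid": 410, "dest_port": 80},
    # Benign-looking updater: a Run key write alone should not alert.
    {"t": "2024-01-01T11:00:00", "type": "process", "pid": 500, "ppid": 1,
     "image": r"C:\Program Files\Vendor\updater.exe"},
    {"t": "2024-01-01T11:00:01", "type": "registry", "pid": 500,
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "value": r"C:\Program Files\Vendor\updater.exe"},
]
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
TRUSTED_DIRS = (r"c:\program files", r"c:\windows")

def correlate(events, window=timedelta(minutes=10)):
    """Map pid -> behavior labels, keeping only processes that show at least
    two of: spawned by a shell, untrusted Run-key persistence, web egress."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = defaultdict(set)
    for e in events:
        proc = procs.get(e["pid"])
        if proc is None:
            continue
        # Only consider activity within `window` of the process start
        started = datetime.fromisoformat(proc["t"])
        if datetime.fromisoformat(e["t"]) - started > window:
            continue
        parent = procs.get(proc["ppid"])
        if parent and parent["image"].lower().endswith(SHELLS):
            findings[e["pid"]].add("spawned_by_shell")
        if (e["type"] == "registry" and RUN_KEY.search(e["key"])
                and not e["value"].lower().startswith(TRUSTED_DIRS)):
            findings[e["pid"]].add("untrusted_run_key")
        if e["type"] == "network" and e["dest_port"] in (80, 443):
            findings[e["pid"]].add("web_egress")
    # Single behaviors are common in benign software; alert on combinations
    return {pid: b for pid, b in findings.items() if len(b) >= 2}
```

Running `correlate(EVENTS)` flags only pid 410 with all three labels; the vendor updater's Run key write under Program Files stays below the threshold.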
Mitigation priorities
- Harden Windows endpoints against credential theft by prioritizing least privilege, application control where feasible, and rapid isolation procedures for suspected infected hosts.
- Restrict and monitor PowerShell and Windows command shell usage according to administrative need; preserve sufficient logging for investigation.
- Monitor and control Registry persistence locations and startup folders; investigate unauthorized changes promptly.
- Strengthen egress controls and proxy/DNS visibility for web-protocol command-and-control and tool-transfer patterns.
- Ensure endpoint protection and EDR policies are configured to capture process injection, suspicious file activity, and credential-access behaviors, not just known malware signatures.
Analyst notes and limits
This take is based on the supplied ATT&CK S0330 Zeus Panda object, its official description, external references from Talos and G DATA, and listed technique relationships. The strongest business relevance is credential theft from Windows systems and the need to validate behavior-based coverage across discovery, stealth, persistence, collection, command and control, and file transfer behaviors.
ATT&CK does not provide official detection text, aliases, labels, or explicit tactics for the Zeus Panda malware object in the supplied fields. Relationship descriptions are partially truncated in the source provided. Local environment evidence is required to determine actual exposure, detection coverage, affected Windows versions in use, and whether any observed activity is Zeus Panda versus another malware family using similar techniques.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1056.004 | Credential API Hooking | Zeus Panda hooks processes by leveraging its own IAT hooked functions. [2] |
| Enterprise | T1059.001 | PowerShell | Zeus Panda uses PowerShell to download and execute the payload. [1] |
| Enterprise | T1518.001 | Security Software Discovery | Zeus Panda checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s environment. [1][2] |
| Enterprise | T1057 | Process Discovery | Zeus Panda checks for running processes on the victim’s machine. [2] |
| Enterprise | T1113 | Screen Capture | Zeus Panda can take screenshots of the victim’s machine. [2] |
| Enterprise | T1105 | Ingress Tool Transfer | Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine. [2] |
| Enterprise | T1059 | Command and Scripting Interpreter | Zeus Panda can launch remote scripts on the victim’s machine. [2] |
| Enterprise | T1124 | System Time Discovery | Zeus Panda collects the current system time (UTC) and sends it back to the C2 server. [2] |
| Enterprise | T1614.001 | System Language Discovery | Zeus Panda queries the system’s keyboard mapping to determine the language used on the system. It will terminate execution if it detects LANG_RUSSIAN, LANG_BELARUSIAN, LANG_KAZAK, or LANG_UKRAINIAN. [1] |
| Enterprise | T1112 | Modify Registry | Zeus Panda modifies several Registry keys under |
| Enterprise | T1071.001 | Web Protocols | Zeus Panda uses HTTP for C2 communications. [1] |
| Enterprise | T1070.004 | File Deletion | Zeus Panda has a command to delete a file. It also can uninstall scripts and delete files to cover its tracks. [2] |
| Enterprise | T1027.013 | Encrypted/Encoded File | Zeus Panda encrypts strings with XOR. Zeus Panda also encrypts all configuration and settings in AES and RC4. [1][2] |
| Enterprise | T1027.010 | Command Obfuscation | Zeus Panda obfuscates the macro commands in its initial payload. [1] |
| Enterprise | T1059.003 | Windows Command Shell | Zeus Panda can launch an interface where it can execute several commands on the victim’s PC. [2] |
| Enterprise | T1115 | Clipboard Data | Zeus Panda can hook the GetClipboardData function to watch for clipboard pastes to collect. [2] |
| Enterprise | T1012 | Query Registry | Zeus Panda checks for the existence of a Registry key and if it contains certain values. [2] |
| Enterprise | T1055.002 | Portable Executable Injection | Zeus Panda checks processes on the system and if they meet the necessary requirements, it injects into that process. [2] |
| Enterprise | T1082 | System Information Discovery | Zeus Panda collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system. [1][2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Zeus Panda adds persistence by creating Registry Run keys. [1][2] |
| Enterprise | T1056.001 | Keylogging | Zeus Panda can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Zeus Panda decrypts strings in the code during the execution process. [1] |
| Enterprise | T1083 | File and Directory Discovery | Zeus Panda searches for specific directories on the victim’s machine. [2] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | af83cc8fb717… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Talos Zeus Panda Nov 2017: Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
- [2] GDATA Zeus Panda June 2017: Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
- [3] Zeus Panda (Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)
- [4] mitre-attack S0330
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.