'Panda' Malware Targets Crypto Wallets and Users' Discord, Telegram Accounts

The main "new" aspect here is the target of the data theft.

AccessTimeIconMay 10, 2021 at 10:03 p.m. UTC
Updated Sep 14, 2021 at 12:53 p.m. UTC

A new ransomware attack is going after cryptocurrency wallets, along with account credentials from other applications such as NordVPN, Telegram, Discord and Steam.

Dubbed “Panda,” the new information-stealing malware (also called infostealer for short) was discovered by Trend Micro, a cybersecurity software company. 

“Crypto wallets are now as big of a target for online theft as banking accounts are,” said the Trend Micro researchers who discovered the attack. “With more people getting into cryptocurrencies and the values of said cryptocurrencies still increasing, this will only become a greater threat moving forward.”

They also said there is more risk here because unlike with a bank robbery or credit card theft, there may not be a central authority that can undo malicious transactions. Once you lose your money and the transaction goes on the blockchain, it's likely gone forever.

The malware attack

At a high level, according to the researchers, the attack begins with spam messages that contain a malicious attachment. The attachment uses PowerShell scripts, a task automation and configuration management coding language Microsoft, to download the actual Panda Stealer malware (in encoded form), which is then loaded without files onto the affected system.

“None of this is particularly novel in and of itself – malicious Office documents are well known, so is fileless loading,” the researchers said. “The main 'new' aspect here is the target of the data theft.”

Beyond just targeting cryptocurrency wallets with malware, attackers are now setting their sights on applications like Discord and Telegram – popular communications platforms for cryptocurrency communities. 

The attack campaign, which was active in April, uses spam emails and the same rare fileless distribution method as a separate recent attack. Morphisec, another cybersecurity firm, discovered a Phobos ransomware campaign in early April that uses an identical fileless distribution method to Panda, making it more difficult for security tools to spot.

"The fileless distribution used in this case means there is no signature for antivirus software to detect the threat, and it can bypass detection,” said Michael Gorelik, chief technology officer and head of threat intelligence at Morphisec. “Therefore, it's dangerous for both consumers' wallets and even enterprises, with more lines of security set up."

Follow best security practices

The Trend Micro researchers said following long-standing security practices still applies here. Not opening up attachments sent via email, making sure you don’t click on unknown links and keeping software upgraded still are basic security measures people can take to avoid malware and other security breaches. 

Specific to cryptocurrencies, they said the best advice is to secure your cryptocurrency wallets. They weren’t able to give specific recommendations given the wide array of wallets on the market, but recommended using strong, unique passwords. 

“If the wallet you're using offers multifactor authentication (and many do – if anything, they may support multiple methods), use them,” the researchers said.  “For investors who are more interested in holding cryptocurrencies for the long term instead of actively trading them, the use of hardware-based/offline wallets may well be safer, if less convenient to add to or sell from.”


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.