Pulse Detail — Threat Intelligence

PULSE NAME

ToxicPanda: a new banking trojan from Asia hit Europe and LATAM

WHITE ToxicPanda AlienVault 2024-11-06 Modified: 2024-11-06

IOCs

MEDIUM VOLUME

A new Android banking Trojan called ToxicPanda has emerged, targeting Europe and Latin America. Originating from Chinese-speaking threat actors, it has infected over 1500 devices across Italy, Portugal, Spain, and other countries. ToxicPanda exploits accessibility services for account takeovers and on-device fraud. It can intercept OTPs, remotely control devices, and collect sensitive data. The malware uses AES encryption for C2 communication and has a sophisticated control panel. While less advanced than some trojans, ToxicPanda's expansion into new regions marks a significant shift in the threat landscape.

MITRE ATT&CK & Malware Families

MALWARE FAMILIES

ToxicPanda TgToxic

Indicators of Compromise (24)

All FileHash-MD5 domain

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	2f5c4325f77280b2b58be981f9051f04	—	2024-11-06
FileHash-MD5	4295dfdd9d9fad74ee08d48d13e2b856	—	2024-11-06
FileHash-MD5	68139c9e7960d3eb956472bdc5ed5ad2	—	2024-11-06
FileHash-MD5	6e0a7e94ce0a1fe70d43fe727dc41061	—	2024-11-06
FileHash-MD5	f5c44a7044572e39e8fb9fa8e1780924	—	2024-11-06
domain	99spedmart.me	—	2024-11-06
domain	atnp.lol	—	2024-11-06
domain	bnwu.lol	—	2024-11-06
domain	cgtp.lol	—	2024-11-06
domain	ckysp.top	—	2024-11-06
domain	dblpap1.top	—	2024-11-06
domain	dblpap2.top	—	2024-11-06
domain	dblpap3.top	—	2024-11-06
domain	dbltest.top	—	2024-11-06
domain	dbltest6.top	—	2024-11-06
domain	dbltest8.top	—	2024-11-06
domain	dblxz.lol	—	2024-11-06
domain	dksu.top	—	2024-11-06
domain	dpds.lol	—	2024-11-06
domain	fgta.lol	—	2024-11-06
domain	freebasic.cn	—	2024-11-06
domain	kmpct.top	—	2024-11-06
domain	mixcom.one	—	2024-11-06
domain	mwscg.top	—	2024-11-06

References (1)

↗ https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam