Panda versus DELoader: Threat Actors Experiment to Find the Best Malware for the Job

Share Now


One important task for threat actors is the pursuit of new and innovative techniques for infiltrating their victims’ networks. A major aspect of this pursuit is the selection of a malware that can accomplish the mission at hand. For example, a ransomware threat actor may seek out the ransomware tool that guarantees the highest rate of ransom payment. However, threat actors with different missions might seek out tools using different success criteria. Threat actors can experiment and transition between these tools because, in many ways, these malware varieties represent interchangeable parts in an attack life cycle.

One of the challenges threat actors face is to find the best tool that allows them to infiltrate a system. Financial crimes malware, allows threat actors to steal sensitive credentials as well as money. However, most botnet malware has multiple purposes. These functions allow them to use these tools and take a step into a larger intrusion, such as an enterprise network. The tools can change over time and sometimes evolve. Because of this, the threat actors can explore new options that achieve a similar end goal.

One example of this principle at work is the alternation between the DELoader and Zeus Panda botnet malware observed in phishing emails. DELoader may already represent an evolution based on its distribution by emails that borrow the delivery methodology once used by the Vawtrak malware. However, threat actors have begun to intermittently replace DELoader with the Zeus Panda. While this is not a dramatic change, it demonstrates that threat actors are willing to explore different options to achieve their broader goals. DELoader and Zeus Panda are similar as financial crimes botnet malware. Both malware families stem from the legacy Zeus codebase and allow the threat actor to explore, adapt, and customize an intrusion. Only tactical differences like command and control communication format and persistence mechanism set them apart. As time goes on and the threat landscape changes, threat actors are bound to evolve their toolset. Because of this, a level of commoditization makes certain types of malware replaceable in a life cycle.

In an evolving threat landscape and marketplace of tools, threat actors explore alternative options; yet, ultimately if the mission is network intrusion or financial crimes the threat actors look for a tool that is best suited for this goal. The commoditization of these tools, mainly the fact they can be changed at any instance, means that the challenge as defender is not to defend against a single malware family, but instead to defend against strategy. One effective way to maintain a robust defense against these explorations is to combine tactical observations and atomic indicators with a strategic view of threat actors’ goals. Ultimately, the goal is not to mitigate any one attack vector or malware tool, but to anticipate the strategy threat actors use to accomplish their mission.

For many attackers, the strategy relies upon the successful deployment of phishing emails. This makes phishing a logical starting point for a robust defense. Observing how attackers craft and deploy these emails allows an organization to prepare and empower their email users. These users can then engage critically with those messages and report them to the security professionals responsible for defending that enterprise. When these internal reports are combined with intelligence from external sources, network defenders can begin to overcome threats at a tactical level and apply those tactics as part of a greater strategy to overcome any malware threat.

Learn why more than half of the Fortune 100 trusts PhishMe® for end-to-end phishing mitigation. Request a free demo today, no obligations, no software to install.

Read More Related Phishing Blog Posts


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.