MalwareUsed by 5 actorsExploits 2 CVEs

Blackmoon

BlackMoon, also known as KRBanker/KrBanker, is a banking trojan first observed targeting South Korean banking users, with reporting placing early analysis in 2014 and widespread activity from 2015 onward. Its original core behavior was credential theft via pharming and browser redirection: modifying the local Hosts file or later installing a local proxy auto-config (PAC) configuration to redirect victims from legitimate South Korean banking sites to attacker-controlled phishing pages. Reported phishing workflows collected banking credentials and personal information, and some variants also searched for South Korean NPKI certificate stores, archived certificate material with a hardcoded password, and exfiltrated it via HTTP POST.

Documented early distribution methods included drive-by downloads, adware, and exploit kits. Multiple reports describe BlackMoon using staged downloader frameworks and anti-analysis features. Observed techniques include encoded configuration retrieval from external sites such as lofter[.]com or social-media-hosted content, case-swapped Base64-style obfuscation, registry run-key persistence, PAC abuse via HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL, anti-debugging with vectored exception handlers, hardware breakpoints, timing checks, and process injection/process hollowing into suspended processes such as CACLS.EXE or svchost.exe.

Later reporting shows BlackMoon evolving beyond pure banking fraud into a multi-stage malware platform. A campaign tracked from November 2022 targeted businesses primarily in the United States and Canada and emphasized persistence, defense evasion, lateral movement, and monetization rather than only credential theft. In that activity, BlackMoon established persistence through a malicious Port Monitor tied to the Windows Print Spooler service, dropped RunDllExe.dll in C:\Windows\Logs, set HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\RunDllExe, modified Spooler privileges, disabled Windows Defender via HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, blocked inbound RPC/SMB traffic with netsh ipsec rules, and injected a downloader into svchost.exe. Retrieved payloads included Hooks.exe, MpMgSvc.dll, MpMgSvc.exe, and WmiPrvSER.exe; the campaign deployed a spreader using EternalBlue/DoublePulsar-style components, scanned for ports 3306/445/1433, installed an XMRig Monero miner, and dropped traffic-sharing tools including ctfmoon.exe and Traffmonetizer.exe. Command-and-control in that campaign included hxxp://down.ftp21[.]cc/Update.txt.

BlackMoon has also appeared in India-focused phishing operations impersonating the Income Tax Department. In reporting from late 2025 to early 2026, tax-themed ZIP archives led to DLL sideloading and multi-stage payload retrieval, after which a BlackMoon variant was used specifically to evade Avast Free Antivirus by automating GUI actions to add malicious files to Avast exclusions. In those campaigns, BlackMoon activity was associated with deployment of the legitimate Chinese enterprise tool SyncFuture TSM, repurposed as an espionage framework for persistence, monitoring, remote control, and data exfiltration. eSentire stated that campaign had not been attributed to a known threat actor.

High-confidence indicators and artifacts mentioned in reporting include the mutexes \BaseNamedObjects\Brute_2022 and BaseNamedObjects\Win__Host; dropped paths such as C:\WINDOWS\8000 and C:\Windows\Logs\RunDllExe.dll; PAC-related registry changes under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL; Defender policy modification at HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware; and C2/IP infrastructure including down.ftp21[.]cc, lofter[.]com-hosted configuration retrieval, 8.217.152[.]225:80, eaxwwyr[.]cn, 49.204.200[.]100, and historical IPs such as 100.43.129[.]107, 98.126.19[.]178, 174.139.200[.]164, 174.139.200[.]165, 174.139.203[.]180, 100.43.185.34, 174.139.0.211, 107.151.158.196, 206.161.216.35, 207.226.136.14, 100.43.185.42, 174.139.194.82, and 205.209.141.84. Reported sample hashes include MD5 7e67216628d9a171be0ce18c51fda8ce and 84e2d574085c77f47e801f5326e83d73, among others.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

2 CVES

CVE-2015-3133Memory Corruption in Adobe Flash Player and AIR (CVE-2015-3133)Exploited in the wild

malicious JavaScript through compromised web sites or advertisements led to the EK that exploited Adobe Flash vulnerabilities CVE-2014-0569 or CVE-2015-3133. We confirmed that final payload in both cases was KRBanker.

via palo alto networks unit 42 blogunit42.paloaltonetworks.com

CVE-2014-0569Integer Overflow RCE in Adobe Flash Player and Adobe AIRExploited in the wild

via palo alto networks unit 42 blogunit42.paloaltonetworks.com

THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Silver Fox