KrBanker
Also known as: BlackMoon
ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and has since adopted a variety of infection and credential-stealing techniques.
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| May 30, 2026 | 8 |
| May 29, 2026 | 8 |
| May 28, 2026 | 1 |
| May 24, 2026 | 1 |
Further Reading
Unit 42 has been tracking KRBanker AKA 'Blackmoon', a campaign that targets banks of the Republic of Korea using adware and exploit kits.
Blog about computer security, malware and reverse engineering.
Rapid7 is tracking a new, more sophisticated and staged campaign using the Blackmoon trojan, which appears to have originated in November 2022.
Two days ago I blogged about the approach I used to start analysing the malware, today I spent some more time on the target trying to get an idea of its behaviours. According to VirusTotal the file…