KrBanker

Also known as: BlackMoon

ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques.

C2 Infrastructure

Hosting/VPS86%

Business14%

Last 7 days

Apr 13, 2026

C2 Hosts: 5

Apr 11, 2026

C2 Hosts: 1

Apr 10, 2026

C2 Hosts: 3

Apr 9, 2026

C2 Hosts: 2

Apr 8, 2026

C2 Hosts: 1

Daily C2 host counts for the last 7 days
Date	C2 Hosts
Apr 13, 2026	5
Apr 11, 2026	1
Apr 10, 2026	3
Apr 9, 2026	2
Apr 8, 2026	1

Further Reading

KRBanker Targets South Korea Through Adware and Exploit Kits

Unit 42 has been tracking KRBanker AKA 'Blackmoon', a campaign that targets banks of the Republic of Korea using adware and exploit kits.

researchcenter.paloaltonetworks.com

Analysis of BlackMoon (Banking Trojan)'s Evolution, And The Possibility of a Latest Version Under Development

Blog about computer security, malware and reverse engineering.

peppermalware.com

Old Blackmoon Trojan, NEW Monetization Approach | Rapid7 Blog

Rapid7 is tracking a new, more sophisticated and staged campaign using the Blackmoon trojan, which appears to have originated in November 2022.

Trojan banking 47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4

Two days ago I blogged about the approach I used to start analysing the malware, today I spent some more time on the target trying to get an idea of its behaviours. According to VirusTotal the file…

zairon.wordpress.com