Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

BlackMoon

63
Global rank
24 infographic chevron month
Month rank
29 infographic chevron week
Week rank
0
IOCs

BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods.

Trojan
Type
Unknown
Origin
1 February, 2014
First seen
11 February, 2025
Last seen
Also known as
KrBanker

How to analyze BlackMoon with ANY.RUN

Type
Unknown
Origin
1 February, 2014
First seen
11 February, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 53
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 559
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1430
comments 0

What is BlackMoon malware

BlackMoon (KRBanker) is one of the most sophisticated banking trojans, exploiting MitB attacks and web injections to steal financial data. Its stealthy evasion techniques, 2FA bypasses, and browser manipulation make it highly dangerous. Initially used in attacks targeting South Korea, it has since spread all over the world and threatens individuals and organizations in any region.

At the dawn of its “career" in 2015-2016, it employed a “pharming” technique to steal banking credentials. It redirected users to a fake website that imitated one of the banking sites and invited visitors to submit their payment data. The data is sent to C2 servers controlled by attackers, 2FA is bypassed by injecting fake OTP fields or session hijacking.

Beside luring information out of users, the malware generates fake alerts on banking websites prompting users to download a malicious security tool. BlackMoon employs a number of anti-detection and persistence mechanics. It injects itself into legitimate system processes, modifies Windows Registry, schedules tasks and startup entries. It also changes signatures to evade static detection, uses code obfuscation and targets specific banking URLs to minimize noise in network logs.

Blackmoon is detectable with threat intelligence tools by a number of indicators: associated domains, IPs, hashes, as well as known behavioral patterns. Network monitoring tools are triggered by outbound traffic to suspicious C2 servers, abnormal DNS queries, HTTP requests with suspicious headers related to web injections.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of BlackMoon malware

BlackMoon has some unique and some typical for malware of this type features that make it effective and hard to oppose.

  • Its infiltration methods of choice are phishing emails, social engineering, and malvertising as ways of delivering malicious attachments or links to fake banking login pages.
  • It also is distributed via malicious software disguised as legitimate banking or security tools.
  • It establishes itself in the system by modifying registry keys and injecting itself into legitimate system processes like explorer.exe.
  • It infiltrates into popular browsers and modifies banking login pages.
  • Fake login forms send users’ credentials to attackers’ C2 servers.
  • The information BlackMoon is aimed to steal includes online banking credentials (usernames, passwords), credit card details, personal identification information. It may gather them by logging keystrokes, capturing screenshots, and intercepting data entered into web forms.
  • KRBanker can provide attackers with remote access to the infected system to execute commands, upload additional malware, or exfiltrate data.
  • The measures of protection against BlackMoon must include proactive hunting for the malware indicators within the network using threat intelligence and forensic tools. Patch management, endpoint protection, multi-factor authentication, network segmentation must be employed.

The Execution process of BlackMoon

Within ANY.RUN's Interactive Sandbox, we can observe the malware's entire execution chain in a safe virtual environment.

BlackMoon malware in the ANY.RUN Sandbox KRBanker detonated in ANY.RUN’s Interactive Sandbox

BlackMoon malware employs a multi-stage execution chain specifically designed for financial theft, frequently targeting South Korean banking institutions. The infection process typically begins with a dropper file delivered through phishing campaigns or exploit kits that leverage browser vulnerabilities.

Once executed, this dropper retrieves additional components necessary for the BlackMoon Trojan’s full functionality. The malware’s operation is divided into three distinct stages. In the first stage, the Mini Downloader fetches a second component, which in turn initiates the next phase. The second stage uses the KRDownloader to complete the installation.

After successfully downloading its payload, KRDownloader executes it and then self-deletes to evade detection. The payload commonly includes credential theft features, often deploying man-in-the-browser techniques to intercept user credentials during interactions with banking websites. Once installed, BlackMoon persists on the system by modifying registry keys and, in some cases, altering the local Hosts file. These changes redirect users attempting to access legitimate banking sites to attacker-controlled phishing pages.

BlackMoon TTPs in the ANY.RUN Sandbox The tactics and techniques of Blackmoon mapped in the sandbox

The use of a Proxy Auto-Config (PAC) file further enhances stealth, allowing BlackMoon to intercept and manipulate web traffic without immediately arousing suspicion. Beyond credential theft and phishing, BlackMoon maintains communication with its command-and-control (C&C) servers to receive updates and instructions. It retrieves encoded configuration blocks from hardcoded URLs, dictating operational parameters and target websites. This communication channel is critical for retaining control over infected devices and adjusting to new targets or evasion methods.

Overall, BlackMoon’s carefully orchestrated, multi-stage downloader framework maximizes stealth and efficiency in delivering its malicious payload. This layered approach not only complicates analysis for security researchers but also enhances its effectiveness in compromising financial institutions and stealing sensitive user information.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Collect Threat Intelligence on BlackMoon Ransomware

Explore BlackMoon’s IOCs, IOBs and IOAs via ANY.RUN’s Threat Intelligence Lookup searches and collect data for setting up detection and response in your network.

BlackMoon in the ANY.RUN TI Lookup TI Lookup overview of a malicious file associated with Blackmoon attacks

Leverage TI feeds to track C2 infrastructure, malware hashes, keep a watch over evolving tactics of KRBanker via MITRE ATT&CK mappings. For example, we can use the following query filePath:"ZhuDongFangYu.exe" to find sandbox reports featuring the file named ZhuDongFangYu commonly used in BlackMoon attacks.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

BlackMoon malware distribution methods

KRBanker typically spreads through:

  • Drive-by Downloads: Users visiting compromised or malicious websites can get infected via exploit kits that use browser vulnerabilities.
  • Phishing Emails & Social Engineering: Victims receive malicious attachments or links leading to fake banking login pages.
  • Trojanized Software: Users install malware disguised as legitimate banking or security tools.

Conclusion

BlackMoon remains highly dangerous because it leads directly to financial losses through critical data theft. Its stealthy evasion techniques, 2FA bypasses, and browser manipulation also put it in the high-risk group. Using threat intelligence-driven detection and response, security teams can monitor IOCs, implement behavioral analytics, and harden authentication mechanisms to combat this evolving banking malware threat.

Sign up for ANY.RUN to analyze malware and phishing threats for free.

HAVE A LOOK AT

Raspberry Robin screenshot
Raspberry Robin
raspberryrobin
Raspberry Robin is a trojan that primarily spreads through infected USB drives and exploits legitimate Windows commands. This malware is known for its advanced obfuscation techniques, anti-debugging mechanisms, and ability to gain persistence on infected systems. Raspberry Robin often communicates with command-and-control servers over the TOR network and can download additional malicious payloads.
Read More
GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More
Orcus RAT screenshot
Orcus RAT
orcus rat trojan
Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.
Read More
PureCrypter screenshot
PureCrypter
purecrypter
First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.
Read More
DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Grandoreiro screenshot
Grandoreiro
grandoreiro
Grandoreiro is a Latin American banking trojan first observed in 2016. It targets mostly Spanish-speaking countries, such as Brazil, Spain, Mexico and Peru. This malware is operated as a Malware-as-a-Service (MaaS), which makes it easily accessible for cybercriminals. Besides, it uses advanced techniques to evade detection.
Read More