Pandora RC
Pandora RC is described in the source as an open-source IT remote control software/installer observed as part of a broader intrusion toolkit. Check Point Research reported its use in 2025 intrusions assessed as GoldenSMTP activity, an evolution of the IndigoZebra APT targeting government organizations in Central Asia. In that reporting, GoldenSMTP intrusions used phishing with password-protected ZIP archives, DLL hijacking, and additional tooling including Pandora RC installer and the NPPSPY credential stealer, alongside an SMTP/IMAP implant communicating through attacker-controlled email accounts. Based on the provided content, Pandora RC functioned as a remote administration component within the intrusion chain. No specific standalone indicators of compromise for Pandora RC were provided in the content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Execution
1 technique
Execution
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Open-source remote control/administration software used as part of an intrusion toolkit to provide remote access.
Open-source remote control/IT administration software used as a supporting tool in the GoldenSMTP/IndigoZebra-related intrusion chain.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.