When researchers saw that a Zeus admin panel was infected, they initially believed fraudsters were sabotaging one another. But after digging further into the incident, they determined that a cybercriminal had unknowingly uploaded the admin panel from a personal computer infected with malware.

On Monday, Lior Ben-Porat of RSA FirstWatch, blogged about the case, writing that the Zeus Robot admin panel, called Zeus Panther, had an “unusual add-on” – more specifically, the well-known Ramnit worm.

“On further analysis, our researchers determined that this infection file is actually an instance dating from mid-2013 of a Ramnit worm, and one of the main functionalities of the worm is to add the VBS code to all HTML files found on the system,” Ben-Porat said, which could potentially allow outsiders to update and reconfigure the botnet control panel or identify an operator’s malware.