{
	"id": "d326bc37-1107-46dd-8515-ea04259e33f6",
	"created_at": "2026-04-06T00:12:14.70772Z",
	"updated_at": "2026-04-10T03:35:53.041632Z",
	"deleted_at": null,
	"sha1_hash": "1791883bc5093ded0c68a033964c0f659f749c02",
	"title": "Carbanak",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88950,
	"plain_text": "Carbanak\r\nBy Contributors to Wikimedia projects\r\nPublished: 2015-02-15 · Archived: 2026-04-05 12:55:46 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nCarbanak is an APT-style campaign targeting (but not limited to) financial institutions,[1] that was discovered in\r\n2014[2] by the Russian cyber security company Kaspersky Lab.\r\n[3]\r\n It utilizes malware that is introduced into\r\nsystems running Microsoft Windows[4] using phishing emails,[3][5] which is then used to steal money from banks\r\nvia macros in documents. The hacker group is said to have stolen over 900 million dollars from the banks as well\r\nas money from over a thousand private customers.[citation needed]\r\nThe criminals were able to manipulate their access to the respective banking networks in order to steal the money\r\nin a variety of ways. In some instances, ATMs were instructed to dispense cash without having to locally interact\r\nwith the terminal. Money mules, which were hired through the Moldavian mafia, would collect the money and\r\ntransfer it over the SWIFT network to the criminals’ accounts, Kaspersky said. The Carbanak group went so far as\r\nto alter databases and pump up balances on existing accounts and pocketing the difference unbeknownst to the\r\nuser whose original balance is still intact.[6][7]\r\nTheir intended targets were primarily in Russia, followed by the United States, Germany, China and Ukraine,\r\naccording to Kaspersky Lab. One bank lost $7.3 million when its ATMs were programmed to spew cash at certain\r\ntimes that henchmen would then collect, while a separate firm had $10 million taken via its online platform.\r\n[citation needed]\r\nKaspersky Lab is helping to assist in investigations and countermeasures that disrupt malware operations and\r\ncybercriminal activity. 
During the investigations they provide technical expertise such as analyzing infection\r\nvectors, malicious programs, supported command and control infrastructure and exploitation methods.[8]\r\nFireEye published research tracking further activities, referring to the group as FIN7, including an SEC-themed\r\nspear phishing campaign.[9] Proofpoint also published research linking the group to the Bateleur backdoor, and\r\nexpanded the list of targets to U.S.-based chain restaurants, hospitality organizations, retailers, merchant services,\r\nsuppliers and others beyond their initial financial services focus.[10]\r\nOn 26 October 2020, PRODAFT (Switzerland) started publishing internal details of the Fin7/Carbanak group and\r\ntools they use during their operation.[11] The published information is claimed to originate from a single OPSEC\r\nfailure on the threat actor's side.[12]\r\nOn March 26, 2018, Europol claimed to have arrested the \"mastermind\" of the Carbanak and associated Cobalt or\r\nCobalt Strike group in Alicante, Spain, in an investigation led by the Spanish National Police with the cooperation\r\nof law enforcement in multiple countries as well as private cybersecurity companies. 
The group's campaigns\r\nappear to have continued, however, with the Hudson's Bay Company breach using point of sale malware in 2018\r\nbeing attributed to the group.[13]\r\nSome controversy exists around the Carbanak attacks, as they were seemingly described several months earlier in\r\na report by the Internet security companies Group-IB (Singapore) and Fox-IT (The Netherlands) that dubbed the\r\nattack Anunak.[14] The Anunak report also shows a greatly reduced amount of financial losses and according to a\r\nstatement issued by Fox-IT after the release of The New York Times article, the compromise of banks outside\r\nRussia did not match their research.[15] Also in an interview conducted by Russian newspaper Kommersant the\r\ncontroversy between the claims of Kaspersky Lab and Group-IB comes to light where Group-IB claims no banks\r\noutside of Russia and Ukraine were hit, and the activity outside of that region was focused on Point of Sale\r\nsystems.[16]\r\nReuters issued a statement referencing a Private Industry Notification issued by the FBI and USSS (United States\r\nSecret Service) claiming they have not received any reports that Carbanak has affected the financial sector.[17]\r\nTwo representative groups of the US banking industry FS-ISAC and ABA (American Bankers Association) in an\r\ninterview with Bank Technology News say no US banks have been affected.[18]\r\n1. ^ Kaspersky Labs' Global Research \u0026 Analysis Team (GReAT) (February 16, 2015). \"The Great Bank\r\nRobbery: the Carbanak APT\". Securelist. Archived from the original on February 17, 2015.\r\n2. ^ \"Carbanak_APT Analysis\" (PDF). Kaspersky. Archived from the original (PDF) on 19 March 2017.\r\nRetrieved 12 June 2017.\r\n3. ^ David E. Sanger and Nicole Perlroth (14 February 2015). \"Bank Hackers Steal Millions\r\nvia Malware\". The New York Times.\r\n4. 
^ \"CARBANAK Week Part One: A Rare Occurrence\". FireEye. 2019.\r\n5. ^ Fingas, Jon (February 14, 2015). \"Subtle malware lets hackers swipe over $300 million from banks\".\r\nengadget. Archived from the original on February 15, 2015.\r\n6. ^ \"Carbanak Ring Steals $1 Billion from Banks\". Threatpost. 15 February 2015.\r\n7. ^ \"Carbanak – Darknet Diaries\". darknetdiaries.com. Retrieved 2025-01-11.\r\n8. ^ \"The Great Bank Robbery: the Carbanak APT\". Securelist. 16 February 2015.\r\n9. ^ \"FIN7 Evolution and the Phishing LNK\". FireEye.\r\n10. ^ \"FIN7/Carbanak threat actor unleashes Bateleur JScript backdoor | Proofpoint US\".\r\nwww.proofpoint.com. July 31, 2017.\r\n11. ^ \"OpBlueRaven: Unveiling Fin7/Carbanak - Part I : Tirion\". Prodaft.com.\r\n12. ^ \"OpBlueRaven: Unveiling Fin7/Carbanak - Part II : BadUSB Attacks\". PRODAFT.\r\n13. ^ Newman, Lily Hay. \"THE BILLION-DOLLAR HACKING GROUP BEHIND A STRING OF BIG\r\nBREACHES\". Wired.\r\n14. ^ \"Anunak APT against Financial institutions\" (PDF). Fox-IT. 22 December 2014. Archived from the\r\noriginal (PDF) on 22 March 2015. Retrieved 4 March 2015.\r\n15. ^ \"Anunak aka Carbanak update\". Fox-IT. 16 February 2015.\r\n16. ^ \"Group-IB and Kaspersky have conflicting views\". Kommersant. 23 February 2015.\r\n17. ^ \"FBI, Secret service, no signs of Carbanak\". Reuters. 18 February 2015. Archived from the original on\r\n24 September 2015. Retrieved 30 June 2017.\r\n18. ^ \"Carbanak overhyped, no US banks hit\". BankTechnologyNews. 19 February 2015.\r\nSource: https://en.wikipedia.org/wiki/Carbanak",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Carbanak"
	],
	"report_names": [
		"Carbanak"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434334,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1791883bc5093ded0c68a033964c0f659f749c02.pdf",
		"text": "https://archive.orkl.eu/1791883bc5093ded0c68a033964c0f659f749c02.txt",
		"img": "https://archive.orkl.eu/1791883bc5093ded0c68a033964c0f659f749c02.jpg"
	}
}