{
	"id": "94a179be-1f9a-41a7-935f-bf14021939b6",
	"created_at": "2026-04-06T00:09:27.932633Z",
	"updated_at": "2026-04-10T03:35:53.002505Z",
	"deleted_at": null,
	"sha1_hash": "32e5783381e5fe1fb21a4771d8277e29e1502f9c",
	"title": "Arrests Put New Focus on CARBON SPIDER Adversary Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 359584,
	"plain_text": "Arrests Put New Focus on CARBON SPIDER Adversary Group\r\nBy paul.moon\r\nArchived: 2026-04-05 13:18:41 UTC\r\nIn an indictment unsealed by the U.S. Department of Justice (DoJ) on Aug. 1, 2018, three Ukrainian nationals were charged with conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft. Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, are suspected of being key members of CARBON SPIDER’s point of sale (POS) subgroup. The arrests took place between January and June 2018 and coincided with a slowdown in CARBON SPIDER activity. The DoJ announcement also details the group’s use of a front company, named Combi Security, to recruit developers and intrusion specialists for its operations. Given that other members of this subgroup remain at large, the group’s tactics, techniques and procedures (TTPs) may change, but its activity will likely continue. CARBON SPIDER, more widely known as the Carbanak group, is a long-standing criminal enterprise responsible for compromising banks to transfer funds to mule accounts, performing ATM jackpotting attacks, and conducting mass compromise of debit and credit cards from POS terminals in large enterprises. They have been active in some form since at least 2013. During that time, the group has focused on the banking, financial, media, technology, hospitality, and food and beverage verticals, using targeted campaigns to reach their objectives.\r\nUntangling the CARBON SPIDER Web\r\nThe structure of CARBON SPIDER is very complex and was initially suspected to be a single group, based on their use of several custom tools and specific TTPs. However, further research into the structure indicates that there are several clusters of activity, likely made up of subgroups serving different missions, potentially with access to a shared development environment and pool of resources. 
A complex structure such as this is difficult to manage and speaks to the sophistication of the actor. This blog aims to examine CARBON SPIDER over time and attempts to describe their changing relationships within the eCrime ecosystem.\r\nCustom Tools\r\nCARBON SPIDER has leveraged many custom tools since it began activity in 2013, including its primary implant Sekur (a.k.a. Anunak). These include the following:\r\nSekur\r\nName: Sekur\r\nAliases: Anunak and Carbanak RAT\r\nFirst Seen: February 2014 (based on compile time)\r\nLast Seen: November 2017 (based on compile time)\r\nPurpose: Primary remote access toolkit (RAT) for monitoring victim systems of interest\r\nType: Microsoft Windows executable\r\nExample Hash: f70cef297efe9ec0abea369b3c1235f14220a6165b48f6e8aa054296078122c8\r\nFalcon EPP protection: Machine learning: Cloud-based, on-sensor; Indicators of attack (IOAs): Suspicious activity\r\nMITRE ATT\u0026CK™ technique analysis from Hybrid Analysis\r\nhttps://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/\r\nPage 1 of 9\r\nSekur has been CARBON SPIDER’s primary tool for several years, although usage over the last year appears to have declined. It contains all the functionality you would expect from a RAT, allowing the adversary to execute commands, manage the file system, manage processes, and collect data. In addition, it can record videos of victim sessions, log keystrokes, enable remote desktop, or install Ammyy Admin or VNC modules. 
From July 2014 on, samples were compiled with the capability to target Epicor POS systems and to collect credit card data.\r\nAgent ORM\r\nName: Agent ORM\r\nAliases: Toshliph and DRIFTPIN\r\nFirst Seen: June 2015 (based on compile time)\r\nLast Seen: May 2016 (based on compile time)\r\nPurpose: First-stage information collection and downloading next-stage payloads\r\nType: Microsoft Windows executable\r\nExample Hash: 36937e5e744873b3646c9d345e8cf50fb969029dc77525acfe63d5a9d28b73f2\r\nFalcon EPP protection: Machine learning: Cloud-based, on-sensor; IOAs: Suspicious activity\r\nMITRE ATT\u0026CK™ technique analysis from Hybrid Analysis\r\nAgent ORM began circulating alongside Sekur in campaigns throughout the second half of 2015. The malware collects basic system information and is able to take screenshots of victim systems. It is used to download next-stage payloads when systems of interest are identified. It is strongly suspected that Agent ORM has been deprecated in favor of script-based first-stage implants (VB Flash, JS Flash, and Bateleur).\r\nVB Flash\r\nName: VB Flash\r\nAliases: HALFBAKED\r\nFirst Seen: September 2015 (based on observed distribution)\r\nLast Seen: May 2017 (based on observed distribution)\r\nPurpose: First-stage information collection and downloading next-stage payloads\r\nType: VBScript\r\nExample Hash: a7a927bd44040817ae39e15aeb3f0b69ca943d4ce5b00d12eed6fae5b1c325d0\r\nFalcon EPP protection: IOAs: Attacker methodology; Suspicious activity\r\nVB Flash was first observed being deployed alongside Agent ORM in September 2015. It is likely that it was developed as a replacement for Agent ORM and contained similar capabilities. The first observed instance of VB Flash included comments and was easy to analyze; later versions soon began to integrate multiple layers of obfuscation. 
Several versions of VB Flash were developed, including ones that used Google Forms, Google macro scripts, and Google Spreadsheets together as a command-and-control (C2) channel. This variant would POST victim data to a specified Google Form, then make a request to a Google macro script, receiving the address of a Google Spreadsheet from which to request commands.\r\nJS Flash\r\nName: JS Flash\r\nAliases: JavaScript variant of HALFBAKED\r\nFirst Seen: May 2017 (based on observed distribution)\r\nLast Seen: November 2017 (based on observed distribution)\r\nPurpose: First-stage information collection and downloading next-stage payloads\r\nType: JavaScript\r\nExample Hash: ffebcc4d2e851baecd89bf11103e3c9de86f428fdeaf0f8b33d9ea6f5ef56685\r\nFalcon EPP protection: IOAs: Attacker methodology; Suspicious activity\r\nJS Flash capabilities closely resemble those of VB Flash, and its deployment leveraged an interesting technique: batch scripts embedded as OLE objects in malicious documents. Many iterations of JS Flash were observed being tested before deployment, containing minor changes to obfuscation as well as more complex additions, such as the ability to download TinyMet (a cut-down version of the Metasploit Meterpreter payload). PowerShell was also used heavily for the execution of commands and arbitrary script execution. 
No JS Flash samples were observed being deployed after November 2017.\r\nBateleur\r\nName: Bateleur\r\nAliases: N/A\r\nFirst Seen: June 2017 (based on observed distribution)\r\nLast Seen: April 2018 (based on observed distribution)\r\nPurpose: First-stage information collection and downloading next-stage payloads\r\nType: JavaScript\r\nExample Hash: da70df51aa80414fcba9bf7322e44e8ea5ed6a3725f342cd05c733376c6f2121\r\nFalcon EPP protection: IOAs: Malicious document; Establishing persistence\r\nMITRE ATT\u0026CK™ technique analysis from Hybrid Analysis\r\nBateleur deployments began not long after JS Flash and were also written in JavaScript. Deployments were more infrequent, and testing was not observed. It is likely that Bateleur was run in parallel as an alternative tool and eventually replaced JS Flash as CARBON SPIDER’s first-stage tool of choice. Although much simpler in design than JS Flash, executing entirely from a single script with more basic obfuscation, Bateleur has a wealth of capabilities, including the ability to download arbitrary scripts and executables, deploy TinyMet, execute commands via PowerShell, deploy a credential stealer, and collect victim system information such as screenshots.\r\nClusters of Activity\r\nBased on the use of these tools, it is possible to group CARBON SPIDER activity into several clusters. These clusters may represent different groups with a common tool supply chain, or isolated campaigns from the same group, using separate individuals to carry out attacks with a different focus.\r\nPoint of Sale (POS) Targeting\r\nTarget Region: Primarily U.S. and Western Europe\r\nTarget Sector: Enterprises that process many card transactions (in particular casinos, hotels, and restaurant chains)\r\nActive From: At least mid-2015\r\nActive To: Current\r\nThe POS cluster is the most prolific associated with the CARBON SPIDER actor and is also known as FIN7. This cluster has used all the custom tools described, with VB Flash, JS Flash, and Bateleur unique to it. Over time, it has used targeted spear-phishing emails to deploy malicious documents that initially used exploits; more recently, it has used macros and OLE embedded objects. The primary method of cash out for this group is the acquisition and sale of credit and debit card dumps from POS devices. Many of the stolen cards are sold in batches on the eCrime marketplace Joker’s Stash.\r\nTargeting of Russian Financial Institutions\r\nTarget Region: Russia\r\nTarget Sector: Financial and banking\r\nActive From: Late 2013\r\nActive To: Early 2015\r\nThis cluster can also be described as the original Carbanak group. It is suspected that they stole large sums of money using several cash out methods against Russian banks, at which point the group may have diverged. It is likely that they developed the primary CARBON SPIDER implant Sekur and were, at the point of being operational, probably the only users of it.\r\nTargeting of Middle Eastern Financial Institutions\r\nTarget Region: Middle East and South Asia\r\nTarget Sector: Financial and banking\r\nActive From: October 2014\r\nActive To: Activity reported up to at least early 2016\r\nAlthough the targeting profile is the same as the Russian banking cluster, the TTPs are very different. In particular, the use of tooling stands out from other clusters of CARBON SPIDER activity. 
As with other clusters, the primary infection vector is targeted spear-phishing emails that use exploits for a variety of vulnerabilities in Microsoft Office:\r\nCVE-2015-2545\r\nCVE-2014-4114\r\nCVE-2015-1770\r\nCVE-2015-1641\r\nA custom .NET first-stage payload is deployed that in some cases deploys Agent ORM or Sekur, but is also used to deploy NetWire. Instances of DarkComet and Morphine RAT use some custom .NET downloader servers as their C2. One possibility is that CARBON SPIDER outsourced deployment of their malware for this campaign. An alternative theory is that this is a separate group also using CARBON SPIDER tools. Little is reported publicly about the success of this cluster of activity, and no cash out methods are known.\r\nTargeting of Eastern European Financial Institutions\r\nTarget Region: Ukraine and Eastern Europe\r\nTarget Sector: Likely financial and banking\r\nActive From: Mid-2015\r\nActive To: Last known activity in late 2015\r\nThe Eastern European banking cluster is based on a single campaign using a strategic web compromise of an Italian bank in Ukraine to deploy instances of Agent ORM to likely Ukrainian targets. It is likely that this cluster links to one of the other clusters of Sekur activity, possibly the unattributed activity discussed below. However, no follow-on actions have been observed past Agent ORM deployment.\r\nUnattributed\r\nTarget Region: Where known, appears to be Ukraine\r\nTarget Sector: Not known in most cases (one case focused on news and media organizations)\r\nActive From: May 2015\r\nActive To: At least January 2017\r\nThe unattributed activity is based on a cluster of Sekur activity that runs in parallel with the POS cluster of activity, but does not exhibit the same TTPs (with differences in Sekur configuration, campaigns, and infrastructure selection). 
Many of these samples were submitted from Ukraine; additionally, one of them was deployed using a malicious document with a decoy that suggests Ukrainian news and media targeting. It is possible that this activity relates to the Eastern European bank cluster of Agent ORM activity; yet without further evidence of follow-on activity, it is not possible to determine this cluster’s actions on objectives.\r\nTimeline\r\nBelow is a timeline showing the activity of each of the five clusters of CARBON SPIDER activity:\r\nThe timeline shows that several of these clusters of activity started just after public reporting of the group (around mid-2015) and that the divergence in activity may have been the result of this exposure. It also highlights that CARBON SPIDER now likely operates multiple parallel missions focusing on different regions and sectors.\r\nLinks to Other Targeted eCrime Groups\r\nBeyond the described clusters of CARBON SPIDER activity based around their custom tools, there are also interesting links to other tracked, targeted eCrime activity. This includes the group dubbed RATPAK SPIDER (also known as Buhtrap) that targets Russian and Ukrainian financial institutions, a group dubbed Odinaff targeting SWIFT systems, particularly in Eastern Europe, and the group COBALT SPIDER (also known as Cobalt) that, again, specializes in targeting Russian banks.\r\nRATPAK SPIDER\r\nOperation Buhtrap had a similar target scope (Russian financial) to the first cluster of CARBON SPIDER activity. Although these have always been tracked as separate groups, there is a technical link between payload deployments. A custom macro dropper that encoded the payload using VBScript notation, and contained the strings “After OnTime” and “FUCK AV,” was observed in only 19 unique samples across CrowdStrike sample stores. 
One of the payloads was an instance of Agent ORM used to target casinos; a second payload also used by CARBON SPIDER was an instance of Sekur. The other six unique payloads observed being deployed using this custom macro dropper were instances of the Nullsoft Scriptable Install System (NSIS) downloader attributed to the Buhtrap group. Initially, this led to tracking both threats as CARBON SPIDER. Although it now appears that Buhtrap is likely a separate entity, the use of this shared deployment mechanism, unique to these two groups, suggests a common supply chain or developer and a closer working relationship, especially given some similarities in target scope.\r\nOdinaff\r\nA SWIFT compromise targeting a Ukrainian bank was observed in mid-2016 and was unattributed at the time. Based on similar TTPs, it was hypothesised that this could be CARBON SPIDER activity; however, although common off-the-shelf tools (such as Meterpreter and Cobalt Strike) were used, the custom CARBON SPIDER arsenal was not present. Later, this group was reported in open source as Odinaff. In addition to similar TTPs, there appeared to be some infrastructure overlap with two IP addresses. One Odinaff C2 was also reported to have been in previous use as a Sekur plugin server. A second IP was also reported to have been used by CARBON SPIDER in a previous campaign. Again, this may just be a shared hosting provider, but the TTP similarity makes this infrastructure overlap more noteworthy.\r\nCOBALT SPIDER\r\nThe Cobalt group, tracked by CrowdStrike Intelligence as COBALT SPIDER, bears many similarities in the targeting of banks to the Russian cluster of CARBON SPIDER activity. Both groups also use Cobalt Strike and several other pen-testing tools in their operations; nevertheless, the two groups appear to be distinct outside of this. 
On March 26, 2018, an announcement was made that a Russian citizen identified by authorities as “Denis K.” had been arrested by the Spanish national police in Alicante, Spain. He was reportedly involved in early CARBON SPIDER targeting of Russian banks and is suspected of being one of the members of COBALT SPIDER. Although reports suggest that he may have been a leader of COBALT SPIDER, activity has continued from this group, suggesting his role was not a key one within the organization. This suggests a link between the two groups between 2013 and, likely, 2015. This is around the time that the dominant focus for CARBON SPIDER became targeting the POS systems of Western enterprises. It is possible that at least one individual left CARBON SPIDER and either joined forces with or created COBALT SPIDER.\r\nSummary\r\nCARBON SPIDER is the pioneer of targeted eCrime activity, with some of the largest publicly attributed successes. Their level of sophistication across the clusters of activity makes them a key player in the eCrime ecosystem. Although there is not enough evidence to directly link CARBON SPIDER to other targeted criminal groups, it is assessed with high confidence (based on analysis of artifacts and infrastructure over time) that CARBON SPIDER shares resources with other notable criminal groups. There are two possible hypotheses as to how the clusters of CARBON SPIDER activity are linked. One theory is that they were originally one group that splintered into several with different focuses. Several of the splinter groups may have maintained access to their custom tools (e.g., Sekur), while others moved on to work with other actors (e.g., COBALT SPIDER). A second theory is that CARBON SPIDER operates as distinct groups with different focuses that report to a single management structure. Resources may be shared between the groups, but each has its own members. 
At this stage, the first theory appears to be the most likely. Based on recently observed tooling and operations, CARBON SPIDER appears to be focusing their efforts on the POS cluster of activity against the hospitality and restaurant sector, with no recently reported activity against banks. They also appear to be moving away from their custom tooling, with no Sekur samples compiled since November 2017 and fewer samples appearing in live operations.\r\nGoing forward, it is likely that CARBON SPIDER will continue operations to target sectors that give the best financial return for their efforts. For the short term, this will likely mean a continued focus on POS systems and the large enterprises that operate them. It is possible that they may return to target banks, but this would likely be on a small scale with very focused operations. CARBON SPIDER will likely move completely away from their old custom toolset, either developing new tools or using commodity off-the-shelf packages to achieve their objectives. This is even more assured given the arrests of three members of the most prolific CARBON SPIDER subgroup.\r\nAs CARBON SPIDER adversary groups retool and alter their TTPs, CrowdStrike will continue to track this adversary, leveraging CrowdStrike Falcon® Intelligence capabilities to combine endpoint protection, automation and malware analysis to prevent CARBON SPIDER from breaching our customer networks.\r\nTo learn more about how to incorporate intelligence on threat actors like CARBON SPIDER into your security strategy, please visit the Falcon Intelligence product page. 
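The Google Forms, macro script and Google Spreadsheet C2 chain described in the VB Flash section above, as an added example that is not part of the original post: a small Python detector that correlates proxy log entries per client and flags hosts that complete the form POST, the macro-script request and the spreadsheet fetch, in that order, within a short window. The log format, the sample log lines, and the hostnames and path patterns matched are constructed assumptions for illustration, not indicators taken from the post.

```python
# Added example (not from the CrowdStrike post): flag the three-step
# Google Form -> macro script -> Google Spreadsheet beaconing sequence
# that the VB Flash variant described above used as a C2 channel.
# The log format, hostnames, paths and sample lines are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines: ISO timestamp, client IP, method, URL.
SAMPLE_LOG = [
    '2017-03-02T09:14:03 10.1.4.23 POST https://docs.google.com/forms/d/e/1FAIpQLSe-example/formResponse',
    '2017-03-02T09:14:05 10.1.4.23 GET https://script.google.com/macros/s/AKfycb-example/exec?id=23',
    '2017-03-02T09:14:07 10.1.4.23 GET https://docs.google.com/spreadsheets/d/1aBcD-example/export?format=csv',
    '2017-03-02T09:20:11 10.1.4.57 POST https://docs.google.com/forms/d/e/1FAIpQLSe-survey/formResponse',
    '2017-03-02T09:31:40 10.1.4.57 GET https://www.google.com/',
    '2017-03-02T10:02:00 10.1.4.88 GET https://script.google.com/macros/s/AKfycb-other/exec',
]

# The stages of the chain, in the order the implant performs them.
STAGES = ('form', 'macro', 'sheet')

def classify(method, url):
    # Map one request to a chain stage, or None when it is not part of the chain.
    parts = urlsplit(url)
    host, path = parts.hostname or '', parts.path
    if host == 'docs.google.com' and method == 'POST' and path.endswith('/formResponse'):
        return 'form'
    if host == 'script.google.com' and path.startswith('/macros/s/'):
        return 'macro'
    if host == 'docs.google.com' and path.startswith('/spreadsheets/'):
        return 'sheet'
    return None

def parse_line(line):
    # Split a constructed log line into (timestamp, client, method, url).
    ts, client, method, url = line.split(' ', 3)
    return datetime.fromisoformat(ts), client, method, url

def find_c2_chains(lines, window=timedelta(minutes=10)):
    # Return the clients that complete form -> macro -> sheet, in order, within the window.
    progress = defaultdict(lambda: (0, None))   # client -> (next stage index, chain start time)
    hits = set()
    for line in sorted(lines):                  # ISO timestamps sort chronologically as strings
        ts, client, method, url = parse_line(line)
        stage = classify(method, url)
        if stage is None:
            continue                            # ordinary traffic, ignore
        idx, start = progress[client]
        if start is not None and ts - start > window:
            idx, start = 0, None                # partial chain expired, start over
        if stage == STAGES[idx]:
            start = start or ts
            idx += 1
            if idx == len(STAGES):
                hits.add(client)                # full sequence observed
                idx, start = 0, None
        elif stage == STAGES[0]:
            idx, start = 1, ts                  # a fresh form POST restarts the chain
        progress[client] = (idx, start)
    return sorted(hits)

if __name__ == '__main__':
    print(find_c2_chains(SAMPLE_LOG))           # ['10.1.4.23']
```

A single request to any of the three Google services is normal user traffic, so the detector keys on the ordered sequence per client and discards a partial chain once the window expires; a client that only submits a form (the second host in the sample) is not flagged.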
Source: https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
	],
	"report_names": [
		"arrests-put-new-focus-on-carbon-spider-adversary-group"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang ",
				"Cobalt Spider "
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "afd91a61-a617-4e58-ac82-929627f00786",
			"created_at": "2023-01-06T13:46:38.919251Z",
			"updated_at": "2026-04-10T02:00:03.145523Z",
			"deleted_at": null,
			"main_name": "RATPAK SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:RATPAK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434167,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32e5783381e5fe1fb21a4771d8277e29e1502f9c.pdf",
		"text": "https://archive.orkl.eu/32e5783381e5fe1fb21a4771d8277e29e1502f9c.txt",
		"img": "https://archive.orkl.eu/32e5783381e5fe1fb21a4771d8277e29e1502f9c.jpg"
	}
}