{
	"id": "441fb42b-d0e0-47d0-abcf-64d1fb379a35",
	"created_at": "2026-04-06T00:14:00.991046Z",
	"updated_at": "2026-04-10T03:35:52.909138Z",
	"deleted_at": null,
	"sha1_hash": "3ae217da242bfeec09138662eccb0ed1d79a60f2",
	"title": "FIN7 Recruits Talent For Push Into Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 109743,
	"plain_text": "FIN7 Recruits Talent For Push Into Ransomware\r\nPublished: 2021-10-21 · Archived: 2026-04-05 15:06:58 UTC\r\nThe intelligence in this report was gathered by a source who was recruited by “Bastion Secure”. Gemini\r\nAdvisory’s investigation and analysis of the source’s information has been ongoing for the past several months.\r\nAlthough sensitive information has been redacted from this report to protect the source, Gemini Advisory has\r\nprovided law enforcement with the complete set of unredacted information. In addition, our findings were reported\r\nto our clients earlier this month and have been corroborated by Microsoft’s presentation at Mandiant Cyber\r\nDefense Summit 2021.\r\nKey Findings\r\nThe cybercriminal group FIN7 has been responsible for large-scale card theft campaigns, resulting in the\r\nexposure of over 20 million payment card records, as well as ransomware attacks. Gemini has discovered\r\nthat FIN7 is now running a new fake company called “Bastion Secure”, replacing the previously reported\r\n“Combi Security”.\r\nBastion Secure offered a job offer to a Gemini source and, in the process, provided the source with files\r\nthat analysts later determined were for the post-exploitation tools Carbanak and Lizar/Tirion. These two\r\ntools have been previously attributed to FIN7 and establish the link between Bastion Secure and FIN7.\r\nThe tasks that were assigned to the Gemini source by FIN7—operating under the guise of Bastion Secure\r\n—matched the steps taken to prepare a ransomware attack, providing further evidence that FIN7 has\r\ncontinued to expand into the ransomware sphere.\r\nFIN7 can pay unwitting “employees” far less than it would have to pay informed criminal accomplices for\r\nits ransomware schemes. 
However, FIN7’s greed also afforded Gemini a view into the proprietary data of\r\nthis prolific threat team, leading to the exposure of another fake FIN7 company.\r\nBackground\r\nThe cybercriminal group FIN7 gained notoriety in the mid-2010s for large-scale malware campaigns targeting\r\npoint-of-sale (POS) systems. In 2018, Gemini Advisory reported FIN7’s compromise of Saks Fifth Avenue and\r\nLord \u0026 Taylor stores and the subsequent sale of over 5 million payment cards on the dark web. According to the\r\nUS Department of Justice, the broader FIN7 carding campaigns have resulted in the theft of over 20 million\r\npayment card records and cost victims over $1 billion, making FIN7 one of the most infamous and prolific\r\ncybercriminal groups of the last decade. Now with ransomware proving to be cybercriminals’ preferred high-profit, jackpot venture, FIN7 has redeployed its expertise and capacity towards ransomware, with reports\r\nindicating that the group was involved in attempted ransomware attacks on US companies as early as 2020.\r\nFurthermore, despite focus from law enforcement and the arrest of four FIN7 members from 2018 to 2020, FIN7’s\r\ncontinued activity shows that the group remains a powerful, active threat.\r\nIn 2018, the US Department of Justice revealed that FIN7 was posing as “Combi Security”, a fake cybersecurity\r\ncompany, to involve unaware IT specialists in their carding campaigns. 
While the public focus on Combi Security\r\nhttps://geminiadvisory.io/fin7-ransomware-bastion-secure/\r\nPage 1 of 11\n\nshut down that operation, Gemini has now discovered that FIN7 is using a new fake cybersecurity company\r\nnamed “Bastion Secure” to lure unaware IT specialists into supporting its continued expansion into ransomware.\r\nOver the course of FIN7’s existence, cybersecurity firms have referred to FIN7 by several names—including\r\nCarbanak, Carbon Spider, Anunak, Cobalt Gang, and Navigator Group—with some practitioners choosing to\r\nsubdivide the FIN7 designation according to the target type. While overlapping but different groups of individuals\r\nhave likely conducted malicious activity attributed to these threat groups, the unifying thread connecting the attack\r\nsignatures to FIN7 has been the use of the malware Carbanak.\r\nAnalysis\r\nA Gemini source was offered a position as an IT specialist at “Bastion Secure Ltd”, a cybersecurity “company”\r\nseeking C++, Python, and PHP programmers, system administrators, and reverse engineers. A basic search for this\r\ncompany returns a legitimate-appearing website (www[.]bastionsecure[.]com), but analysis revealed that it is a\r\nfictitious cybersecurity company run by a cybercriminal group. During the interview process, the source was\r\ngiven several tools for test assignments that the source would use if employed. \r\nGemini Advisory worked jointly with the Recorded Future Insikt Group to analyze the tools provided by Bastion\r\nSecure and determined that they are actually components of the post-exploitation toolkits Carbanak and\r\nLizar/Tirion, both of which have been previously attributed to the FIN7 group and can be used for both POS\r\nsystem infections and ransomware attacks.\r\nPrior to 2020, FIN7’s primary modus operandi was to compromise companies’ networks and infect POS systems\r\nwith credit card-stealing malware. 
Since 2020, cybersecurity researchers have identified instances in which FIN7\r\ngained access to company networks that were later infected with either REvil or Ryuk ransomware. FIN7’s exact\r\ninvolvement in the deployment of ransomware—i.e., whether they sold the access to ransomware groups or have\r\nformed a partnership with these groups—remains unclear. However, the tasks that were assigned to the Gemini\r\nsource by FIN7 (operating under the guise of Bastion Secure) matched the steps taken to prepare a ransomware\r\nattack, providing further evidence that FIN7 has expanded into the ransomware sphere.\r\nFurthermore, due to Bastion Secure’s use of Carbanak and Lizar/Tirion and FIN7’s established practice of using\r\nfake cybersecurity companies to recruit talent, Gemini assesses with high confidence that FIN7 is using the\r\nfictitious company Bastion Secure to recruit unwitting IT specialists into participating in ransomware attacks.\r\nImage 1: Bastion Secure posts a job offer for a Windows Network Administrator on the Russian job site\r\nsuperjob.ru.\r\nMore broadly, FIN7’s decision to use a fake cybersecurity company to recruit IT specialists for its criminal\r\nactivity is driven by FIN7’s desire for comparatively cheap, skilled labor. Bastion Secure’s job offers for IT\r\nspecialist positions ranged between $800 and $1,200 USD a month, which is a viable starting salary for this type\r\nof position in post-Soviet states. However, this “salary” would be a small fraction of a cybercriminal’s portion of\r\nthe criminal profits from a successful ransomware extortion or large-scale payment card-stealing operation. 
In\r\neffect, FIN7’s fake company scheme enables the operators of FIN7 to obtain the talent that the group needs to\r\ncarry out its criminal activities, while simultaneously retaining a larger share of the profits.\r\nFIN7’s use of Bastion Secure—even after the discovery of Combi Security, the group’s previous fake\r\ncybersecurity company—indicates that FIN7 continues to believe that hiring unwitting IT specialists is the group’s\r\nbest method for balancing the need for a technically skilled team against the operators’ desire for maximum\r\nprofits.\r\nBastion Secure\r\nWith FIN7’s latest fake company, Bastion Secure, the criminal group leveraged true, publicly available\r\ninformation from various legitimate cybersecurity companies to create a thin veil of legitimacy around Bastion\r\nSecure. In effect, FIN7 is adopting disinformation tactics so that if a potential hire or interested party were to fact\r\ncheck Bastion Secure, then a cursory search on Google would return “true” information for companies with a\r\nsimilar name or industry to FIN7’s Bastion Secure.\r\nFIN7’s first step in obtaining a veil of legitimacy was to give their fake company the generic name “Bastion\r\nSecure”, which appears similar to several unrelated security-adjacent companies with highly ranked Google search\r\nresults:\r\nBastion Security Products Ltd: a US physical security company that was recently acquired by\r\nECAMSECURE\r\nBastion Security Group: a US physical security consulting company\r\nSecond, Bastion Secure listed the company’s office addresses as:\r\n16e Follingsby Ave, Gateshead, United Kingdom (former address of the since-closed Bastion Security\r\n(North) Limited)\r\n94 Yigal Alon St. 
Tower 1, Tel Aviv, Israel (office building containing multiple businesses, including the\r\nvehicle security company Cymotive)\r\nImperia Tower, 12 Presnenskaya Embankment, Moscow, 123100 Russia (office building containing\r\nmultiple businesses). Gemini contacted the Imperia Tower building administrators, who confirmed that\r\nthere is no company named Bastion Secure with office space at the building.\r\nFortis Tower, 77-79 Gloucester Rd, Wan Chai, Hong Kong (office building containing multiple businesses).\r\nFortis Tower building administrators did not respond to Gemini’s inquiries; however, public records in the\r\nHong Kong government’s “Companies Registry’s Cyber Search Centre” revealed that there is no registered\r\ncompany named “Bastion Secure” operating in Hong Kong.\r\nFurthermore, the Bastion Secure website itself also appears legitimate at first glance; however, a deeper analysis\r\nrevealed that the website is largely a copy of the website of Convergent Network Solutions Ltd., a legitimate\r\ncybersecurity company. Additionally, the Bastion Secure website is hosted by the Russian hosting provider and domain registrar Beget,\r\nwhich cybercriminals commonly use.\r\nImages 2-3: The website of Bastion Secure (left) is a copy of the website of Convergent Network Solutions Ltd.\r\n(right), a legitimate cybersecurity company.\r\nImages 4-5: The Bastion Secure website (left) lists @CNS_Security as its Twitter account, matching the Twitter\r\naccount listed on CNS’ website (right). Additionally, the page description sentence includes text directly from the\r\nCNS website.\r\nAn initial analysis of the Bastion Secure website revealed that most of the submenus of the site return a Russian-language HTTP 404 error, indicating that the site creators were Russian speakers. 
Since the initial analysis by\r\nGemini, most of the website’s submenus have been fixed with appropriate pages; however, a deeper analysis\r\nrevealed that some of the HTTP 404 errors remain unfixed.\r\nImage 6: Some Bastion Secure pages display a 404 error in Russian, indicating that the site designers are Russian\r\nspeakers.\r\nAs shown in the image below, an analysis of the page’s source code reveals the remnants of the CNS site: the code\r\non Bastion Secure still lists the same phone number that is listed prominently on the CNS homepage.\r\nImage 7: The source code under certain pages has been lifted directly from Convergent Network Solutions Ltd’s\r\nwebsite.\r\nTo recruit IT specialists, Bastion Secure posts legitimate-appearing job offers on both their website and prominent\r\njob search sites in post-Soviet states, as well as providing reputable-looking contacts to potential hires for\r\nadditional credibility. In the past several months, Bastion Secure has posted job offerings for system\r\nadministrators on job search sites and added new vacancies for PHP, Python, and C++ programmers and reverse\r\nengineers on their website. On these job sites, Bastion Secure provides sufficiently professional information to\r\nappear legitimate and includes purported office information and a phone number (+7 499-642-3420). 
The list of\r\nlegitimate Russian and Ukrainian job sites where Bastion Secure has a presence and has advertised job postings\r\nincludes:\r\nhttps://www.superjob.ru/vakansii/administrator-windows-setej-36641469.html\r\nhttps://ua.joblum.com/company/bastion-secure-ltd\r\nhttps://ua.jubee.org/ru/company/bastion-secure-ltd\r\nhttps://rabota.ua/company10418701\r\nhttps://jobs.ua/company-bastion-secure-ltd-1603731\r\nhttps://moscow.cataloxy.ru/firms/bastionsecure.com.htm – 74996423420\r\nhttps://remoteworkukraine.com/ua/company/ua-bastion-secure/\r\nImage 8: Bastion Secure’s company page on zoon.ru, a business development site serving Russian companies, job\r\nseekers, and consumers. \r\nFIN7—operating under the guise of Bastion Secure—is looking for programmers (PHP, C++, Python), system\r\nadministrators, and reverse engineers in order to build a “staff” capable of conducting the tasks necessary for\r\nundertaking a range of cybercriminal activity. Given FIN7’s increased interest in ransomware, Bastion Secure is\r\nlikely specifically looking for system administrators because an individual with this skill set would be able to:\r\nMap out compromised companies’ systems\r\nIdentify users and devices within the systems\r\nLocate backup servers and files\r\nIn order for the system administrator to map out a victim’s system, FIN7 would need to first provide the individual\r\nwith access to the system. FIN7 operators could obtain the initial access through their well-documented phishing\r\nand social engineering methods or by purchasing access on dark web forums from a large pool of vendors. Once\r\nthe system administrator mapped out the system and identified backups, FIN7 could then escalate to the next step\r\nin the malware and ransomware infection process. 
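The reconnaissance tasks listed above (mapping systems, identifying users and devices, locating backups), together with the third-stage assignment described later in this report (a script collecting domain administrators, domain trust relationships, file shares, backups and hypervisors), give defenders something concrete to hunt for: these lookups are individually common, but a burst of several of them from one workstation in a short window is rare. The following Python script is an added example written for this page, not code from Gemini Advisory and not part of the FIN7 toolkit. It classifies process command lines into those five reconnaissance categories and alerts when a host shows several distinct categories inside a sliding window. The log records, host and user names, the SID, the keyword lists and the 30-minute window are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance categories mirroring the assignment the report describes.
# The keyword lists are this example's assumption, not an official signature;
# extend them with the tooling actually seen in your environment.
RECON_CATEGORIES = {
    'domain_admins': ['domain admins', 'enterprise admins', 'get-adgroupmember', 'net group'],
    'trusts':        ['nltest', 'domain_trusts', 'get-adtrust', 'get-domaintrust'],
    'shares':        ['net view', 'net share', 'get-smbshare', 'invoke-sharefinder'],
    'backups':       ['vssadmin', 'wbadmin', 'veeam', 'backup'],
    'hypervisors':   ['get-vm', 'vmware', 'vcenter', 'hyper-v', 'esxi'],
}

WINDOW = timedelta(minutes=30)  # all categories must fall inside one window
MIN_CATEGORIES = 3              # distinct categories needed to raise an alert

# Constructed process-creation records (timestamp|host|user|command line).
# WS-FIN-07 shows the full reconnaissance sequence; WS-HR-02 shows isolated
# lookups, a day apart, that should not alert on their own.
SAMPLE_LOG = [
    '2021-10-05T09:00:12|WS-FIN-07|j.doe|powershell.exe -nop -c Get-ADGroupMember -Identity S-1-5-21-1004336348-1177238915-682003330-512',
    '2021-10-05T09:03:40|WS-FIN-07|j.doe|nltest /domain_trusts /all_trusts',
    '2021-10-05T09:05:02|WS-FIN-07|j.doe|net view /domain',
    '2021-10-05T09:11:55|WS-FIN-07|j.doe|powershell.exe -c Get-Service | findstr /i veeam',
    '2021-10-05T09:14:18|WS-FIN-07|j.doe|powershell.exe -c Get-VM -ComputerName HV01',
    '2021-10-05T09:20:00|WS-FIN-07|j.doe|notepad.exe notes.txt',
    '2021-10-04T08:00:00|WS-HR-02|a.smith|vssadmin list shadows',
    '2021-10-05T14:30:00|WS-HR-02|a.smith|net view /domain',
]

def classify(command_line):
    # Return the set of categories whose keywords occur in the command line.
    text = command_line.lower()
    return {cat for cat, needles in RECON_CATEGORIES.items()
            if any(needle in text for needle in needles)}

def parse_line(line):
    # Split on the first three pipes only, so pipes inside the command line survive.
    ts, host, user, cmd = line.split('|', 3)
    return datetime.fromisoformat(ts), host, user, cmd

def find_recon_bursts(lines, window=WINDOW, min_categories=MIN_CATEGORIES):
    # Collect categorised events per host, then slide a window along each host's
    # timeline and alert on the first window holding enough distinct categories.
    events = defaultdict(list)
    for line in lines:
        ts, host, user, cmd = parse_line(line)
        for cat in classify(cmd):
            events[host].append((ts, user, cat))
    alerts = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            cats = {e[2] for e in in_window}
            if len(cats) >= min_categories:
                alerts[host] = {
                    'first_seen': start.isoformat(),
                    'categories': sorted(cats),
                    'users': sorted({e[1] for e in in_window}),
                }
                break
    return alerts

if __name__ == '__main__':
    for host, alert in find_recon_bursts(SAMPLE_LOG).items():
        print(host, alert)
```

Run stand-alone it reports WS-FIN-07 with all five categories and leaves WS-HR-02 quiet. In practice the records would come from process-creation telemetry (Sysmon event ID 1, Windows 4688 with command-line auditing) or PowerShell script block logs, and the window and threshold should be tuned so that legitimate administrators running the same commands over a working day do not trip it.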
Gemini Advisory has previously written reports on how\r\nransomware teams operate and some of their TTPs.\r\nImages 9-11: Bastion Secure posts job vacancies for IT specialists on its website.\r\nFIN7’s Bastion Secure Reveals Criminality During Hiring Process\r\nA Gemini source made contact with a Bastion Secure “HR representative” on a job search site, leading to a hiring\r\nprocess in which Bastion Secure shared their business practices and access to several of their tools. Gemini\r\nanalyzed these tools to discover that they were in fact the post-exploitation tools Carbanak and Lizar/Tirion. As\r\nvarious security practitioners have already attributed these tools and ransomware attacks to the FIN7 group, the\r\nfact that Bastion Secure representatives provided the source with disguised versions of these attributable post-exploitation tools establishes a strong link between Bastion Secure and FIN7.\r\nFirst Stage: Interview Process\r\nThe first stage of the hiring process proceeded similarly to a legitimate job hiring process and gave no indication\r\nthat Bastion Secure was a fake company for a cybercriminal group. First, the HR representative from Bastion\r\nSecure communicated with the Gemini source and informed them that they had reviewed the source’s resume and\r\nwere interested in hiring them as an IT specialist.\r\nAfter the source indicated that they were interested in the position, the source conducted a typical first-stage\r\ninterview with the HR representative via messages on Telegram. Although many non-criminal individuals in post-Soviet states use Telegram as their preferred messaging app, it is not typical for initial professional\r\ncorrespondences to be conducted on Telegram. 
\r\nAfter completing the interviews, the source was informed that they would need to:\r\nComplete several test assignments before beginning on a probationary basis\r\nSign a contract and non-disclosure agreement\r\nConfigure their computer by installing several virtual machines and opening ports\r\nSecond Stage: Practice Assignments\r\nAt face value, the second stage of the hiring process did not give a clear indication that Bastion Secure is a\r\ncybercriminal operation. However, the actions taken later in the third stage clearly made the steps taken in the\r\nsecond stage highly suspicious. The source was instructed to install certain platforms and conduct a series of\r\npractice assignments that would be typical for the position. \r\nBastion Secure also informed the source that they were willing to train new hires in cybersecurity. When the\r\nsource indicated that they were interested in learning, the company sent them additional files that included tools\r\nthat could either be used for legitimate penetration testing or malicious activity. Although the tools provided to the\r\nsource were potentially unusual for the position, Bastion Secure prefaced it by proposing that they would train the\r\nsource to not only manage client’s systems but also secure them, lending credence to the use of these tools.\r\nThird Stage: “Real” Assignment Signals Criminal Intent\r\nIn the third stage, Bastion Secure gave the source their first “real” assignment, and it became immediately clear\r\nthat the company was involved in criminal activity. The fact that the Bastion Secure representatives were\r\nparticularly interested in file systems and backups signals that FIN7 was more interested in conducting\r\nransomware attacks than POS infections.\r\nFor the first assignment, Bastion Secure provided the Gemini source with a “client company” to work on. 
The task\r\nwould have been to use a script to collect information on domain administrators, domain trust relationships, file\r\nshares, backups, and hypervisors (the software responsible for creating and running virtual machines). At this\r\npoint, the source became highly suspicious of Bastion Secure’s activities, noting the following red flags from\r\nearlier in the hiring process:\r\nBastion Secure provided access to the company’s network without any legal documentation or explanation,\r\nsuggesting that the access may have been acquired through social engineering or purchased on the dark\r\nweb\r\nBastion Secure was only interested in file systems and backups\r\nThe company warned of a heavy fine if the source installed antivirus software on the virtual machine that\r\nthey were using\r\nThe employee was required to use specific tools to avoid detection\r\nBastion Secure software was purportedly licensed to “Checkpoint Software Inc”, which may have been an\r\nattempt to pass the software off as a product of the legitimate company Check Point Software\r\nTechnologies Ltd. Security researchers have previously reported that FIN7 has attempted to do this in the\r\npast as well.\r\nAttribution\r\nGemini analyzed the files that were sent to the source by Bastion Secure and found that the files contained\r\ncomponents for the post-exploitation tools Carbanak and Lizar/Tirion. Post-exploitation tools—which are part of\r\nany ransomware group’s toolkit—allow malicious actors to control infected computers after they have gained\r\ninitial access to the victim company’s network. Various security practitioners have previously attributed the use of\r\nCarbanak and Lizar/Tirion to FIN7. 
These two factors indicate that FIN7 operators are sharing a partially\r\ndisguised version of their toolkit with unwitting accomplices through the fake company Bastion Secure.\r\nThe files provided to the source by Bastion Secure included files for a software component titled “Command\r\nManager” that was, in fact, a disguised version of the client component of Carbanak (see image 12). Gemini\r\ndetermined this by analyzing the software’s functionality and concluded that it is an updated version of previously\r\nidentified versions of Carbanak. The main functions of the Carbanak command manager are collecting\r\ninformation about an infected computer and obtaining remote access to the infected computer.\r\nImage 12: Command Manager control panel, which is actually a disguised client component of Carbanak.\r\nThe files contained an obfuscated PowerShell script that ultimately launches the Lizar/Tirion injector and payload.\r\nThe primary function of the loader is to receive periodic commands from the C\u0026C server and execute the\r\ncommands on the infected computer. The commands executed by the loader on the infected computer are\r\n“modules” and the results are sent back to the C\u0026C server. 
These modules can be .dll, .exe, and .ps1 file types.\r\nImage 13: The malware operator uses the client to issue commands to the loader, which is located on the infected\r\nmachine.\r\nConclusion\r\nAlthough cybercriminals’ use of legitimate job sites to find unwitting accomplices is nothing new, the sheer scale\r\nand blatancy with which FIN7 operates continue to surpass the behavior shown by other cybercriminal groups.\r\nNot only is FIN7 looking for unwitting victims on legitimate job sites, but it is also attempting to obfuscate its true\r\nidentity as a prolific cybercriminal and ransomware group by creating a fabricated web presence through a largely\r\nlegitimate-appearing website, professional job postings, and company info pages on Russian-language business\r\ndevelopment sites.\r\nFIN7’s decision to hire unwitting accomplices, as opposed to finding willing accomplices on the dark web, is\r\nlikely due to greed. With willing accomplices, FIN7 would be forced to share a percentage of ransom payments\r\ntotaling millions of dollars, whereas unwitting “employees” would work for monthly salaries in the low\r\nthousands, which are commensurate with the labor markets in post-Soviet states. However, FIN7’s greed also\r\nafforded Gemini a view into the proprietary tools of this prolific threat team, as well as the exposure of another\r\nfake FIN7 company.\r\nCorrection (11/05/2021): The report incorrectly stated that a FIN7 system administrator was arrested in 2021.\r\nThe individual was arrested in 2018 and sentenced in 2021. Four FIN7 members were arrested between 2018 and\r\n2020.\r\nGemini Advisory Mission Statement\r\nGemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to\r\nmitigate ever-growing cyber risks. 
Our proprietary software utilizes asymmetrical solutions in order to help\r\nidentify and isolate assets targeted by fraudsters and online criminals in real-time.\r\nSource: https://geminiadvisory.io/fin7-ransomware-bastion-secure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://geminiadvisory.io/fin7-ransomware-bastion-secure/"
	],
	"report_names": [
		"fin7-ransomware-bastion-secure"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang ",
				"Cobalt Spider "
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434440,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ae217da242bfeec09138662eccb0ed1d79a60f2.pdf",
		"text": "https://archive.orkl.eu/3ae217da242bfeec09138662eccb0ed1d79a60f2.txt",
		"img": "https://archive.orkl.eu/3ae217da242bfeec09138662eccb0ed1d79a60f2.jpg"
	}
}