{
	"id": "0ea6fbc7-27d4-47e5-9b02-d4ad08c1e160",
	"created_at": "2026-04-06T00:06:42.794963Z",
	"updated_at": "2026-04-10T03:31:13.740966Z",
	"deleted_at": null,
	"sha1_hash": "3c6c22aab55b909387363ed473b352a0d699d2b9",
	"title": "Odinaff Trojan attacks banks and more, monitoring networks and stealing credentials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1655843,
	"plain_text": "Odinaff Trojan attacks banks and more, monitoring networks and stealing credentials\r\nBy Danny Palmer\r\nPublished: 2016-10-11 · Archived: 2026-04-05 21:37:25 UTC\r\nCybercriminals are targeting banks in the UK and around the world with a new Trojan.\r\nA previously undocumented banking Trojan is targeting financial institutions across the globe and is being used by cybercriminals to spy on the networks of compromised organisations and stealthily defraud them of funds.\r\nThe Odinaff Trojan has been active since January this year, carrying out attacks against organisations operating in the banking, securities, trading, and payroll sectors, as well as those which provide support services to these industries.\r\nAccording to cybersecurity researchers at Symantec, the attackers use the Trojan alongside custom-built malware tools purpose-built for exploring compromised networks, stealing credentials, and monitoring and recording employee activity, in attacks which researchers say can be highly lucrative for hackers -- and which bear the hallmarks of the Carbanak financial Trojan.\r\nThose behind Odinaff are using a variety of techniques to break into the networks of targeted organisations: the most common method of gaining access is tricking employees into opening documents containing malicious macros.\r\nWhile macros are turned off by default in Microsoft Word, the recipient can opt to enable them -- which the malicious document encourages them to do -- at which point the Odinaff Trojan is installed on their system.\r\nOne way a user can avoid being infected in this way is simply to keep the default setting, which leaves macros disabled, and to decline any prompt in a document to enable them.\r\nOdinaff lures victims into enabling macros and allowing the Trojan to be installed.\r\nImage: Symantec\r\nAnother common technique involves password-protected .RAR archive files, which trick the victim into installing Odinaff. While cybersecurity researchers haven't been able to determine how these malicious documents and links are distributed by cybercriminals, it's believed spear-phishing is the main method of deployment.\r\nOdinaff is a sophisticated Trojan which is capable of taking screenshots of infected systems every five to 30 seconds and sending them back to a remote command-and-control server. The Trojan can also download and execute RC4 cipher keys and issue shell commands.\r\nOnce Odinaff has performed the initial compromise of the infected machine, a second piece of malware known as Batel is installed. This second stage is capable of running payloads solely in memory, effectively enabling it to run stealthily in the background.\r\nGiven the specialist nature of these attacks, Odinaff requires a large amount of manual intervention, with those involved carefully managing attacks and only downloading and installing new tools when required, suggesting that the group behind it is sophisticated and well resourced.\r\nIndeed, cybersecurity researchers suspect that Odinaff is in fact related to the Carbanak hacking group, which has stolen over one billion dollars from banks since first appearing in 2013. Researchers note that one of the IP addresses used by Odinaff has been mentioned in connection with the Oracle MICROS breach, an attack which saw the compromise of hundreds of point-of-sale devices.\r\nIn addition to this, three Odinaff command-and-control IP addresses have been connected to previous Carbanak campaigns, which saw banks in 30 countries targeted by criminal actors suspected to originate from Russia, Ukraine, Europe, and China.\r\nWhile many cyberattacks against banks are limited by region -- for example, the Zeus Trojan variant Panda specifically targeted Brazil in the run-up to the country hosting the Olympic Games -- the fact that Odinaff, like Carbanak, is targeting financial institutions across the entire globe could ultimately mean the two types of attack are related.\r\nBanks across the world have been attacked with this Trojan, but it's banks in the US that find themselves most targeted by Odinaff, followed by those in Hong Kong, Australia, and the UK.\r\nThe countries most targeted by Odinaff\r\nImage: Symantec\r\nThe Odinaff group is just the latest in a line of cybercriminal groups who've realized that while it's -- in theory -- much harder to infiltrate the networks of a bank, the potential payoff can be very, very lucrative. The GozNym banking Trojan and the data-stealing Qadars Trojan are other examples of how hackers are trying to break into banks.\r\nSource: https://www.zdnet.com/article/odinaff-trojan-attacks-banks-and-more-monitoring-networks-and-stealing-credentials/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/odinaff-trojan-attacks-banks-and-more-monitoring-networks-and-stealing-credentials/"
	],
	"report_names": [
		"odinaff-trojan-attacks-banks-and-more-monitoring-networks-and-stealing-credentials"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Silicon"
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b753c6a8-a83d-47bc-829d-45e56136eb7d",
			"created_at": "2023-01-06T13:46:38.97802Z",
			"updated_at": "2026-04-10T02:00:03.169611Z",
			"deleted_at": null,
			"main_name": "GozNym",
			"aliases": [],
			"source_name": "MISPGALAXY:GozNym",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Navigator",
				"Sangria Tempest",
				"TelePort Crew"
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434002,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c6c22aab55b909387363ed473b352a0d699d2b9.pdf",
		"text": "https://archive.orkl.eu/3c6c22aab55b909387363ed473b352a0d699d2b9.txt",
		"img": "https://archive.orkl.eu/3c6c22aab55b909387363ed473b352a0d699d2b9.jpg"
	}
}