{
	"id": "09d6c29b-57c6-4b95-9b1c-033922867912",
	"created_at": "2026-04-06T00:12:03.023906Z",
	"updated_at": "2026-04-10T03:35:52.963793Z",
	"deleted_at": null,
	"sha1_hash": "3d9466227e0af020d117e0fa6e53dad68738555b",
	"title": "Fileless Malware Campaigns Tied to Same Attacker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36801,
	"plain_text": "Fileless Malware Campaigns Tied to Same Attacker\r\nBy Michael Mimoso\r\nPublished: 2017-03-16 · Archived: 2026-04-02 11:38:29 UTC\r\nTwo recent fileless malware campaigns targeting financial institutions, government agencies and other enterprises have been linked to the same attack group.\r\nThe campaigns, disclosed by Kaspersky Lab and Cisco’s Talos research outfit in the last five weeks, made extensive use of fileless malware and known penetration testing tools and utilities to spy on organizations and move data and money off of networks.\r\nResearchers at Israeli security company Morphisec said today that in investigating a recent campaign, they discovered the framework used to deliver the DNS PowerShell Messenger attacks reported by Cisco and a similar attack uncovered by Kaspersky Lab that used Meterpreter and other known utilities against 140 banks worldwide.\r\nThe Meterpreter attacks, Kaspersky Lab said, could be connected to the GCMAN and Carbanak groups, which were responsible for $1 billion in thefts from financial institutions, according to a 2015 report. FireEye calls this group FIN7 and said it was targeting individuals involved in SEC filings.\r\nThe framework has since disappeared online following a brief interaction with the attacker and Morphisec researchers. Omri Dotan of Morphisec said the researchers attempted to build some trust with the attacker and tried to communicate in Russian before he disabled the command and control infrastructure and removed the framework.\r\n“There is a high level of probability that we have attributed a whole bunch of attacks across the globe to one actor and this platform,” Dotan said. “Through this [interaction] we had with them, they took it down and quite likely disrupted any ongoing attacks. Now they are going to have to rebuild it and do this stuff over from scratch.”\r\nMorphisec said in an analysis published today that on March 8 during an investigation into an attack against several high-profile enterprises, it found the framework used to deliver a number of variations of attacks, all of which leave no artifacts on the compromised machines. These artifacts either match, or are similar to, others used in the attacks described by Kaspersky and Cisco, they said.\r\nThe attacks begin with phishing emails targeting organizations using a Word document that is protected, which urges the user to enable the content. By doing so, the victim executes a macro embedded in the document that executes a PowerShell command using Windows Management Instrumentation, infrastructure used to automate tasks on remote machines.\r\nA PowerShell script called Updater.ps1 is enabled that opens a backdoor and grabs commands from the command and control server. It also lowers security restrictions around macros so that more macro-based documents can be sent and will execute without user interaction. Morphisec said it found additional scripts on the command and control server that execute Mimikatz, which is used to extract passwords and hashes from memory, LaZagne, an open source application used to retrieve credentials stored on a local hard drive, and DNS Messenger.\r\nDotan said Morphisec was on the command and control server for three days and was able to fingerprint a number of artifacts on the framework, encryption routines and IP addresses that led them to conclude the likely connection with other similar attacks.\r\n“At some point toward the end of our investigation the attacker contacted our people through the shellcode. We had a brief interaction where our folks tried to lure the hacker to reveal part of his identity,” Dotan said. “At some point, we tried to talk to them in Russian, but at that point, he asked for ‘English, please.’ He then started to shut down the command and control server and completely took down the platform.”\r\nDotan said that Morphisec has made all of the artifacts it recovered public but has shared them with Israel’s cybersecurity administration.\r\nSource: https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/"
	],
	"report_names": [
		"124369"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b185161-668f-4cac-b930-9482f9706848",
			"created_at": "2022-10-25T16:07:23.670892Z",
			"updated_at": "2026-04-10T02:00:04.706866Z",
			"deleted_at": null,
			"main_name": "GCMAN",
			"aliases": [
				"G0036"
			],
			"source_name": "ETDA:GCMAN",
			"tools": [
				"GCMAN",
				"Meterpreter",
				"VNC",
				"Virtual Network Computing"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1e408839-27ce-4f52-b7c6-d0a700e54027",
			"created_at": "2023-01-06T13:46:38.479274Z",
			"updated_at": "2026-04-10T02:00:02.991414Z",
			"deleted_at": null,
			"main_name": "GCMAN",
			"aliases": [
				"G0036"
			],
			"source_name": "MISPGALAXY:GCMAN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fc11deee-6db4-46a9-a3d5-c02bb960cc51",
			"created_at": "2022-10-25T15:50:23.277991Z",
			"updated_at": "2026-04-10T02:00:05.400194Z",
			"deleted_at": null,
			"main_name": "GCMAN",
			"aliases": [
				"GCMAN"
			],
			"source_name": "MITRE:GCMAN",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434323,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d9466227e0af020d117e0fa6e53dad68738555b.pdf",
		"text": "https://archive.orkl.eu/3d9466227e0af020d117e0fa6e53dad68738555b.txt",
		"img": "https://archive.orkl.eu/3d9466227e0af020d117e0fa6e53dad68738555b.jpg"
	}
}