{
	"id": "c8661268-3eb4-4346-a85c-12e00abab5b7",
	"created_at": "2026-04-06T00:07:25.084473Z",
	"updated_at": "2026-04-10T03:35:53.021433Z",
	"deleted_at": null,
	"sha1_hash": "44bcbb4f0bb6ca3ca6a74be91d08b24172bf76b0",
	"title": "FIN7 Deploys Anubis Backdoor to Hijack Windows Systems via Compromised SharePoint Sites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 243181,
	"plain_text": "FIN7 Deploys Anubis Backdoor to Hijack Windows Systems via\r\nCompromised SharePoint Sites\r\nBy The Hacker News\r\nPublished: 2025-04-02 · Archived: 2026-04-05 21:49:53 UTC\r\nThe financially motivated threat actor known as FIN7 has been linked to a Python-based backdoor called Anubis\r\n(not to be confused with an Android banking trojan of the same name) that can grant them remote access to\r\ncompromised Windows systems.\r\n\"This malware allows attackers to execute remote shell commands and other system operations, giving them full\r\ncontrol over an infected machine,\" Swiss cybersecurity company PRODAFT said in a technical report of the\r\nmalware.\r\nFIN7, also called Carbon Spider, ELBRUS, Gold Niagara, Sangria Tempest, and Savage Ladybug, is a Russian\r\ncybercrime group known for its ever-evolving and expanding set of malware families for obtaining initial access\r\nand data exfiltration. In recent years, the threat actor is said to have transitioned to a ransomware affiliate.\r\nIn July 2024, the group was observed using various online aliases to advertise a tool called AuKill (aka\r\nAvNeutralizer) that's capable of terminating security tools in a likely attempt to diversify its monetization strategy.\r\nhttps://thehackernews.com/2025/04/fin7-deploys-anubis-backdoor-to-hijack.html\r\nPage 1 of 2\n\nAnubis is believed to be propagated via malspam campaigns that typically entice victims into executing the\r\npayload hosted on compromised SharePoint sites.\r\nDelivered in the form of a ZIP archive, the entry point of the infection is a Python script that's designed to decrypt\r\nand execute the main obfuscated payload directly in memory. 
Once launched, the backdoor establishes\r\ncommunications with a remote server over a TCP socket in Base64-encoded format.\r\nThe responses from the server, also Base64-encoded, allow it to gather the IP address of the host,\r\nupload/download files, change the current working directory, grab environment variables, alter Windows Registry,\r\nload DLL files into memory using PythonMemoryModule, and terminate itself.\r\nIn an independent analysis of Anubis, German security company GDATA said the backdoor also supports the\r\nability to run operator-provided responses as a shell command on the victim system.\r\n\"This enables attackers to perform actions such as keylogging, taking screenshots, or stealing passwords without\r\ndirectly storing these capabilities on the infected system,\" PRODAFT said. \"By keeping the backdoor as\r\nlightweight as possible, they reduce the risk of detection while maintaining flexibility for executing further\r\nmalicious activities.\"\r\nSource: https://thehackernews.com/2025/04/fin7-deploys-anubis-backdoor-to-hijack.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2025/04/fin7-deploys-anubis-backdoor-to-hijack.html"
	],
	"report_names": [
		"fin7-deploys-anubis-backdoor-to-hijack.html"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434045,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44bcbb4f0bb6ca3ca6a74be91d08b24172bf76b0.pdf",
		"text": "https://archive.orkl.eu/44bcbb4f0bb6ca3ca6a74be91d08b24172bf76b0.txt",
		"img": "https://archive.orkl.eu/44bcbb4f0bb6ca3ca6a74be91d08b24172bf76b0.jpg"
	}
}