{
	"id": "b44a1c5d-5dd2-49de-ac5f-65954f16f19e",
	"created_at": "2026-04-06T00:08:32.612567Z",
	"updated_at": "2026-04-10T03:35:59.559004Z",
	"deleted_at": null,
	"sha1_hash": "5025978188903beb6aa3f34b919f4b72bdf573ab",
	"title": "Read Featured Research \u0026 Threat Intel Article by Adam Meyers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46836,
	"plain_text": "Read Featured Research \u0026 Threat Intel Article by Adam Meyers\r\nBy AdamM\r\nArchived: 2026-04-02 10:49:46 UTC\r\nAt our inception, CrowdStrike coined the phrase, “You don’t have a malware problem, you have an adversary\r\nproblem.” Behind every attack -- whether it is the most advanced nation state conducting espionage, opportunistic\r\ncriminal activity, or highly visible hacktivism -- are human actors. Those humans have preferences, patterns, and\r\nflaws. Intelligence analysts who study these actors can piece little parts of the story together to first categorize --\r\nand then ultimately understand -- the human actors behind these attacks. Models can help analysts organize their\r\nthoughts and observations into a transferable or communicable structure so that others may understand what they\r\nbelieve and why. In the cyber domain, military models such as the “kill chain” are often adopted to suit the\r\nanalyst's needs. At CrowdStrike, we thought long and hard about how various models might help us convey to our\r\ncustomers the behaviors and organization of eCrime actors. What we found was that these actors and their\r\ninterdependent relationships did not fit into an existing model. The eCrime actor’s operational profile differs\r\ngreatly from that of an espionage-focused targeted intrusion actor. Historically, the kill chain, derived from\r\nmilitary targeting models, has been applied to disrupt the activity of an adversary. Approaches such as F3EAD\r\n(Find, Fix, Finish, Exploit, Analyze, Disseminate) have been applied to disrupt the adversary’s kill chain in the\r\ncyber realm. The thought behind implementing this model is that an espionage actor generally operates in a closed\r\ncell: that is, they conduct their own reconnaissance, source or build their exploit, deliver/attack the target using\r\ndata from the reconnaissance phase, create a beachhead to maintain persistence, and execute their actions on\r\nobjectives. 
Disrupting the attacker at any link of this “chain” has consequences on the rest of the activities they\r\nmay attempt to accomplish. Ideally, finding the link in the chain that is hardest or most expensive to change will\r\ncreate a negative impact for the attacker, and they will need to retool or regroup before the next attack. In the\r\ncriminal domain, this is not necessarily true, as eCrime is a vast ecosystem of interconnected services and\r\nschemes. There are complex relationships between varied individuals and groups, whose primary goal is to\r\ngenerate revenue. A banking trojan may be designed and built by one group that intends to build a reliable and\r\nfeature-rich piece of software, and they may choose to monetize this via an affiliate model (partnerkas). With this\r\napproach, they don’t necessarily know or care how their customers use the tool, how they distribute it, or what\r\nthey do with the data they collect - only that they use the tool in accordance with their guidelines and pay them.\r\nThe developers of such a tool may be categorized differently than their customers, but the fact remains they must\r\nrely on various criminal underground elements to be successful. They generally will market their tool to potential\r\ncustomers, they likely will need some resilient infrastructure to host their service, and they will potentially need to\r\nuse monetization schemes to enjoy their revenue. The combination of what activities these actors engage in can be\r\norganized into a series of breadcrumbs to identify that actor. An eCrime actor’s profile is a cross section of the\r\nservices they offer, the services they utilize, crimes they engage in, means to monetize their activities, customers\r\nthat they support, how they market themselves and to whom, the victims that they target, and ultimately their\r\nidentity which they closely protect. 
Through the judicious investigation and analysis of these actors, CrowdStrike\r\nanalysts piece together these breadcrumbs into the profile of an eCrime actor. The relationships between these\r\nactors become a sort of social network, a graph database of sorts where different groups and individuals are\r\nnodes with overlapping edges where they conduct commerce with each other. As an example of this structure,\r\nCrowdStrike fully evaluated the CoreBot banking trojan malware and the people who maintain it, who we track as\r\nBOSON SPIDER. The adversary behind this threat, first identified in 2015, appears to be a tightly knit group\r\noperating out of Eastern Europe; it recently and inexplicably went dark in the spring of 2016. They have\r\nused a variety of distribution mechanisms such as the infamous (and now defunct) Angler exploit kit, and\r\nobfuscated JavaScript to reduce detection by antivirus solutions. In addition to outsourcing their\r\nexploitation/delivery, they used bulletproof hosting services such as Avalanche or Kol. Their key value proposition\r\nin the underground economy is providing a well-designed, man-in-the-middle browser hijacking trojan which can\r\nbe used to hijack sessions or steal banking credentials. This service is delivered through an affiliate model that\r\nallows the actor to resell their malware with custom configurations to suit the needs of the affiliate customer. In\r\none configuration, we observed the targeting of U.S. and Canadian banks, while in another smaller configuration,\r\nthe customer targeted Japanese banks exclusively. As far as crimes committed, the primary purpose of the tool was\r\nto steal credentials to facilitate bank fraud against unsuspecting victims when they attempted to authenticate to a\r\ntargeted financial institution. 
This was monetized by the actors as a botnet-as-a-service, and perhaps they too used\r\nthe botnet to steal credentials for their own usage, in which case they may have employed money mules from the\r\neCrime ecosystem to extract the funds. They used some clever technical tradecraft including Domain Generating\r\nAlgorithms (DGA) and disguising malicious JavaScript as legitimate Microsoft Office documents. Finally, in\r\norder to attract potential users or customers, they advertised in at least one criminal forum. The story of BOSON\r\nSPIDER is certainly an interesting one, but for victims such as financial institutions who wish to understand the\r\ncapabilities of this actor, and to monitor for changes in their behavior, a kill chain or diamond representation of\r\ntheir activities doesn’t show the whole picture. This is the reason CrowdStrike has expanded our eCrime offerings\r\nto deliver to our eCrime Intelligence subscribers a more comprehensive understanding of the threat actors that\r\nthey must deal with and ultimately how they can more effectively disrupt the activities of these actors to protect\r\ntheir businesses. Conceptually, the CrowdStrike eCrime ecosystem model takes into account the elements of the\r\nadversary that are important to understand who they are, as well as the inter-relationships with the eCrime\r\necosystem. CrowdStrike utilizes this model to deliver best-in-class eCrime intelligence reporting to our customers,\r\nand to fuel the CrowdStrike Falcon® Platform with eCrime intelligence to protect the endpoints of customers all\r\nover the world. We have recently launched our eCrime premium intelligence subscription for customers who are\r\nplagued by financial, reputational, and data losses at the hands of the myriad of eCrime actors operating with\r\nimpunity today. For more information on the CrowdStrike Falcon® Intelligence eCrime offering contact us at\r\nintelligence@crowdstrike.com. 
If you think you are up to the challenge of analyzing and investigating the\r\nmotivations of malicious adversaries, check our job listings to join the mission!\r\nSource: https://www.crowdstrike.com/blog/ecrime-ecosystem/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/ecrime-ecosystem/"
	],
	"report_names": [
		"ecrime-ecosystem"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ab35254c-b3f8-4b45-9413-01591ba7b5f4",
			"created_at": "2023-01-06T13:46:39.231425Z",
			"updated_at": "2026-04-10T02:00:03.253352Z",
			"deleted_at": null,
			"main_name": "BOSON SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BOSON SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a95ead6e-d506-4929-a0dd-1a7afb19b84e",
			"created_at": "2022-10-25T16:07:24.461901Z",
			"updated_at": "2026-04-10T02:00:04.999569Z",
			"deleted_at": null,
			"main_name": "Boson Spider",
			"aliases": [],
			"source_name": "ETDA:Boson Spider",
			"tools": [
				"CoreBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434112,
	"ts_updated_at": 1775792159,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5025978188903beb6aa3f34b919f4b72bdf573ab.pdf",
		"text": "https://archive.orkl.eu/5025978188903beb6aa3f34b919f4b72bdf573ab.txt",
		"img": "https://archive.orkl.eu/5025978188903beb6aa3f34b919f4b72bdf573ab.jpg"
	}
}