{
	"id": "e2cad836-15ff-4cd3-ac13-363d56fa80ea",
	"created_at": "2026-04-06T00:19:09.441811Z",
	"updated_at": "2026-04-10T13:12:55.47467Z",
	"deleted_at": null,
	"sha1_hash": "5951cde2b12fd26948c11de0215cdc33957aa4cb",
	"title": "Karius (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 28845,
	"plain_text": "Karius (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 15:53:48 UTC\r\nAccording to Check Point, Karius is a banking trojan in development that borrows code from Ramnit, Vawtrak, and Trickbot, and currently implements webinject attacks only.\r\nIt comes with an injector that loads an intermediate \"proxy\" component, which in turn loads the actual banker component.\r\nCommunication with the C2 is in JSON format and encrypted with RC4 using a hardcoded key.\r\nIn the initial version, observed in March 2018, the webinjects were hardcoded in the binary, while in subsequent versions they were received from the C2.\r\n[TLP:WHITE] win_karius_auto (20251219 | Detects win.karius.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.karius",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.karius"
	],
	"report_names": [
		"win.karius"
	],
	"threat_actors": [],
	"ts_created_at": 1775434749,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5951cde2b12fd26948c11de0215cdc33957aa4cb.pdf",
		"text": "https://archive.orkl.eu/5951cde2b12fd26948c11de0215cdc33957aa4cb.txt",
		"img": "https://archive.orkl.eu/5951cde2b12fd26948c11de0215cdc33957aa4cb.jpg"
	}
}