{
	"id": "6e1d5d6c-5084-4a73-850a-d23ee306e681",
	"created_at": "2026-04-06T00:09:25.305358Z",
	"updated_at": "2026-04-10T13:11:36.400608Z",
	"deleted_at": null,
	"sha1_hash": "5d15daca1c572e35217e821461e69ff0369078ad",
	"title": "Behind the CARBANAK Backdoor | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 361607,
	"plain_text": "Behind the CARBANAK Backdoor | Mandiant\r\nBy Mandiant\r\nPublished: 2017-06-12 · Archived: 2026-04-05 15:50:17 UTC\r\nWritten by: James T. Bennett, Barry Vengerik\r\nIn this blog, we will take a closer look at the powerful, versatile backdoor known as CARBANAK (aka Anunak).\r\nSpecifically, we will focus on the operational details of its use over the past few years, including its configuration,\r\nthe minor variations observed from sample to sample, and its evolution. With these details, we will then draw\r\nsome conclusions about the operators of CARBANAK. For some additional background on the CARBANAK\r\nbackdoor, see the papers by Kaspersky and by Group-IB and Fox-IT.\r\nTechnical Analysis\r\nBefore we dive into the meat of this blog, a brief technical analysis of the backdoor is necessary to provide some\r\ncontext. CARBANAK is a full-featured backdoor with data-stealing capabilities and a plugin architecture. Some\r\nof its capabilities include key logging, desktop video capture, VNC, HTTP form grabbing, file system\r\nmanagement, file transfer, TCP tunneling, HTTP proxy, OS destruction, POS and Outlook data theft and reverse\r\nshell. Most of these data-stealing capabilities were present in the oldest variants of CARBANAK that we have\r\nseen and some were added over time.\r\nMonitoring Threads\r\nThe backdoor may optionally start one or more threads that perform continuous monitoring for various purposes,\r\nas described in Table 1.\r\nThread Name | Description\r\nKey logger | Logs key strokes for configured processes and sends them to the command and control (C2) server\r\nForm grabber | Monitors HTTP traffic for form data and sends it to the C2 server\r\nPOS monitor | Monitors for changes to logs stored in C:\\NSB\\Coalition\\Logs and nsb.pos.client.log and sends parsed data to the C2 server\r\nPST monitor | Searches recursively for newly created Outlook personal storage table (PST) files within user directories and sends them to the C2 server\r\nHTTP proxy monitor | Monitors HTTP traffic for requests sent to HTTP proxies, saves the proxy address and credentials for future use\r\nhttps://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html\r\nPage 1 of 11\n\nTable 1: Monitoring threads\r\nCommands\r\nIn addition to its file management capabilities, this data-stealing backdoor supports 34 commands that can be\r\nreceived from the C2 server. After decryption, these 34 commands are plain text with parameters that are space\r\ndelimited much like a command line. The command and parameter names are hashed before being compared by\r\nthe binary, making it difficult to recover the original names of commands and parameters. Table 2 lists these\r\ncommands.\r\nCommand Hash | Command Name | Description\r\n0x0AA37987 | loadconfig | Runs each command specified in the configuration file (see the Configuration section)\r\n0x007AA8A5 | state | Updates the state value (see the Configuration section)\r\n0x007CFABF | video | Desktop video recording\r\n0x06E533C4 | download | Downloads executable and injects into new process\r\n0x00684509 | ammyy | Ammyy Admin tool\r\n0x07C6A8A5 | update | Updates self\r\n0x0B22A5A7 | (not recovered) | Add/Update klgconfig (analysis incomplete)\r\n0x0B77F949 | httpproxy | Starts HTTP proxy\r\n0x07203363 | killos | Renders computer unbootable by wiping the MBR\r\n0x078B9664 | reboot | Reboots the operating system\r\n0x07BC54BC | tunnel | Creates a network tunnel\r\n0x07B40571 | adminka | Adds new C2 server or proxy address for pseudo-HTTP protocol\r\n0x079C9CC2 | server | Adds new C2 server for custom binary protocol\r\n0x0007C9C2 | user | Creates or deletes Windows user account\r\n0x000078B0 | rdp | Enables concurrent RDP (analysis incomplete)\r\n0x079BAC85 | secure | Adds Notification Package (analysis incomplete)\r\n0x00006ABC | del | Deletes file or service\r\n0x0A89AF94 | startcmd | Adds command to the configuration file (see the Configuration section)\r\n0x079C53BD | runmem | Downloads executable and injects directly into new process\r\n0x0F4C3903 | logonpasswords | Sends Windows account details to the C2 server\r\n0x0BC205E4 | screenshot | Takes a screenshot of the desktop and sends it to the C2 server\r\n0x007A2BC0 | sleep | Backdoor sleeps until specified date\r\n0x0006BC6C | dupl | Unknown\r\n0x04ACAFC3 | (not recovered) | Uploads files to the C2 server\r\n0x00007D43 | vnc | Runs VNC plugin\r\n0x09C4D055 | runfile | Runs specified executable file\r\n0x02032914 | killbot | Uninstalls backdoor\r\n0x08069613 | listprocess | Returns list of running processes to the C2 server\r\n0x073BE023 | plugins | Changes C2 protocol used by plugins\r\n0x0B0603B4 | (not recovered) | Downloads and executes shellcode from specified address\r\n0x0B079F93 | killprocess | Terminates the first process found with the specified name\r\n0x00006A34 | cmd | Initiates a reverse shell to the C2 server\r\n0x09C573C7 | runplug | Plugin control\r\n0x08CB69DE | autorun | Updates backdoor\r\nTable 2: Supported Commands\r\nConfiguration\r\nThe configuration file resides under the backdoor’s installation directory with the .bin extension. It contains\r\ncommands in the same form as those listed in Table 2 that are automatically executed by the backdoor when it is\r\nstarted. These commands are also executed when the loadconfig command is issued. This file can be likened to a\r\nstartup script for the backdoor. The state command sets a global variable containing a series of Boolean values\r\nrepresented as ASCII values ‘0’ or ‘1’ and also adds itself to the configuration file. Some of these values indicate\r\nwhich C2 protocol to use, whether the backdoor has been installed, and whether the PST monitoring thread is\r\nrunning or not. Other than the state command, all commands in the configuration file are identified by their hash’s\r\ndecimal value instead of their plain text name. Certain commands, when executed, add themselves to the\r\nconfiguration so they will persist across (or be part of) reboots.\r\n
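The startup-script format just described, as an added Python example (this is not code from the original post, nor from the malware): it resolves each line of a decoded configuration file back to a Table 2 command name, treats the state command as the one plain-text exception, and flags entries an analyst should escalate. The sample configuration text is constructed for the example (203.0.113.10 is a documentation address), and the argument layouts of individual commands are assumptions, since the post does not spell them out.

```python
# Added example, not code from the original post or from the malware: resolve
# a decoded CARBANAK configuration (.bin) file. Table 2 of the post supplies
# the hash table; the sample configuration text is constructed, and the
# per-command argument layouts (an address after the server hash, another
# after tunnel) are assumptions the post does not spell out.
from dataclasses import dataclass, field

# Table 2: hash -> (plain-text name, or None where the post could not recover
# it, and a one-line description).
COMMANDS = {
    0x0AA37987: ('loadconfig', 'runs each command in the configuration file'),
    0x007AA8A5: ('state', 'updates the state value'),
    0x007CFABF: ('video', 'desktop video recording'),
    0x06E533C4: ('download', 'downloads executable and injects into new process'),
    0x00684509: ('ammyy', 'Ammyy Admin tool'),
    0x07C6A8A5: ('update', 'updates self'),
    0x0B22A5A7: (None, 'add/update klgconfig (analysis incomplete)'),
    0x0B77F949: ('httpproxy', 'starts HTTP proxy'),
    0x07203363: ('killos', 'renders computer unbootable by wiping the MBR'),
    0x078B9664: ('reboot', 'reboots the operating system'),
    0x07BC54BC: ('tunnel', 'creates a network tunnel'),
    0x07B40571: ('adminka', 'adds C2 server or proxy address for pseudo-HTTP'),
    0x079C9CC2: ('server', 'adds C2 server for custom binary protocol'),
    0x0007C9C2: ('user', 'creates or deletes Windows user account'),
    0x000078B0: ('rdp', 'enables concurrent RDP (analysis incomplete)'),
    0x079BAC85: ('secure', 'adds Notification Package (analysis incomplete)'),
    0x00006ABC: ('del', 'deletes file or service'),
    0x0A89AF94: ('startcmd', 'adds command to the configuration file'),
    0x079C53BD: ('runmem', 'downloads executable and injects directly into new process'),
    0x0F4C3903: ('logonpasswords', 'sends Windows account details to the C2 server'),
    0x0BC205E4: ('screenshot', 'takes a desktop screenshot and sends it to the C2 server'),
    0x007A2BC0: ('sleep', 'backdoor sleeps until specified date'),
    0x0006BC6C: ('dupl', 'unknown'),
    0x04ACAFC3: (None, 'uploads files to the C2 server'),
    0x00007D43: ('vnc', 'runs VNC plugin'),
    0x09C4D055: ('runfile', 'runs specified executable file'),
    0x02032914: ('killbot', 'uninstalls backdoor'),
    0x08069613: ('listprocess', 'returns list of running processes to the C2 server'),
    0x073BE023: ('plugins', 'changes C2 protocol used by plugins'),
    0x0B0603B4: (None, 'downloads and executes shellcode from specified address'),
    0x0B079F93: ('killprocess', 'terminates the first process found with the given name'),
    0x00006A34: ('cmd', 'initiates a reverse shell to the C2 server'),
    0x09C573C7: ('runplug', 'plugin control'),
    0x08CB69DE: ('autorun', 'updates backdoor'),
}

# Startup entries that deserve an immediate look: destructive, or they widen
# the operator's reach into the environment.
HIGH_RISK = {'killos', 'user', 'rdp', 'secure', 'tunnel', 'httpproxy',
             'adminka', 'server'}

@dataclass
class ConfigEntry:
    raw: str
    name: str                 # resolved name, unnamed:0x..., or unknown:<decimal>
    args: list
    description: str
    state_bits: list = field(default_factory=list)   # populated for state only

def parse_config_line(line):
    '''Resolve one line of a decoded configuration file.

    Per the post: every command except state is written as the decimal value
    of its hash followed by space-delimited parameters; state is written by
    name and carries a string of ASCII 0/1 flags (the post does not say what
    each position means, so none is assigned here).
    '''
    tokens = line.split()
    if not tokens:
        return None                       # blank line
    head, args = tokens[0], tokens[1:]
    if head == 'state':
        bits = args[0] if args else ''
        if not bits or set(bits) - set('01'):
            raise ValueError('state value must be a non-empty string of 0/1: %r' % bits)
        return ConfigEntry(line, 'state', args, COMMANDS[0x007AA8A5][1],
                           [c == '1' for c in bits])
    if not head.isdigit():
        raise ValueError('expected a decimal command hash or state, got %r' % head)
    h = int(head)
    if h in COMMANDS:
        name, desc = COMMANDS[h]
        if name is None:                  # in Table 2, but name never recovered
            name = 'unnamed:0x%08X' % h
    else:                                 # not in Table 2: new or renamed command
        name, desc = 'unknown:%d' % h, 'hash not listed in Table 2'
    return ConfigEntry(line, name, args, desc)

def parse_config(text):
    '''Parse a whole decoded file; returns (entries, names of HIGH_RISK entries).'''
    entries = [e for e in (parse_config_line(ln) for ln in text.splitlines()) if e]
    return entries, [e.name for e in entries if e.name in HIGH_RISK]

# Constructed sample modelled on Figures 1 and 2 (add a C2 server, set state,
# open a tunnel, record video). Hashes are written in decimal, as in a real file.
SAMPLE_CONFIG = '''
%d 203.0.113.10:443
state 10100
%d 203.0.113.10:8443
%d
''' % (0x079C9CC2, 0x07BC54BC, 0x007CFABF)

if __name__ == '__main__':
    entries, flagged = parse_config(SAMPLE_CONFIG)
    for e in entries:
        print('%-20s %-24s %s' % (e.name, ' '.join(e.args), e.description))
    print('escalate:', flagged)
```

Hashes that are in Table 2 but whose name the post could not recover come back as unnamed:0x..., and anything outside Table 2 as unknown:<decimal>, so a command added in a newer build stands out in the output instead of being silently dropped.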
The loadconfig and state commands are executed\r\nduring initialization, effectively creating the configuration file if it does not exist and writing the state command to\r\nit.\r\nFigure 1 and Figure 2 illustrate some sample, decoded configuration files we have come across in our\r\ninvestigations.\r\nFigure 1: Configuration file that adds new C2 server and forces the data-stealing backdoor to use it\r\nFigure 2: Configuration file that adds TCP tunnels and records desktop video\r\nCommand and Control\r\nCARBANAK communicates with its C2 servers via pseudo-HTTP or a custom binary protocol.\r\nPseudo-HTTP Protocol\r\nMessages for the pseudo-HTTP protocol are delimited with the ‘|’ character. A message starts with a host ID\r\ncomposed by concatenating a hash value generated from the computer’s hostname and MAC address to a string\r\nlikely used as a campaign code. Once the message has been formatted, it is sandwiched between an additional two\r\nfields of randomly generated strings of upper and lower case alphabet characters. An example of a command\r\npolling message and a response to the listprocess command are given in Figure 3 and Figure 4, respectively.\r\nFigure 3: Example command polling message\r\nFigure 4: Example command response message\r\nMessages are encrypted using Microsoft’s implementation of RC2 in CBC mode with PKCS#5 padding. The\r\nencrypted message is then Base64 encoded, replacing all the ‘/’ and ‘+’ characters with the ‘.’ and ‘-’ characters,\r\nrespectively. The eight-byte initialization vector (IV) is a randomly generated string consisting of upper and lower\r\ncase alphabet characters.\r\n
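The encoding layer of this section, as an added Python example (not code from the original post or from the malware): a sender side that wraps a message in the random alphabetic fields and '|' delimiters, prepends the 8-letter IV to the substituted Base64, and shapes the result into a URI with the random '/' insertion and appended extension that the rest of this section describes, plus the receiver-side inversion a proxy-log reviewer would actually use. RC2 itself is deliberately left out: the ciphertext is treated as opaque bytes, so only the reversible framing is shown and the block runs offline on the constructed sample. The field order after the leading host ID, the number of inserted slashes and the shape of the random parameters are assumptions.

```python
# Added example, not code from the original post: the URI/encoding layer of
# CARBANAK's pseudo-HTTP protocol as the post describes it. The RC2-CBC step
# is NOT implemented; ciphertext is opaque bytes (a constructed stand-in here).
import base64
import binascii
import random
import string

ALPHA = string.ascii_letters
SCRIPT_EXT = ('php', 'bml', 'cgi')                       # followed by random params
FILE_EXT = ('gif', 'jpg', 'png', 'htm', 'html', 'php')   # no params
KNOWN_EXT = set(SCRIPT_EXT) | set(FILE_EXT)
IV_LEN = 8          # eight-byte IV made of letters only
RC2_BLOCK = 8       # RC2 block size; PKCS#5 padding makes ciphertext a multiple

def random_letters(rng, n):
    return ''.join(rng.choice(ALPHA) for _ in range(n))

def frame_message(host_id, fields, rng):
    '''Sender: '|'-delimited message, host ID first, padded on both sides with
    random letter strings. Field order after the host ID is an assumption.'''
    def pad():
        return random_letters(rng, rng.randint(4, 12))
    return '|'.join([pad(), host_id] + list(fields) + [pad()])

def unframe_message(msg):
    '''Receiver: drop the two random pads, return (host_id, fields).'''
    parts = msg.split('|')
    if len(parts) < 3:
        raise ValueError('too few fields for a CARBANAK message')
    return parts[1], parts[2:-1]

def encode_payload(iv, ciphertext):
    '''Modified Base64 (/ becomes . and + becomes -) with the IV prepended.'''
    if len(iv) != IV_LEN or not iv.isalpha():
        raise ValueError('IV must be exactly 8 ASCII letters')
    b64 = base64.b64encode(ciphertext).decode('ascii')
    return iv + b64.replace('/', '.').replace('+', '-')

def build_uri(payload, rng):
    '''Sprinkle 1-4 slashes into the payload and append an extension.'''
    chars = list(payload)
    for _ in range(rng.randint(1, 4)):
        chars.insert(rng.randint(0, len(chars)), '/')
    uri = '/' + ''.join(chars)
    if rng.random() < 0.5:
        params = '&'.join('%s=%s' % (random_letters(rng, 3), random_letters(rng, 6))
                          for _ in range(rng.randint(1, 3)))
        return '%s.%s?%s' % (uri, rng.choice(SCRIPT_EXT), params)
    return '%s.%s' % (uri, rng.choice(FILE_EXT))

def parse_uri(uri):
    '''Invert build_uri: strip query and extension, drop every slash, split the
    IV from the Base64 body and undo the substitution. Raises ValueError when
    the URI cannot be a beacon of this shape.'''
    path = uri.split('?', 1)[0]
    stem, dot, ext = path.rpartition('.')
    if not dot or ext not in KNOWN_EXT:
        raise ValueError('extension not in the CARBANAK list')
    body = stem.replace('/', '')
    iv, b64 = body[:IV_LEN], body[IV_LEN:]
    if len(iv) != IV_LEN or not iv.isalpha():
        raise ValueError('leading 8 characters are not all letters')
    b64 = b64.replace('.', '/').replace('-', '+')
    b64 += '=' * (-len(b64) % 4)
    try:
        ct = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError('body is not Base64: %s' % exc)
    if not ct or len(ct) % RC2_BLOCK:
        raise ValueError('ciphertext is not a whole number of RC2 blocks')
    return iv, ct

def looks_like_beacon(uri):
    '''Cheap triage check for proxy logs: true only if parse_uri succeeds.'''
    try:
        parse_uri(uri)
        return True
    except ValueError:
        return False

def round_trip(seed=7):
    '''Constructed end-to-end sample: frame, encode, build the URI, parse it back.'''
    rng = random.Random(seed)
    msg = frame_message('1a2b3c4djun', ['listprocess'], rng)   # constructed host ID
    iv = random_letters(rng, IV_LEN)
    ct = bytes(range(24))          # stand-in for three RC2 blocks of ciphertext
    uri = build_uri(encode_payload(iv, ct), rng)
    return {'message': msg, 'iv': iv, 'ct': ct, 'uri': uri,
            'parsed': parse_uri(uri), 'host_id': unframe_message(msg)[0]}

if __name__ == '__main__':
    r = round_trip()
    print(r['uri'])
    print(r['parsed'] == (r['iv'], r['ct']))
```

The triage check is only a shape test: eight leading letters, a Base64 body whose decoded length is a multiple of the RC2 block size, and one of the listed extensions. It will match some benign URIs and should be used to pull candidates for a closer look, not as a signature on its own.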
It is prepended to the encrypted and encoded message.\r\nThe encoded payload is then made to look like a URI by having a random number of ‘/’ characters inserted at\r\nrandom locations within the encoded payload. The malware then appends a script extension (php, bml, or cgi)\r\nwith a random number of random parameters or a file extension from the following list with no parameters: gif,\r\njpg, png, htm, html, php.\r\nThis URI is then used in a GET or POST request. The body of the POST request may contain files in the\r\ncabinet (CAB) format. A sample GET request is shown in Figure 5.\r\nFigure 5: Sample pseudo-HTTP beacon\r\nThe pseudo-HTTP protocol uses any proxies discovered by the HTTP proxy monitoring thread or added by the\r\nadminka command. The backdoor also searches for proxy configurations to use in the registry at\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings and for each profile in the Mozilla Firefox\r\nconfiguration file at %AppData%\\Mozilla\\Firefox\\\\prefs.js.\r\nCustom Binary Protocol\r\nFigure 6 describes the structure of the malware’s custom binary protocol. If a message is larger than 150 bytes, it\r\nis compressed with an unidentified algorithm. If a message is larger than 4096 bytes, it is broken into compressed\r\nchunks. This protocol has undergone several changes over the years, each version building upon the previous\r\nversion in some way. These changes were likely introduced to render existing network signatures ineffective and\r\nto make signature creation more difficult.\r\nFigure 6: Binary protocol message format\r\nVersion 1\r\nIn the earliest version of the binary protocol, we have discovered that the message bodies that are stored in the\r\nfield are simply XORed with the host ID. The initial message is not encrypted and contains the host ID.\r\nVersion 2\r\nRather than using the host ID as the key, this version uses a random XOR key between 32 and 64 bytes in length\r\nthat is generated for each session. This key is sent in the initial message.\r\nVersion 3\r\nVersion 3 adds encryption to the headers. The first 19 bytes of the message headers (up to the field) are XORed\r\nwith a five-byte key that is randomly generated per message and stored in the field. If the field of the message\r\nheader is greater than one, the XOR key used to encrypt message bodies is iterated in reverse when encrypting and\r\ndecrypting messages.\r\nVersion 4\r\nThis version adds a bit more complexity to the header encryption scheme. The headers are XOR encrypted with\r\nand combined and reversed.\r\nVersion 5\r\nVersion 5 is the most sophisticated of the binary protocols we have seen. A 256-bit AES session key is generated\r\nand used to encrypt both message headers and bodies separately. Initially, the key is sent to the C2 server with the\r\nentire message and headers encrypted with the RSA key exchange algorithm. All subsequent messages are\r\nencrypted with AES in CBC mode. The use of public key cryptography makes decryption of the session key\r\ninfeasible without the C2 server’s private key.\r\nThe Roundup\r\nWe have rounded up 220 samples of the CARBANAK backdoor and compiled a table that highlights some\r\ninteresting details that we were able to extract. It should be noted that in most of these cases the backdoor was\r\nembedded as a packed payload in another executable or in a weaponized document file of some kind. The MD5\r\nhash is for the original executable file that eventually launches CARBANAK, but the details of each sample were\r\nextracted from memory during execution. This data provides us with a unique insight into the operational aspect\r\nof CARBANAK and can be downloaded here.\r\nProtocol Evolution\r\nAs described earlier, CARBANAK’s binary protocol has undergone several significant changes over the years.\r\nFigure 7 illustrates a rough timeline of this evolution based on the compile times of samples we have in our\r\ncollection. This may not be entirely accurate because our visibility is not complete, but it gives us a general idea as\r\nto when the changes occurred. It has been observed that some builds of this data-stealing backdoor use outdated\r\nversions of the protocol. This may suggest multiple groups of operators compiling their own builds of this data-stealing backdoor independently.\r\nFigure 7: Timeline of binary protocol versions\r\n*It is likely that we are missing an earlier build that utilized version 3.\r\nBuild Tool\r\nMost of CARBANAK’s strings are encrypted in order to make analysis more difficult. We have observed that the\r\nkey and the cipher texts for all the encrypted strings are changed for each sample that we have encountered, even\r\namongst samples with the same compile time. The RC2 key used for the HTTP protocol has also been observed to\r\nchange among samples with the same compile time. These observations paired with the use of campaign codes\r\nthat must be configured denote the likely existence of a build tool.\r\nRapid Builds\r\nDespite the likelihood of a build tool, we have found 57 unique compile times in our sample set, with some of the\r\ncompile times being quite close in proximity. For example, on May 20, 2014, two builds were compiled\r\napproximately four hours apart and were configured to use the same C2 servers. Again, on July 30, 2015, two\r\nbuilds were compiled approximately 12 hours apart.\r\nWhat changes in the code can we see in such short time intervals that would not be present in a build tool? In one\r\ncase, one build was programmed to execute the runmem command for a file named wi.exe while the other was\r\nnot. This command downloads an executable from the C2 and directly runs it in memory. In another case, one\r\nbuild was programmed to check for the existence of the domain blizko.net in the trusted sites list for Internet\r\nExplorer while the other was not. Blizko is an online money transfer service. We have also seen that different\r\nmonitoring threads from Table 1 are enabled from build to build. These minor changes suggest that the code is\r\nquickly modified and compiled to adapt to the needs of the operator for particular targets.\r\nCampaign Code and Compile Time Correlation\r\nIn some cases, there is a close proximity of the compile time of a CARBANAK sample to the month specified in a\r\nparticular campaign code. Figure 8 shows some of the relationships that can be observed in our data set.\r\nCampaign Code | Compile Date\r\nAug | 7/30/15\r\ndec | 12/8/14\r\njulyc | 7/2/16\r\njun | 5/9/15\r\njune | 5/25/14\r\njune | 6/7/14\r\njunevnc | 6/20/14\r\njuspam | 7/13/14\r\njuupd | 7/13/14\r\nmay | 5/20/14\r\nmay | 5/19/15\r\nndjun | 6/7/16\r\nSeP | 9/12/14\r\nspamaug | 8/1/14\r\nspaug | 8/1/14\r\nFigure 8: Campaign code to compile time relationships\r\nRecent Updates\r\nRecently, 64-bit variants of the backdoor have been discovered. We shared details about such variants in a recent\r\nblog post. Some of these variants are programmed to sleep until a configured activation date when they will\r\nbecome active.\r\nHistory\r\nThe “Carbanak Group”\r\nMuch of the publicly released reporting surrounding the CARBANAK malware refers to a corresponding\r\n“Carbanak Group”, which appears to be behind the malicious activity associated with this data-stealing backdoor.\r\nFireEye iSIGHT Intelligence has tracked several separate overarching campaigns employing the CARBANAK\r\ntool and other associated backdoors, such as DRIFTPIN (aka Toshliph). With the data available at this time, it is\r\nunclear how interconnected these campaigns are – if they are all directly orchestrated by the same criminal group,\r\nor if these campaigns were perpetrated by loosely affiliated actors sharing malware and techniques.\r\nFIN7\r\nIn all Mandiant investigations to date where the CARBANAK backdoor has been discovered, the activity has been\r\nattributed to the FIN7 threat group. FIN7 has been extremely active against the U.S. restaurant and hospitality\r\nindustries since mid-2015.\r\nFIN7 uses CARBANAK as a post-exploitation tool in later phases of an intrusion to cement their foothold in a\r\nnetwork and maintain access, frequently using the video command to monitor users and learn about the victim\r\nnetwork, as well as the tunnel command to proxy connections into isolated portions of the victim environment.\r\nFIN7 has consistently utilized legally purchased code signing certificates to sign their CARBANAK payloads.\r\nFinally, FIN7 has leveraged several new techniques that we have not observed in other CARBANAK related\r\nactivity.\r\nWe have covered recent FIN7 activity in previous public blog posts:\r\nFIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings\r\nFIN7 Evolution and the Phishing LNK\r\nTo SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence\r\nThe FireEye iSIGHT Intelligence MySIGHT Portal contains additional information on our investigations and\r\nobservations into FIN7 activity.\r\nWidespread Bank Targeting Throughout the U.S., Middle East and Asia\r\nProofpoint initially reported on a widespread campaign targeting banks and financial organizations throughout the\r\nU.S. and Middle East in early 2016. We identified several additional organizations in these regions, as well as in\r\nSoutheast Asia and Southwest Asia being targeted by the same attackers.\r\nThis cluster of activity persisted from late 2014 into early 2016. Most notably, the infrastructure utilized in this\r\ncampaign overlapped with LAZIOK, NETWIRE and other malware targeting similar financial entities in these\r\nregions.\r\nDRIFTPIN\r\nDRIFTPIN (aka Spy.Agent.ORM, and Toshliph) has been previously associated with CARBANAK in various\r\ncampaigns. We have seen it deployed in initial spear phishing by FIN7 in the first half of 2016. Also, in late 2015,\r\nESET reported on CARBANAK associated attacks, detailing a spear phishing campaign targeting Russian and\r\nEastern European banks using DRIFTPIN as the malicious payload. Cyphort Labs also revealed that variants of\r\nDRIFTPIN associated with this cluster of activity had been deployed via the RIG exploit kit placed on two\r\ncompromised Ukrainian banks’ websites.\r\nFireEye iSIGHT Intelligence observed this wave of spear phishing aimed at a large array of targets, including U.S.\r\nfinancial institutions and companies associated with Bitcoin trading and mining activities. This cluster of activity\r\nremains active to this day, targeting similar entities. Additional details on this latest activity are\r\navailable on the FireEye iSIGHT Intelligence MySIGHT Portal.\r\nEarlier CARBANAK Activity\r\nIn December 2014, Group-IB and Fox-IT released a report about an organized criminal group using malware\r\ncalled \"Anunak\" that has targeted Eastern European banks, U.S. and European point-of-sale systems and other\r\nentities. Kaspersky released a similar report about the same group under the name \"Carbanak\" in February 2015.\r\nThe name “Carbanak” was coined by Kaspersky in this report – the malware authors refer to the backdoor as\r\nAnunak.\r\nThis activity was further linked to the 2014 exploitation of ATMs in Ukraine. Additionally, some of this early\r\nactivity shares a similarity with current FIN7 operations – the use of Power Admin PAExec for lateral movement.\r\nConclusion\r\nThe details that can be extracted from CARBANAK provide us with a unique insight into the operational details\r\nbehind this data-stealing malware. Several inferences can be made when looking at such data in bulk as we\r\ndiscussed above and are summarized as follows:\r\n1. Based upon the information we have observed, we believe that at least some of the operators of\r\nCARBANAK either have access to the source code directly with knowledge on how to modify it or have a\r\nclose relationship to the developer(s).\r\n2. Some of the operators may be compiling their own builds of the backdoor independently.\r\n3. A build tool is likely being used by these attackers that allows the operator to configure details such as C2\r\naddresses, C2 encryption keys, and a campaign code. This build tool encrypts the binary’s strings with a\r\nfresh key for each build.\r\n4. Varying campaign codes indicate that independent or loosely affiliated criminal actors are employing\r\nCARBANAK in a wide range of intrusions that target a variety of industries but are especially directed at\r\nfinancial institutions across the globe, as well as the restaurant and hospitality sectors within the U.S.\r\nSource: https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html"
	],
	"report_names": [
		"behind-the-carbanak-backdoor.html"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434165,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d15daca1c572e35217e821461e69ff0369078ad.pdf",
		"text": "https://archive.orkl.eu/5d15daca1c572e35217e821461e69ff0369078ad.txt",
		"img": "https://archive.orkl.eu/5d15daca1c572e35217e821461e69ff0369078ad.jpg"
	}
}