{ "id": "42184c44-e8d6-4105-be50-755f1f25c914", "created_at": "2026-04-06T00:21:18.102771Z", "updated_at": "2026-04-10T13:11:53.515227Z", "deleted_at": null, "sha1_hash": "60790daa7f1b607cc257b8baf0db20b33972dc37", "title": "Unveiling the intricacies of DiceLoader", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 880274, "plain_text": "Unveiling the intricacies of DiceLoader\r\nBy Sekoia TDR\u0026nbsp;and\u0026nbsp;Pierre Le Bourhis\r\nPublished: 2024-02-01 · Archived: 2026-04-05 20:05:04 UTC\r\nTable of contents\r\nIntroduction\r\nSample dissection\r\nLoader context\r\nData structure used by DiceLoader\r\nFingerprint\r\nNetworking\r\nExecution\r\nDiceLoader C2 infrastructure\r\nFinal words\r\nAnnexes\r\nIntroduction\r\nFIN7 is an intrusion set operating since at least 2015. The group is known to be structured as a corporate\r\nbusiness composed of Russian-speaking members. FIN7 hides its illicit activities behind front companies, which\r\nare likewise used to recruit IT experts who are not aware of the malicious activities they are involved in.\r\nThe intrusion set targets various sectors of activity (e.g. retail, hospitality, food service industry) within different\r\ngeographical areas such as the United States, the United Kingdom, Australia and France. \r\nFIN7 members were reported being affiliated to other cybercriminal organisations such as REvil, Lockbit,\r\nDarkside and also BlackBasta.\r\nThe intrusion set’s arsenal notably includes malware such as loaders, ransomware or backdoor, of which a great\r\npart is custom malware (e.g. Carbanak Backdoor, Domino Loader, Domino Backdoor, DiceLoader, etc).\r\nDiceLoader appears to be also sold for quite a long time. However, we assess with high confidence that the\r\nmalware is still used by this intrusion set in their campaigns. We observed, in the FIN7 context, that the malware\r\nis dropped by a PowerShell script that uses the FIN7 specific obfuscation along with other malware of their\r\narsenal named Carbanak.\r\nThis report aims to detail the functioning of a malware used by FIN7 since 2021, named DiceLoader (also known\r\nIcebot), and to provide a comprehensive approach of the threat by detailing the related Techniques and\r\nProcedures.\r\nThe sample used for this analysis was extracted from this PowerShell (stage-0):\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 1 of 17\n\nPowerShell: SHA-256: ffb1573c4dd003c4750a2a5d66c1d9061a159e83f2f945f12d1b1c47cc62ab77\r\nDiceLoader DLL: SHA-256: 75b9346e9c803f7e942c7be69d3a93902bfdc6b10ad4142c4e5be473546a9165\r\nSample dissection\r\nDiceLoader is a small-sized malware, part of the FIN7 arsenal, belonging to the downloader family. It uses\r\nmultiple internal structures to hinder analysis. The next sections of this report explain how the loader works by\r\nanalysing its workflow along with the data structures, the program architecture, the different obfuscation\r\ntechniques and finally its network state machines.\r\nLoader context\r\nIn FIN7 campaigns observed by Sekoia.io analysts, DiceLoader is dropped by a PowerShell script along with\r\nother malware of the intrusion set’s arsenal such as Carbanak RAT (Remote Access Trojan). The loader is a DLL\r\nwhose default entry point (exported function Ordinal #1) has a random name which corresponds to the\r\n“Reflective DLL injection” module available on Github.\r\nThis module is used to inject the DiceLoader main entry point into another process memory. Below, it refers to the\r\nfunction DllEntryPoint (address: 0x100018E3).\r\nFigure 1. Exported functions from DiceLoader DLL sample\r\n\u003e Reflective DLL injection is a library injection technique in which the concept of reflective programming is\r\nemployed to perform the loading of a library from memory into a host process. As such the library is responsible\r\nfor loading itself by implementing a minimal Portable Executable (PE) file loader. It can then govern, with\r\nminimal interaction with the host system and process, how it will load and interact with the host.\r\nSource: https://github.com/stephenfewer/ReflectiveDLLInjection\r\nNB: To facilitate the analysis of a malware using the Reflective DLL Injection, here is an adjusted C header file\r\ningestible by IDA.\r\nData structure used by DiceLoader\r\nThe first function executed by the malware sets up the principal data structures and mechanisms used by the\r\nloader for its future execution. \r\nIn this function, it initialises four criticalSections used for the thread context to provide mutex objects and then\r\ncreates a IoCompletionPort for the inter-thread communications. \r\nFinally, it allocates four empty linked lists used to connect each part of the program to structure the data in\r\nmemory; this mechanism is detailed in a dedicated section.\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 2 of 17\n\nThreading and Io Completion Port\r\nAs introduced previously, DiceLoader starts multiple threads that consume a specific data structure which will be\r\nthe subject of the next section; these threads are dubbed “consumer” in the rest of this report. \r\nPart of the main thread activity is to receive, to parse and to format incoming TCP packets and to forward them to\r\nthe Consumers. Consumers are infinite loops used to consume structured messages coming from the C2 server. \r\nFigure 2. Usage of IoCompletionPort (queue) in DiceLoader execution\r\nThe communications between the main thread and the Consumers are done by the IoCompletionPort file handle. \r\nNB-1: According to MSDN this mechanism has been designed to fit asynchronous needs and to provide an\r\nefficient threading model. Under the hood, IoCompletionPort are queues in first-in-first-out (FIFO) order. \r\nNB-2: The term file handle as used here refers to a system abstraction that represents an overlapped I/O endpoint,\r\nnot only a file on disk. Any system objects that support overlapped I/O such as network endpoints, TCP sockets,\r\nnamed pipes, and mail slots can be used as file handles.\r\nSource: https://learn.microsoft.com/en-us/windows/win32/fileio/i-o-completion-ports\r\nOn one hand, the threads consume the queue in the infinite loop using the GetQueuedCompletionStatus method,\r\non the other hand the main thread pushes incoming messages using PostQueuedCompletionStatus. Regarding the\r\nthreading context, DiceLoader uses a critical section to protect the shared resources (the four linked lists) from\r\nsimultaneous access.\r\nLinked List used by DiceLoader\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 3 of 17\n\nTo access structued data during its execution, DiceLoader uses the linked list data structure – a linear data\r\nstructure where the elements are not stored in a contiguous memory location. The data structure of a node in the\r\nlist is the following one:\r\nstruct node\r\n{\r\n_DWORD *head; // Pointer to the head of the list\r\n_DWORD *node; // Pointer to the current node data\r\n_DWORD size; // Size of the node\r\n_DWORD buff_size; // Internal node buffer size\r\n_BYTE nid; // ID used for the node creation\r\n};\r\nCode 1. C declaration of the linked list element structure\r\nAs introduced above, the loader required to access these linked list across threads; therefore implying the uses of\r\ncritical section, here is the implementation of a new element insertion within the list:\r\nFigure 3. Function to insert an element in the linked list\r\nDuring the analysis of the malware, only few functions were implemented to interact with the linked list: \r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 4 of 17\n\nFigure 4. List of functions implementation in DiceLoader to use linked list\r\nThe malware creates four linked lists dubbed L0, L1, L2 and L3 for the purpose of the analysis. These lists\r\nmanipulate various structures such as the fingerprint of the host, the received payload and the shellcode wrapper.\r\nThis analysis is focused on L0 and L3 where L0 is used to contain formatted messages coming from the C2 and\r\nL3 is used to store the shellcode wrapper and the payload.\r\nDiceloader Obfuscation Methods\r\nDiceLoader has two obfuscation methods:\r\n1. To deobfuscate the configuration C2(s): IP address(es) and port(s)\r\n2. To deobfuscation the network communication.\r\nThe configuration of the DiceLoader C2 server is obfuscated with a XOR operation with a fixed key length of 31\r\nbytes. Both obfuscated C2(s) and the key are stored at the beginning of the .data section.\r\nFigure 5. .data section containing the obfuscated port, the C2 and the XOR key\r\nThe function used to un-XOR the configuration is straightforward, it iterates over the input buffer (e.g. C2 IP\r\naddress(es) and the C2 port), the length of the XOR key is hardcoded in the function (line 12, with the modulo\r\n0x1f).\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 5 of 17\n\nFigure 6. Function to un-xor DiceLoader C2s\r\nA script to deobfuscate DiceLoader configuration is available on this gist.\r\nThe second obfuscation function is also based on the XOR operator. \r\nFigure 7. Decompiled code of the second obfuscation method\r\nThis method involves a more complex obfuscation function: each byte (Cx) is XORed with a byte of the key (Kx)\r\n(at the same index regarding the key length), and is XORed with the previous byte result of the deobfuscation (Px-1). The figure below schematizes the obfuscation algorithm:\r\n“K” in the schema stands for the XOR key which is the function parameter “key” in figure 8;\r\n“C” in the schema stands for the ciphertext which is the function parameter “buff” in figure 8;\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 6 of 17\n\n“P” in the schema stands for the plaintext: the result of the deobfuscation.\r\nNB: In the DiceLoader scenario the “IV” of this algorithm is one byte long and is Zero.\r\nFigure 8. Schema of the second obfuscation method\r\nThe data can be deobfuscated with the following Python function:\r\ndef xor_blob(blob: bytes, key: bytes) -\u003e bytearray:\r\n\"\"\"DiceLoader uses XOR obfuscation\"\"\"\r\noutput = bytearray()\r\ntemp = blob[0] ^ key[0]\r\noutput.append(temp)\r\nfor index, value in enumerate(blob):\r\nif index == 0:\r\ncontinue\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 7 of 17\n\ntemp = blob[index - 1] ^ value ^ key[index % len(key)]\r\noutput.append(temp)\r\nreturn output\r\nCode 2. Python function to deobfuscate TCP packet\r\nThis second obfuscation is consolidated as it is used twice:\r\n1. With a fixed key stored in the PE (the same as the one used for the configuration);\r\n2. With a key sent by the C2 at the runtime.\r\nFigure 9. Decompiled code that deobfuscates the received payload with the two different keys.\r\nFingerprint\r\nTo profile the victim’s machine, the malware takes a fingerprint of the infected host to generate a unique identifier.\r\nFirst, it hashes the concatenation of the MAC address, the username and the computer name. This hash is\r\nconcatenated with the current process identifier and it is then re-hashed. The malware uses the FNV-1 (Fowler–\r\nNoll–V 1) hashing algorithm:\r\nFigure 10. Fowler–Noll–V 1 implementation in DiceLoader\r\nLater, this fingerprint hash is sent at the earliest stage of the communication with the C2 server. To manipulate this\r\ninformation afterwards, the malware creates the following structure:\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 8 of 17\n\nstruct fingerprint\r\n{\r\n_DWORD cmd_id;\r\n_BYTE random[15];\r\nint *fingerprint;\r\n_DWORD current_process_id;\r\n_DWORD magic;\r\n_BYTE flag_event;\r\n_BYTE flag_arg2;\r\n_DWORD flag_arg3;\r\n_DWORD size1;\r\n_BYTE undef_flags[3];\r\n_DWORD size_local_ipaddress;\r\nchar local_ipaddress;\r\n};\r\nCode 3. C declaration of the fingerprint made by the loader and inserted in the linked list\r\nNetworking\r\nAs introduced in the previous section “Obfuscation”, the loader uses a raw TCP connection to communicate with\r\nits Command and Control, where the port is configurable for each C2 of each sample. \r\nAt the time of digging deep in the reverse of the sample, the C2s were down. For analysis purposes a fake\r\nDiceLoader C2 was developed. Therefore, the data sent from this server are considered to be incorrect.\r\nInitialisation sequence\r\nTo declare itself to the C2, DiceLoader uses a unique sequence of bytes. The screenshot below represents the\r\ndissection of the first TCP packet sent to the C2 server.\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 9 of 17\n\nFigure 11. Diagram of the initial TCP sequence\r\nThe legend for the figure above is as follows:\r\n1. The 2 first bytes are random numbers (never reused afterwards);\r\n2. The next 15 bytes are randomly generated number used for XOR obfuscation (of note, the size is also\r\nrandom from 5 to 15 bytes);\r\n3. The following 22 bytes are the fingerprint obfuscated;\r\n4. The ensuing 19 bytes are the local IP address obfuscated;\r\n5. The last 4 bytes are the FNV-1 hash of the local IP address;\r\nSo, the fingerprint and the local IP address are obfuscated using the second obfuscation method with the XOR key\r\nstored in the PE and the XOR key obtained from the generated random number (2).\r\nFigure 12. Extract of the decompiled code related to the double obfuscation of the fingerprint and\r\nlocal IP address\r\nReceived C2 order\r\nAfter initialising the communication, the loader received data from its C2 with the specific bytes sequence, format\r\nand structure that is used each time the C2 sends data. The main thread is in charge of this task with the following\r\ncode:\r\nFigure 13. Decompiled code used to manage order received from the C2, part-1.\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 10 of 17\n\nFigure 14. Decompiled code used to manage order received from the C2, part-2 (function:\r\nreceived_data)\r\nReceived\r\norder\r\nDescription Length (byte) Ref code\r\n(1) Length of packet (2) 1\r\nFigure 13, line\r\n80\r\n(2) Custom XOR key 5-15: (result of (1) % 0xb + 5)\r\nFigure 13, line\r\n83\r\n(3) Length of packet (4) 4\r\nFigure 13, line\r\n86\r\n(4) Data (payload)\r\nValue defined in the previous\r\npacket\r\nFigure 14, line\r\n22\r\n(5)\r\nFNV-1 hash of packet\r\n(4)\r\n4\r\nFigure 14, line\r\n22\r\nTable 1: Packet sequence used to received data from the C2\r\nEach time the C2 sends a command/data/operation to the infected host, it follows this same packet sequence. \r\nWhen the sequence is received, DiceLoader executes the function used to manage the downloaded payload (c.f.\r\nstage number 4 of table 1), this function is in charge of allocating memory on the heap and of structurizing it\r\nregarding the malware linked lists’ structure.\r\nFigure 15. Decompiled function used to allocate memory and deobfuscate the received packet\r\nAs shown in figure 15, the received data is doubly deobfuscated (see the second obfuscation technique described\r\nin its dedicated section). Firstly, it deobfuscates with the XOR key stored in the sample and secondly, it uses the\r\nkey forwarded by the server at stage (2) of the sequence described in table 1 to retrieve the cleartext message.\r\nThen, the function looks at the first byte of the deobfuscated payload to search for an order ID which value can be:\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 11 of 17\n\nOrder\r\nidentifier\r\nDescription\r\n1 Insert the payload in the linked list L0\r\n2 Set the mutex flag to 1, that stops the malware\r\n3\r\nPush the structure containing the payload to the IoCompletionPort (for\r\nafterwards usage by the consumer threads)\r\n4 Increment the next queue direction by one\r\nTable 2. DiceLoader order ID description\r\nFor a better understanding of this thread, a Python server was developed to mimic a DiceLoader C2. \r\nFigure 16. Extract of the TCP communication between the sample and the fake C2 server\r\nExecution\r\nThe loader specialises in the execution of malicious code, orchestrating the initiation of more sophisticated and\r\nharmful payloads to serve attackers objectives. DiceLoader does not use advanced techniques to execute payload\r\nsent by the C2. It works the same way as a shellcode execution: \r\n1. Use VirtualAlloc to copy the shellcode to the reserved memory (n.b: with the correct allocation type:\r\nMEM_RESERVE|MEM_COMMIT and the permissions to PAGE_EXECUTE_READWRITE the region\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 12 of 17\n\npages);\r\n2. Copy shellcode in the allocated memory;\r\n3. Deobfuscate the shellcode (c.f. section Obfuscation);\r\n4. Inline function pointer declaration and execution.\r\nFigure 17. Disassembled code of the workflow used to execute a shellcode\r\nThe technique is simple, however, the buffer that contains the code to execute is more complex than it seems at\r\nfirst glance. First to reach this part of the code, the loader must receive the order “3” (c.f. the section “Received C2\r\norder” above) to trigger the windows API call to PostQueuedCompletionStatus in the IoCompletionPort that\r\nwakes up one consumer thread.\r\nThen, the consumer thread manipulates the passed structure to search for another action identifier:\r\nAction\r\nID\r\nObservation Confidence\r\n1\r\nSearch in L3 for already allocated\r\nmemory and execute the data provided\r\npreviously\r\n60%: Few information on the structure\r\nof the memory required to execute the\r\npayload\r\n2\r\nAllocate memory on the Heap and\r\nexecute the data provided previously\r\n(c.f: figure 18)\r\n100%\r\n8\r\nSearch element in L1 to execute a\r\nfunction pointer\r\n30%: Few information on the structure\r\nof element in L1\r\nOther Insert element in L2 100%\r\nTable 3. Interpretation of the action for its given action ID\r\nDisclaimer: At this point in the analysis none of the 3 cases where an execution could be triggered were reached\r\ndue to the lack of knowledge on the required memory structure, and also due to the C2 inactivity.\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 13 of 17\n\nFigure 18.  Last part of the shellcode structure preparation\r\nExecution of the additional payload is indirect, the attacker does not provide a DLL or a PE, the malware expects\r\nto have a proper memory structure. This shellcode executor has 4 parameters:\r\n1. A pointer to the current element in L1 linked list;\r\n2. A pointer to a function used to create a structure insertable in L2;\r\n3. Another pointer to a function that creates a structure insertable in L2 that has more choices in the\r\nparameters;\r\n4. A function pointer to search an item in L1.\r\nFigure 19. Build of the parameters pushed to the shellcode function\r\nAs indicated previously, triggering the execution of a payload in DiceLoader is not an easy task due to the\r\ndifferent internal data structures and mechanisms.\r\nDiceLoader C2 infrastructure\r\nSince early 2022, Sekoia.io analysts have proactively tracked a C2 infrastructure that we assess, with high\r\nconfidence, is associated with the DiceLoader malware. The infrastructure has been consistently maintained, with\r\nan average of over 20 active servers, and approximately 50 active servers as of January 2023.\r\nIt is noteworthy that we identified PowerShell scripts, obfuscated in a manner consistent with known FIN7\r\ntechniques, that load Carbanak and DiceLoader. The C2 servers of this infrastructure are linked to these malicious\r\npayloads. We therefore assess with high confidence that the DiceLoader payloads, as well as the associated C2\r\nservers, are used by the FIN7 intrusion set. \r\nHere are the results of our proactive tracking from the beginning of 2022 until January 2024 (at the time of\r\nwriting):\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 14 of 17\n\nFigure 20. Number of active DiceLoader C2 servers by date\r\nThe number of presumed active DiceLoader C2 servers has significantly increased since December 2023, as\r\nshown in the above figure.\r\nTwo main hypotheses explaining this increase can be considered. Firstly, it is highly likely that an intrusion set,\r\nleveraging DiceLoader to load additional payloads in its campaigns, has escalated its malicious activities. This\r\ncould be associated with FIN7 or another intrusion set that also employs DiceLoader malware. Secondly, it is\r\nplausible that one or several new intrusion sets recently added DiceLoader to their arsenal. At the time of\r\nwriting, Sekoia.io has no evidence to affirm or refute these hypotheses. We are interested in obtaining more\r\ntechnical or strategic information about DiceLoader and intrusion sets leveraging the malware, including FIN7.\r\nFinal words\r\nWhile analysing DiceLoader malware is a task that can prove challenging as the different developed mechanisms\r\nshow an advanced knowledge and technical expertise in software development, surprisingly the analysed sample\r\ndoes not have any technique for anti-analysis, nor any particular protection against execution in a dedicated\r\nenvironment (e.g.: virtual environments, sandboxes, etc.). The tracking of the infrastructure related to DiceLoader\r\nshows its consistent activity over the time. Sekoia TDR (Threat Detection \u0026 Research) assesses with high\r\nconfidence that the malware is still used by intrusion sets as of January 2024, due to the ongoing development in\r\nthe malware and the constant number of infrastructure spotted online.\r\nAnnexes\r\nResources\r\nhttps://www.mandiant.com/resources/blog/evolution-of-fin7\r\nhttps://research.openanalysis.net/downloader/diceloader/yara/triage/2022/06/16/diceloader.html#Yara\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 15 of 17\n\nhttps://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319\r\nhttps://twitter.com/c3rb3ru5d3d53c/status/1348667319665487874\r\nhttps://twitter.com/Arkbird_SOLG/status/1310966874352635907\r\nhttps://twitter.com/bryceabdo/status/1651386790396280832\r\nhttps://duo.com/decipher/fin7-evolves-with-novel-malware-initial-access-tactics\r\nhttps://bazaar.abuse.ch/browse.php?search=tag:diceloader\r\nYARA\r\nWe have removed the YARA rule for matching too widely, stay tuned for its updated version.\r\nMITRE ATT\u0026CK TTPs\r\nTactic Technique\r\nDefense Evasion T1027 – Obfuscated Files or Information\r\nDefense Evasion\r\nT1027.007 – Obfuscated Files or Information: Dynamic API\r\nResolution\r\nDefense Evasion T1140 – Deobfuscate/Decode Files or Information\r\nDefense Evasion T1620 – Reflective Code Loading\r\nCommand and\r\nControl\r\nT1105 – Ingress Tool Transfer\r\nCommand and\r\nControl\r\nT1132.002 – Non-Standard Encoding\r\nCommand and\r\nControl\r\nT1571 – Non-Standard Port\r\nDiscovery T1057 – Process Discovery\r\nDiscovery T1082 – System Information Discovery\r\nThank you for reading this blogpost. We welcome any reaction, feedback or critics about this analysis. Please\r\ncontact us on tdr[at]sekoia.io.\r\nFeel free to read other Sekoia TDR (Threat Detection \u0026 Research) analysis here :\r\nCybercrime Malware Reverse\r\nShare this post:\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 16 of 17\n\nSource: https://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nhttps://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/\r\nPage 17 of 17", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "origins": [ "web" ], "references": [ "https://blog.sekoia.io/unveiling-the-intricacies-of-diceloader/" ], "report_names": [ "unveiling-the-intricacies-of-diceloader" ], "threat_actors": [ { "id": "c9617bb6-45c8-495e-9759-2177e61a8e91", "created_at": "2022-10-25T15:50:23.405039Z", "updated_at": "2026-04-10T02:00:05.387643Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Carbanak", "Anunak" ], "source_name": "MITRE:Carbanak", "tools": [ "Carbanak", "Mimikatz", "PsExec", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434878, "ts_updated_at": 1775826713, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/60790daa7f1b607cc257b8baf0db20b33972dc37.pdf", "text": "https://archive.orkl.eu/60790daa7f1b607cc257b8baf0db20b33972dc37.txt", "img": "https://archive.orkl.eu/60790daa7f1b607cc257b8baf0db20b33972dc37.jpg" } }