Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 19:13:35 UTC

APT group: GCMAN

Names: GCMAN (Kaspersky), G0036 (MITRE)
Country: Russia
Motivation: Financial crime
First seen: 2016

Description (Kaspersky):
A second group, which we call GCMAN because the malware is based on code compiled on the GCC compiler, emerged recently using similar techniques to the Corkow, Metel Group to infect banking institutions and attempt to transfer money to e-currency services. The initial infection mechanism is handled by spear-phishing financial institution targets with e-mails carrying a malicious RAR archive. Upon opening the RAR archive, an executable is started instead of a Microsoft Word document, resulting in infection. Once inside the network, the GCMAN group uses legitimate and penetration testing tools such as Putty, VNC, and Meterpreter for lateral movement. Our investigation revealed an attack where the group then planted a cron script into a bank's server, sending financial transactions at the rate of $200 per minute. A time-based scheduler was invoking the script every minute to post new transactions directly to the upstream payment processing system. This allowed the group to transfer money to multiple e-currency services without these transactions being reported to any system inside the bank.

Observed
Sectors: Financial.
Countries: Russia.

Tools used: GCMAN, Meterpreter, PuTTY, VNC and malicious RAR archives.

Information: MITRE ATT&CK

Last change to this card: 16 August 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e6eeb30a-a941-46f9-8340-20958f1d6cb0