{
	"id": "60d9b59a-73d1-4f02-a761-616c1082ac35",
	"created_at": "2026-04-06T00:13:08.691188Z",
	"updated_at": "2026-04-10T03:31:13.291692Z",
	"deleted_at": null,
	"sha1_hash": "6162d971fcb24db9261abb9b41872213f7828c52",
	"title": "NotCarbanak Mystery - Source Code Leak",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40920,
	"plain_text": "NotCarbanak Mystery - Source Code Leak\r\nPublished: 2018-07-11 · Archived: 2026-04-05 14:46:25 UTC\r\nI got a tip a very short time ago in our Slack group about a possible Carbanak source code leak. A quick Google\r\nsearch proved this is indeed a possibility.\r\nhxxp://mal4all.com/showthread.php?tid=494\u0026action=lastpost\r\nHere is the source code in a zip file.\r\nPlease make sure you use proper security steps such as sandbox and isolated environment. The origin of this zip\r\nfile is unknown and was not inspected for booby traps etc.\r\nThis file was uploaded for research and defense purposes only. If you plan to use this for malicious reasons you\r\nsuck.\r\nPass: f1Up$zD%QY*p5@!\u0026\r\nIf you are creating any signatures such as Yara and Snort please share back with the community.\r\nHappy Researching\r\nMy team at Minerva have organized the information into a single blog post:\r\nInitial analysis and insights about the enhanced #Buhtrap source code #leak (not #carbanak)\r\nhttps://t.co/b4hCMmc5fp\r\n— Minerva Labs (@MinervaLabs) July 12, 2018\r\nSome on-going updates posted during the initial investigation:\r\nthe #carbanak leak seems to have full AD dump of several banks such as:\r\nKazan-based Energobank pic.twitter.com/NpHKdGd35G\r\n— Omri Moyal (@GelosSnake) July 11, 2018\r\nAnd of course, Enums visible machines in current or any specified domain\r\npic.twitter.com/KD0bFGCSD1\r\n— Bʀʏᴀɴ (@bry_campbell) July 11, 2018\r\nSomebody leaked the Carbanak source code last week\r\nI've been talking with several security researchers who are currently trying to verify the code's\r\nauthenticity and they believe it to be the real thing, albeit they're not 100% sure just yet\r\npic.twitter.com/8sAUHPEgnv\r\n— Catalin Cimpanu (@campuscodi) July 11, 2018\r\nHere's a video of the arrest: https://t.co/vzKhroTYFt\r\n— Catalin Cimpanu (@campuscodi) July 11, 2018\r\nSource: https://malware-research.org/carbanak-source-code-leaked/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://malware-research.org/carbanak-source-code-leaked/"
	],
	"report_names": [
		"carbanak-source-code-leaked"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434388,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6162d971fcb24db9261abb9b41872213f7828c52.pdf",
		"text": "https://archive.orkl.eu/6162d971fcb24db9261abb9b41872213f7828c52.txt",
		"img": "https://archive.orkl.eu/6162d971fcb24db9261abb9b41872213f7828c52.jpg"
	}
}