{
	"id": "e1473a2d-82ea-461d-90ef-a53fee9005ff",
	"created_at": "2026-04-06T00:08:41.160929Z",
	"updated_at": "2026-04-10T03:35:02.928557Z",
	"deleted_at": null,
	"sha1_hash": "660bd79b220d27e53736c6bf86901061c4f2e6c4",
	"title": "Operation Buhtrap, the trap for Russian accountants",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 588824,
	"plain_text": "Operation Buhtrap, the trap for Russian accountants\r\nBy Jean-Ian Boutin\r\nArchived: 2026-04-05 13:29:25 UTC\r\nLate in 2014, we noticed and started to track an undocumented malicious campaign targeting Russian businesses that has been active for well over a year. The malware used in this campaign is a mix of off-the-shelf tools, NSIS-packed malware and bespoke spyware that abuses Yandex’s Punto software, a program for Russian users which silently and automatically changes the keyboard language depending on what the user is typing. Once the cybercriminals have compromised a computer, they use custom tools to analyze its content, install a backdoor and finally deploy a malicious module that spies on the system and can enumerate smart cards.\r\nThe campaign targets a wide range of Russian banks, uses several different code signing certificates and implements evasive methods to avoid detection. As explained later, we believe this campaign is financially-motivated and that it targets accounting departments in Russian businesses. Operation Buhtrap is a mix of two words: “Buhgalter” and “trap”. “Buhgalter” means “accountant” in Russian.\r\nThis campaign is of particular interest as the techniques used by these cybercriminals are often associated with targeted attacks and not generally used by financially-motivated cybercriminals. Although we believe it to be a different campaign, it shares some similarities with Anunak/Carbanak in terms of the techniques, tactics and procedures it uses. In this blog post, we will cover this campaign, its targets, and the tools used by these criminals.\r\nTargets\r\nThe cybercriminals behind this campaign are installing their software only on computers that have Russia as their default Windows locale. 
The infection vector we have seen consists of Microsoft Word documents sent as email attachments that exploit CVE-2012-0158, a vulnerability in Microsoft Word that was patched three years ago. The images below show two of the decoy documents used in this campaign. The first document, titled “Счет № 522375-ФЛОРЛ-14-115.doc”, mimics an invoice. The second, aptly titled “kontrakt87.doc”, copies a generic telecommunications service contract from MegaFon, a large Russian mobile phone operator.\r\nhttps://www.welivesecurity.com/2015/04/09/operation-buhtrap/\r\nPage 1 of 13\r\nThe content of the decoy documents we've examined, the tactics and tools used, the references to business applications contained in some modules, as well as some of the malicious domain names that were used in this campaign, all lead us to believe that Russian businesses are their primary target.\r\nIf we take into consideration that some of the Command and Control (C\u0026C) domain names are very similar to those of accounting forums or specialized websites, and that the malware contains references to software tools and banking applications commonly used in accounting departments, we can infer that workers belonging to this department are the most likely primary targets.\r\nThe tools deployed on the victim’s computer allow them to control it remotely and to record the user’s actions. The malware allows the criminals to install a backdoor, attempt to obtain the account password, and even create a new account. They also install a keylogger, a clipboard stealer, a smart card module, and have the capability to download and execute additional malware.\r\nOur telemetry for the malware families linked to this campaign is shown below. Most detections we have for these threats are located in Russia. Our telemetry also shows that the tools used by this campaign are not widespread. 
This reinforces our assumption that these attackers are likely focusing primarily on businesses.\r\nInstallation Overview\r\nIf the user opens the malicious attachments on a vulnerable system, an NSIS-packed trojan downloader will be dropped and executed. It will make several checks on the machine, first looking for malware researcher tools or evidence that the malware is run in a virtual machine, exiting if it finds any. It will also check whether the Windows locale is Russian (1049) and uses “FindFirst/NextUrlCacheEntry” and the registry key “Software\\Microsoft\\Internet Explorer\\TypedURLs” to know whether URLs matching the following patterns were visited on the computer:\r\n*ICPortalSSL *ibank *i-elba\r\n*sib.taatta.net *ibrs *clbank.minbank.ru\r\n*isfront.priovtb.com *iclient *chelindbank.ru/online/\r\n*ISAPIgate.dll *e-plat.mdmbank.com *uwagb\r\n*bsi.dll *sberweb.zubsb.ru *wwwbank\r\n*PortalSSL *ibc *dbo\r\n*IIS-Gate.dll *elbrus *ib\r\n*beta.mcb.ru\r\nIt will also check to see if any of the applications below is running on the machine:\r\nip-client.exe pkimonitor.exe BC_Loader.exe CbShell.exe Bankline.EXE\r\nprclient.exe pmodule.exe Client2008.exe clb.exe GeminiClientStation.exe\r\nrclient.exe pn.exe IbcRemote31.exe CliBank.exe _ClientBank.exe\r\nsaclient.exe postmove.exe _ftcgpk.exe CliBankOnlineEn.exe ISClient.exe\r\nSRCLBClient.exe productprototype.exe scardsvr.exe CliBankOnlineRu.exe cws.exe\r\ntwawebclient.exe quickpay.exe CL_1070002.exe CliBankOnlineUa.exe CLBANK.EXE\r\nvegaClient.exe rclaunch.exe intpro.exe client2.exe IMBLink32.exe\r\ndsstart.exe retail.exe UpMaster.exe client6.exe cbsmain.dll\r\ndtpaydesk.exe retail32.exe SGBClient.exe clientbk.exe GpbClientSftcws.exe\r\neelclnt.exe translink.exe el_cli.exe clntstr.exe Run.exe\r\nelbank.exe 
unistream.exe MWClient32.exe clntw32.exe SGBClient.exe\r\netprops.exe uralprom.exe Adirect.exe contactng.exe sx_Doc_ni.exe\r\neTSrv.exe w32mkde.exe Bclient.exe Core.exe icb_c.exe\r\nibconsole.exe wclnt.exe bc.exe cshell.exe Client32.exe\r\nkb_cli.exe wfinist.exe ant.exe cyberterm.exe BankCl.exe\r\nKLBS.exe winpost.exe arm.exe client.exe ICLTransportSystem.exe\r\nKlientBnk.exe wupostagent.exe arm_mt.exe cncclient.exe GPBClient.exe\r\nlfcpaymentais.exe Zvit1DF.exe ARMSH95.EXE bbclient.exe CLMAIN.exe\r\nloadmain.exe budget.exe asbank_lite.exe EximClient.exe ONCBCLI.exe\r\nlpbos.exe CB.exe bank.exe fcclient.exe CLBank3.exe\r\nmebiusbankxp.exe cb193w.exe bank32.exe iscc.exe rmclient.exe\r\nmmbank.exe cbank.exe bbms.exe kabinet.exe FcolseOW.exe\r\npcbank.exe cbmain.ex bk.exe SrCLBStart.exe RkcLoader.exe\r\npinpayr.exe CBSMAIN.exe BK_KW32.EXE srcbclient.exe uarm.exe\r\nPionner.exe bnk.exe Upp_4.exe nlnotes.exe\r\nThe list of processes is quite exhaustive and does not contain only banking applications. It includes, for example, “scardsvr.exe”, which is Microsoft’s SmartCard reader. This makes sense knowing that this malware has smartcard reader capabilities. On the other hand, some processes are hard to identify and might be there for opportunistic reasons.\r\nIf all the requirements are met, the final stage is to download an additional file that contains all the modules used by the cybercriminal to spy on the victim.\r\nInterestingly, the downloaded archive may differ depending on the results of the checks above. In one of the earlier versions of the NSIS-packed downloader we analyzed, there exist two different archives that can be downloaded from the C\u0026C: one malicious and one benign.\r\nOne of the benign archives we downloaded ultimately installed the Windows Live Toolbar. 
Although the means to install the software was malicious, the final payload wasn't. These tactics were probably put in place to fool automatic processing systems: since a payload was downloaded, the system could be fooled into thinking that this is the end of the story.\r\nThe archive downloaded by the NSIS-packed dropper is a 7z self-extracting executable and contains different modules, all distributed as 7z password-protected archives. This downloaded archive contains the different modules used by this campaign. The picture below better describes the overall installation process and shows the different modules.\r\nWhile the different modules have very different purposes, they are all similarly packaged and a lot of them are signed with a valid code-signing certificate. We found four different certificates used since the campaign started, all registered to companies in Moscow. We of course notified the certificate issuer to have them revoked.\r\nThe table below lists the different certificates that were found linked to this campaign. 
We believe they were all fraudulently obtained.\r\nCompany name Validity Serial and Thumbprint\r\nStroi-Tekh-Sever 09/25/2014 to 09/26/2015\r\nSerial: 07 ac 7c a0 d1 69 d7 d3 86 ee 08 01 19 95 99 f2\r\nThumbprint: cf5a43d14c6ad0c7fdbcbe632ab7c789e39443ee\r\nFlash 12/18/2014 to 12/19/2015\r\nSerial: 57 a8 f7 1c 7e 2b 97 8c 71 60 ba 07 5e ca b4 6c\r\nThumbprint: e9af1f9af597a9330c52a7686bf70b0094ad7616\r\nOOO \"Techcom\" 12/22/2014 to 12/23/2015\r\nSerial: 00 e9 fb cb 1b c3 8b 66 8d 9e ba a4 73 11 76 01 41\r\nThumbprint: 3e1a6e52a1756017dd8f03ff85ec353273b20c66\r\nTorg-Group 10/30/2014 to 10/31/2015\r\nSerial: 13 01 47 51 84 46 19 e6 b5 7f de ca 34 e6 04 aa\r\nThumbprint: efad94fc87b2b3a652f1a98901204ea8fbeef474\r\nAll the modules that make up this threat share a common install procedure. They are all 7z self-extracting executables that first decompress a password-protected archive and then execute an install.cmd file. The following is the first install.cmd file that gets invoked after the first module has been downloaded and executed:\r\nThe install.cmd file will then install the malware or run the various tools, but will first learn more about the machine it is about to compromise, especially about the account privileges it currently has and which version of Windows is installed.\r\nIf administrator privileges are required and the malware is run on a limited account, it uses two different techniques to attempt privilege escalation.\r\nThe first approach uses two files, l1.exe and cc1.exe, which implement a variant of the trick used in the leaked Carberp source code. It copies cryptbase.dll to %USERPROFILE%, patches it so that it launches the malware on execution and packs it as an MSU file. Finally, it uses wusa.exe to copy it to the system directory before launching it. The other technique exploits CVE-2013-3660. 
Each module that requires privilege escalation has a 32- and 64-bit version of this exploit. If gaining administrator privileges is required, the install.cmd file will try to use either of these techniques to escalate privileges locally in order to install the different modules.\r\nWhile tracking this campaign, we downloaded different overall packages. Interestingly, the modules they contained were not the same. This leads us to believe that different targets might receive different modules.\r\nSystem Preparation – mimi.exe and xtm.exe\r\nThis module will try to:\r\nRecover account passwords\r\nEnable remote desktop service\r\nCreate a new account on the compromised computer\r\nmimi.exe includes a modified version of Mimikatz, a well-known open source tool allowing password recovery for users logged in to a Windows system. Both the 32- and 64-bit versions of the tool are included in the executable resources. While the account password recovery functionality is still there, the executable was modified to remove the user interaction part of the tool. The executable is also modified so that when run, it will invoke in succession the “privilege::debug” and “sekurlsa::logonPasswords” commands, effectively compromising the current local account password.\r\nxtm.exe has different behavior to reach its goals depending on which Windows version it is run on. On WinXP, it has scripts that will enable remote desktop services and try to create a new account. These steps are required to give the malware authors full control over the compromised system. xtm.exe will also change system settings to allow multiple users to be logged on to the computer at the same time. The screenshot below shows an example of the type of commands run on a WinXP machine.\r\nBackdoor – lmpack.exe\r\nThis module’s sole purpose is to install a backdoor onto the system. 
It will try to install LiteManager, a third-party tool that allows remote control of a system.\r\nOnce this software is installed, it allows the cybercriminals to connect directly to the victim's computer and control it remotely. This software even has a command line option to install the application silently, to create firewall rules, and finally to start LiteManager silently. Of course all these options are abused by the cybercriminals.\r\nSpying module – pn_pack.exe\r\nThis module is responsible for spying on the user and communicating with the C\u0026C. It will first install Punto, software made by Yandex that can automatically change keyboard language as the user types. The cybercriminals are then misusing this software to run the spying module through DLL side loading and are using it to:\r\nLog all keystrokes and copy clipboard content\r\nEnumerate smart cards present on the system\r\nHandle C\u0026C communications\r\nThe module that is ultimately responsible for these tasks is an encrypted DLL that is decrypted and loaded into memory at runtime by the Punto process. It launches three threads that will ultimately perform the work outlined above. The fact that Punto is misused by this malware for keylogging purposes is not surprising: several Russian forums detail explicitly how to misuse this application for this purpose.\r\nThis module uses RC4 to encrypt its strings as well as its network communication. It will reach out to the C\u0026C every two minutes, transmitting any data that have been stolen from the compromised system. A screenshot of a network communication as well as the different commands that can be received from the server are shown below.\r\nCommand Description\r\nMZ The data sent is an executable. The banker module will execute it through the CreateProcess API\r\nLD The data sent is code. 
The banker module will copy it into executable memory and will execute it by launching a new thread.\r\nAs the server commands are sent as a response to a status update from the user, it is not unimaginable that special code will be sent for specific events, such as when a smart card is detected on the system.\r\nInterestingly, in all the banker modules we analyzed (the latest one having a compilation time of January 18th), there is a string “TEST_BOTNET” that is sent in every communication with the C\u0026C. At this point, it is unclear what this means as people and organizations have already been compromised by this malware. As we believe this operation has been ongoing for more than a year, this is intriguing. Perhaps the future holds the answer.\r\nConclusion\r\nWe can imagine the fraudsters operating in this way: they first compromise a single computer in a business by sending spam and luring the person into opening the attachment.\r\nOnce the malware is installed on the victim's computer, the cybercriminals have access to several tools that will help them to first compromise other computers in the company and second, spy on the user and see whether some fraudulent banking transactions can be performed.\r\nWhile the tools and software used in this campaign are far from being novel, the overall campaign is quite interesting and intriguing: it diverges quite a bit from the traditional banking malware with which we are familiar.\r\nThis campaign is using specific tools to reach its goal, akin to what we are accustomed to seeing in targeted attacks. Seeing a campaign like this, inevitably the Anunak/Carbanak campaign documented by Fox-IT and Kaspersky comes to mind. Although we believe that this campaign is different, some similarities were observed. 
The infection vector is similar; it uses a similarly modified Mimikatz application, it uses a third-party remote access tool, it changes system settings to allow concurrent RDP sessions, and so on.\r\nIt will be interesting to see whether this kind of operation will become the norm and if the popularity of traditional banking trojan families will diminish in turn.\r\nSpecial thanks to Anton Cherepanov and Joan Calvet for their help in this analysis.\r\nHashes\r\nIndicators of Compromise\r\nIndicator Value\r\nC\u0026C Domains\r\nstore.kontur-expres.com\r\nbalans2w.balans2.com\r\nforum.buhonline.info\r\nrss.mercurynews.biz\r\ntopic.buhgalter-info.com\r\nhelp.b-kontur.org\r\nC\u0026C Hardcoded IP 91.218.231.79\r\n7z self-extracting executable URLs hXXp://playback.savefrom.biz/video/video1.cab\r\nhXXp://playback.savefrom.biz/video/video_1.cab\r\nhXXp://download.sendspace.biz/file/install.cab\r\nhXXp://download.sendspace.biz/file/l.cab\r\nhXXp://library.source-forge.info/cab/cabinstal.cab\r\nhXXp://library.source-forge.info/cab/cabinstal3.cab\r\nhXXp://new.pikabu-story.com/file/file1.cab\r\nhXXp://getdownloadsfile.com/file/new1.cab\r\nhXXp://new.pikabu-story.com/file/mega.cab\r\nDecoy document name\r\nСчет № 522375-ФЛОРЛ-14-115.doc\r\nkontrakt87.doc\r\nSource: https://www.welivesecurity.com/2015/04/09/operation-buhtrap/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2015/04/09/operation-buhtrap/"
	],
	"report_names": [
		"operation-buhtrap"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434121,
	"ts_updated_at": 1775792102,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/660bd79b220d27e53736c6bf86901061c4f2e6c4.pdf",
		"text": "https://archive.orkl.eu/660bd79b220d27e53736c6bf86901061c4f2e6c4.txt",
		"img": "https://archive.orkl.eu/660bd79b220d27e53736c6bf86901061c4f2e6c4.jpg"
	}
}