{
	"id": "a0136dff-0575-4611-ba0a-4d343d379324",
	"created_at": "2026-04-06T01:30:47.636133Z",
	"updated_at": "2026-04-10T13:12:29.440785Z",
	"deleted_at": null,
	"sha1_hash": "678ad058b3b1d73fd5e594432cb93c111a03ff26",
	"title": "Unpacking the unpleasant FIN7 gift: PackXOR",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1747450,
	"plain_text": "Unpacking the unpleasant FIN7 gift: PackXOR\r\nBy Alice Climent-Pommeret\r\nPublished: 2024-09-04 · Archived: 2026-04-06 01:10:31 UTC\r\nPublished on 4 September, 2024 14min\r\nSummary\r\nIn early July 2024, the Sentinel Labs researchers released an extensive article1 about “FIN7 reboot” tooling,\r\nnotably introducing “AvNeutralizer”, an anti-EDR tool. This tool has been found in the wild as a packed payload.\r\nIn this article, we offer a thorough analysis of the associated private packer that we named “PackXOR”, as well as\r\nan unpacking tool. Additionally, while investigating the packer usage, we determined that PackXOR might not be\r\nhttps://harfanglab.io/insidethelab/unpacking-packxor/\r\nPage 1 of 14\n\nexclusively leveraged by FIN7.\r\nBackground\r\nAvNeutralizer and FIN7\r\nIn order to disable EDR (Endpoint Detection and Response) software, AvNeutralizer (also called “AuKill”) relies\r\non vulnerable drivers to terminate EDR-related processes from the kernel.\r\nAccording to Sentinel Labs researchers, AvNeutralizer has been sold since 2022 on “underground” forums such as\r\nxss[.]is , exploit[.]in and “RAMP” by individuals they link with high confidence to the “FIN7” cluster.\r\nSentinel Labs states that AvNeutralizer can be delivered to targets as a packed or unprotected payload since April\r\n2023, as part of ransomware operations from various threat actors.\r\nSentinel Labs also notes that “the packer code is identical across various usages, suggesting that FIN7 provides a\r\nshared obfuscator to their buyers within the AvNeutralizer bundle”1.\r\nHowever, we discovered that PackXOR, the packer for AvNeutralizer, was also used to protect unrelated payloads,\r\nsuch as the “XMRig”2 cryptominer or XMRig + the “R77 rootkit”3, which were additionally obfuscated with the\r\nopen-source “SilentCryptoMiner”4.\r\nThe use of XMRig does not match the known FIN7 TTPs (Tactics, techniques, and procedures). While the packer\r\ncould still have been used on XMRig payloads to test if it is detected by some security products, we believe such a\r\nhypothesis is not consistent with the additional use of the SilentCryptoMiner obfuscator.\r\nPackXOR developers might indeed be connected to the FIN7 cluster, but the packer appears to be used for\r\nactivities that are not related to FIN7.\r\nA catch-up session on packers\r\nIn malware analysis, a “packer” is a tool which is used to compress, encrypt, and/or obfuscate a “payload” (which\r\nwill often be malicious code).\r\nPackers wrap the original malicious code in “packed data”, and produce a “packed binary” as a result. This packed\r\nbinary needs to “unpack” the packed data before the payload can be executed:\r\nFigure 1 – Packing workflow\r\nPackers’ products often contain a decryption stub, which is a small piece of code that is executed first when the\r\npacked binary is executed. This stub decrypts and/or decompresses the malicious code (packed data) into its\r\noriginal form, allowing it to execute.\r\nFigure 2 – Unpacking workflow\r\nThe aim of packing is to hinder the work of malware analysts and antivirus/EDR software, by concealing payloads\r\nand delaying their detection.\r\nPackXOR\r\nPacker logic\r\nPacked data which is produced by the PackXOR packer is structured in 2 sections (see Fig. 3):\r\nA 40-byte header that contains:\r\nXOR key 1, a XOR key used for a first iteration,\r\nthe compressed size of the packed payload,\r\nthe uncompressed size of the packed data,\r\nXOR key 2, a XOR key used for a second iteration;\r\na packed payload.\r\nThis packed data is usually found at the beginning of the PE .data section.\r\nFigure 3 – Data structure of the packed content\r\nIn order to conceal the packed payload, and as explained in the Sentinel Labs article1, the packed binary\r\nimplements (see Fig. 4):\r\n1. A first XOR iteration (with XOR key 1) on LZNT1 compressed data,\r\n2. A decompression of LZNT1 data,\r\n3. A second XOR iteration (with XOR key 2) on the decompressed data.\r\nFigure 4 – Unpacking code\r\nIn a function of the packer that we called Get_and_Call_RtlDecompressBuffer during our analysis, we can see\r\none example of a call to a strings decryption function decrypt_API_DLL_names (see Fig. 5). This strings\r\ndecryption function is described next.\r\nFigure 5 – Call to the “decrypt_api_DLL_names” function\r\nStrings encryption\r\nThe packed binary leverages “Run-Time Dynamic Linking” 5 for some specific Windows API functions that it\r\nneeds to use. The associated required DLLs and Windows API function names are “encrypted” strings in the\r\npacker.\r\nStrings are decrypted just before usage6 by a dedicated function that we called decrypt_API_DLL_name . The\r\n“encryption”7 is implemented using XOR and subtraction operations for each byte of a given string (a string\r\nbeing ASCII-encoded):\r\nFigure 6 – Strings encryption function\r\nEncrypted strings are stored in “data blobs” which match a specific layout:\r\nFigure 7 – Structure of a blob for an encrypted string\r\nThe first byte of the blob (in red) is the XOR key which is used for the byte-by-byte “encryption”.\r\nThe second byte (in green) contains the string length in bytes. Between the string length and the first byte of the\r\nencrypted string, 3 bytes are unused.\r\nIn the packed binary, encrypted data blobs are stored one after the other. The color code used is the same as the\r\none in the illustration below. The non-colored bytes are unused:\r\nFigure 8 – Encrypted data blobs in the packer\r\nAs an example, let’s decrypt the last encrypted data blob that is shown in the screenshot above (see Fig. 8). Here,\r\nthe XOR key is 0x7C . If we follow the “decryption” routine, for each byte of the data blob we need to: XOR\r\nthe byte with the key, then subtract the current byte position index (in the data blob) and 1 from the result.\r\n((13 xor 7C) - 0) - 1 = 6F - 1 = 6E = n\r\n((0A xor 7C) - 1) - 1 = 75 - 1 = 74 = t\r\n((1B xor 7C) - 2) - 1 = 65 - 1 = 64 = d\r\n((0C xor 7C) - 3) - 1 = 6D - 1 = 6C = l\r\n((0D xor 7C) - 4) - 1 = 6D - 1 = 6C = l\r\n((48 xor 7C) - 5) - 1 = 2F - 1 = 2E = .\r\n((17 xor 7C) - 6) - 1 = 65 - 1 = 64 = d\r\n((08 xor 7C) - 7) - 1 = 6D - 1 = 6C = l\r\n((09 xor 7C) - 8) - 1 = 6D - 1 = 6C = l\r\nThe XOR key is different for almost every string in a given binary sample, and changes with every sample.\r\nChanging the XOR keys between strings and samples increases the odds of bypassing static analysis.\r\nPackXOR usage\r\nDuring our research, we could identify 4 different additional payloads (other than AvNeutralizer) that we believe\r\nwith medium to high confidence were packed with PackXOR, because the unpacking code is identical in all\r\nsamples.\r\nThree of the identified samples drop the XMRig2 cryptominer or XMRig + the R77 rootkit3. Between those final\r\npayloads and PackXOR-produced code, we discovered a second and sometimes third layer of obfuscation (see\r\nFig. 9):\r\nsome payloads (SHA-256 e3505901fd44c8f6597ca9c512375b6ecbf3dc21dbae3d373318c99929d62091 and\r\nb86612a6d62a1789031248bdb732b8bff51acaeaa687c3559f0980560a8abf2f ) were packed with the open-source SilentCryptoMiner4 obfuscator,\r\na payload (SHA-256 cf1d985a33b39d332d4bac33d971a004dcd18cea82ff1b291c6a5046e073414d ) which was\r\nobfuscated with SilentCryptoMiner was additionally obfuscated with a “commercial” packing tool\r\n(Hidden Malware Builder8).\r\nFigure 9 – Layers of obfuscation\r\nOne of the packed binary samples we identified (SHA-256\r\n632b068e1b8fbc54eb0b30f01455c73396deb5f8e3bbd3b171fb69b6936a6019 ) dropped another type of payload,\r\nwhich is very similar to a data exfiltration tool that was documented in an article from ReversingLabs in 20219.\r\nUnpacker\r\nAccording to Sentinel Labs and following our own research, it appears PackXOR is used by different ransomware\r\noperators, and to pack different tools. As a result we thought that providing an unpacker could be of use to the\r\ncybersecurity community.\r\nWe developed one which can be downloaded from our Github repository.\r\nusage: packxor_unpacker.py [-h] [--file FILE] [--offset OFFSET]\r\nUnpacker for PackXOR\r\noptions:\r\n -h, --help show this help message and exit\r\n --file FILE Packed PackXOR Malware\r\n --offset OFFSET Optional. Offset of the packed header (in hexadecimal). No prefix (0x, x, etc)\r\nIf you already know the offset of the packed data structure header in the binary you want to unpack, you can pass\r\nit directly with the --offset argument.\r\n$ python packxor_unpacker.py --file 050637.exe --offset 1a00\r\nXOR key for first iteration : 0x1f\r\nXOR key for second iteration : 0x4f\r\nSize of compressed data (in bytes): 62958\r\nSize of uncompressed data (in bytes): 80896\r\nUnpacking SUCCESS\r\nUnpacked file available in 050637_unpacked.exe\r\nHowever, if you don’t have time or don’t want to reverse the binary to find such an offset, no worries! Without\r\n--offset , the script will try to automatically find the header offset and unpack the data.\r\n$ python packxor_unpacker.py --file 050637.exe\r\nOffset header not provided as an argument. Trying to find it anyway.\r\nPacker header found\r\nXOR key for first iteration : 0x1f\r\nXOR key for second iteration : 0x4f\r\nSize of compressed data (in bytes): 62958\r\nSize of uncompressed data (in bytes): 80896\r\nUnpacking SUCCESS\r\nUnpacked file available in 050637_unpacked.exe\r\nAppendix\r\nIndicators of compromise (IOCs)\r\nAssociated IOCs are also available on our GitHub repository.\r\nHashes (SHA-256)\r\nPacked\r\n0506372e2c2b6646c539ac5a08265dd66d0da58a25545e444c25b9a02f8d9a44|AvNeutralizer\r\n146c68ca89b8b0378c2c6fb978892aace0235c7038879e85b3764556b0dbf2a5|AvNeutralizer\r\ncf1d985a33b39d332d4bac33d971a004dcd18cea82ff1b291c6a5046e073414d|XMRig (packed with: PackXOR+Hidden Malware Buil\r\ne3505901fd44c8f6597ca9c512375b6ecbf3dc21dbae3d373318c99929d62091|XMRig (packed with: PackXOR+SilentCryptoMiner)\r\nb86612a6d62a1789031248bdb732b8bff51acaeaa687c3559f0980560a8abf2f|XMRig+R77 (packed with: PackXOR+SilentCryptoMin\r\ndcc7fd38fced82cc04cb6fa0d189d2924163494e542f6c516e6588c110ab7554|Data exfiltrator/bot (packed with: PackXOR)\r\nUnpacked\r\nf15e6ff7f1ba8f7aad1adb88300a5ea367d6b5388f41d602f978d2885aa2ed38|AvNeutralizer\r\n56af567979acaec20bab9a36064ee5f31b96fceaa5487f6ba2db9ff6360d9a51|AvNeutralizer\r\n40a8ffc5bbcb3befc90f269e32ab96b3ff32768f1fc0317a00f86f9b1161cdeb|XMRig+R77 (packed with: SilentCryptoMiner)\r\n42ca0d62a9516cbf4a1ffcd9097d2f2c3b135f82b1c07adf586ef5b23ce96197|XMRig (packed with: Hidden Malware Builder+Sile\r\n1428e14c9c86e8f068e37efc11190ee16f2cdb9bc808308c5450389ee2893c10|XMRig (packed with: SilentCryptoMiner)\r\n632b068e1b8fbc54eb0b30f01455c73396deb5f8e3bbd3b171fb69b6936a6019|Data exfiltrator/bot\r\nYara rule\r\nrule PackXOR\r\n{\r\n meta:\r\n description = \"Detection rule for PackXOR\"\r\n references = \"https://harfanglab.io/insidethelab/unpacking-packxor/\"\r\n hash = \"0506372e2c2b6646c539ac5a08265dd66d0da58a25545e444c25b9a02f8d9a44\"\r\n date = \"2024-08-05\"\r\n author = \"Harfanglab\"\r\n context = \"file\"\r\n strings:\r\n $s_packer_xor = {\r\n 4? 63 [3] // movsxd rax, dword [rsp+0x50 {var_78}]\r\n 4? 8b [2-6] // mov rcx, qword [rsp+0xd0 {arg_8}]\r\n 4? 8b [2-6] // mov rcx, qword [rcx+0x8]\r\n 4? 0? [2] // add rax, qword [rcx+0x50]\r\n 4? 8d [5] // lea rcx, [rel data_140003020]\r\n 0f (b6|b7) [1-5] // movzx eax, byte [rcx+rax]\r\n 0f (b6|b7) [1-5] // movzx ecx, byte [rel data_14002399c]\r\n 4? 8b [2-6] // mov rdx, qword [rsp+0xd0 {arg_8}]\r\n 4? 8b [2-6] // mov rdx, qword [rdx+0x8]\r\n 4? 0? [2] // add rcx, qword [rdx+0x68]\r\n 0f (b6|b7) [1-5] // movzx ecx, cl\r\n 33 ?? // xor eax, ecx\r\n 4? 63 [3] // movsxd rcx, dword [rsp+0x50 {var_78}]\r\n 4? 8b [2-6] // mov rdx, qword [rsp+0xd0 {arg_8}]\r\n 4? 8b [2-6] // mov rdx, qword [rdx+0x8]\r\n 4? 0? [2] // add rcx, qword [rdx+0x48]\r\n 4? 8d [5] // lea rdx, [rel data_140003020]\r\n 88 04 0a // mov byte [rdx+rcx], al\r\n 0f (b6|b7) // movzx eax, byte [rel data_14000301e]\r\n }\r\n $s_packer_decrypt_conf = {\r\n 8b [1-3] // mov eax, dword [rsp+0x4 {i}]\r\n ff ?? // inc eax\r\n 89 [1-3] // mov dword [rsp+0x4 {i}], eax\r\n 0f b6 [1-3] // movzx eax, byte [rsp {var_128}]\r\n 39 [1-3] // cmp dword [rsp+0x4 {i}], eax\r\n 73 ?? // jae 0x140001d59\r\n 8b [1-3] // mov eax, dword [rsp+0x4 {i}]\r\n 83 ?? 05 // add eax, 0x5\r\n 8b ?? // mov eax, eax\r\n 4? 8b [2-6] // mov rcx, qword [rsp+0x130 {arg_8}]\r\n 0f be [1-3] // movsx eax, byte [rcx+rax]\r\n 85 ?? // test eax, eax\r\n 74 ?? // je 0x140001d40\r\n 0f b6 [1-3] // movzx eax, byte [rsp+0x2 {var_126}]\r\n 8b [3] // mov ecx, dword [rsp+0x4 {i}]\r\n 83 ?? 05 // add ecx, 0x5\r\n 8b ?? // mov ecx, ecx\r\n 4? 8b [4-6] // mov rdx, qword [rsp+0x130 {arg_8}]\r\n 0f (be|bf) [1-3] // movsx ecx, byte [rdx+rcx]\r\n 33 ?? // xor eax, ecx\r\n 2b [1-3] // sub eax, dword [rsp+0x4 {i}]\r\n ff ?? // dec eax\r\n 8b [1-3] // mov ecx, dword [rsp+0x4 {i}]\r\n 88 [1-3] // mov byte [rsp+rcx+0x20 {var_108}], al\r\n eb ?? // jmp 0x140001d57\r\n b8 01 00 00 00 // mov eax, 0x1\r\n 4? 6b ?? 00 // imul rax, rax, 0x0\r\n 4? 8b [4-6] // mov rcx, qword [rsp+0x130 {arg_8}]\r\n c6 [1-3] 00 // mov byte [rcx+rax], 0x0\r\n eb ?? // jmp 0x140001d59\r\n eb // jmp 0x140001ce7\r\n }\r\n $s_packer_find_entry_point = {\r\n 4? 63 [1-4] // movsxd rax, dword [rsp {var_38_1}]\r\n 4? 3b [1-4] // cmp rax, qword [rsp+0x20 {var_18_1}]\r\n 73 ?? // jae 0x140001c7f\r\n 48 8b [1-4] // mov rax, qword [rsp+0x10 {var_28_1}]\r\n 0f b7 [1-4] // movzx eax, word [rax]\r\n c1 ?? 0c // sar eax, 0xc\r\n 83 ?? 0a // cmp eax, 0xa\r\n 75 ?? // jne 0x140001c7d\r\n 4? 8b [1-4] // mov rax, qword [rsp+0x8 {var_30}]\r\n 8b [1-4] // mov eax, dword [rax]\r\n 4? 03 [1-4] // add rax, qword [rsp+0x40 {arg_8}]\r\n 4? 8b [1-4] // mov rcx, qword [rsp+0x10 {var_28_1}]\r\n 0f b7 [1-4] // movzx ecx, word [rcx]\r\n 81 ?? ff 0f 00 00 // and ecx, 0xfff\r\n 4? 63 [1-4] // movsxd rcx, ecx\r\n 4? 03 [1-4] // add rax, rcx\r\n 4? 89 [1-4] // mov qword [rsp+0x18 {var_20_1}], rax\r\n 4? 8b [1-4] // mov rax, qword [rsp+0x18 {var_20_1}]\r\n 4? 8b [1-4] // mov rax, qword [rax]\r\n 4? 03 [1-4] // add rax, qword [rsp+0x50 {arg_18}]\r\n 4? 8b [1-4] // mov rcx, qword [rsp+0x18 {var_20_1}]\r\n 4? 89 [1-4] // mov qword [rcx], rax\r\n eb 93 // jmp 0x140001c12\r\n }\r\n $s_packer_find_entry_point_rtlcreateuserthtread = {\r\n 4? 8b [1-4] // mov rax, qword [rsp+0x70 {var_58_1}]\r\n 8b [1-4] // mov eax, dword [rax+0x28]\r\n 4? 03 [1-4] // add rax, qword [rsp+0x68 {var_60_1}]\r\n 4? 89 [2-6] // mov qword [rsp+0x88 {var_40_1}], rax\r\n ff [2-6] // call qword [rsp+0x88 {var_40_1}]\r\n 4? 8d [2-6] // lea rax, [rsp+0x9c {var_2c}]\r\n 4? 89 [1-4] // mov qword [rsp+0x48 {var_80_1}], rax {var_2c}\r\n 4? 8d [2-6] // lea rax, [rsp+0xb8 {var_10}]\r\n 4? 89 [1-4] // mov qword [rsp+0x40 {var_88_1}], rax {var_10}\r\n 4? c7 [3-7] // mov qword [rsp+0x38 {var_90}], 0x0\r\n 4? 8b [2-6] // mov rax, qword [rsp+0x88 {var_40_1}]\r\n 4? 89 [1-4] // mov qword [rsp+0x30 {var_98_1}], rax\r\n 4? c7 [3-7] // mov qword [rsp+0x28 {var_a0}], 0x0\r\n 4? c7 [3-7] // mov qword [rsp+0x20 {var_a8}], 0x0\r\n 4? 33 ?? // xor r9d, r9d {0x0}\r\n 4? ?? 01 // mov r8b, 0x1\r\n 33 ?? // xor edx, edx {0x0}\r\n 4? c? ?? ff ff ff ff // mov rcx, 0xffffffffffffffff\r\n ff // call qword [rsp+0xa0 {var_28_1}]\r\n }\r\n $s_packer_string_encryption = {\r\n 0f B? [1-2] // movzx eax, [rsp+128h+size_string]\r\n 39 [1-3] // cmp [rsp+128h+var_124], eax\r\n 73 ?? // jnb short loc_140001CC9\r\n 8B [1-3] // mov eax, [rsp+128h+var_124]\r\n 83 ?? 05 // add eax, 5\r\n 8B ?? // mov eax, eax\r\n 4? 8B [1-6] // mov rcx, [rsp+128h+arg_0]\r\n 0F B? [1-2] // movsx eax, byte ptr [rcx+rax]\r\n 85 ?? // test eax, eax\r\n 74 ?? // jz short loc_140001CB0\r\n 0f B? [1-3] // movzx eax, [rsp+128h+key]\r\n 8B [1-3] // mov ecx, [rsp+128h+var_124]\r\n 83 ?? 05 // add ecx, 5\r\n 8B ?? // mov ecx, ecx\r\n 4? 8B [1-6] // mov rdx, [rsp+128h+arg_0]\r\n 0F B? [1-2] // movsx ecx, byte ptr [rdx+rcx]\r\n 33 ?? // xor eax, ecx\r\n 2B [1-3] // sub eax, [rsp+128h+var_124]\r\n FF ?? // dec eax\r\n 8B [1-3] // mov ecx, [rsp+128h+var_124]\r\n 88 [1-3] // mov [rsp+rcx+128h+decrypted_string], al\r\n EB // jmp short loc_140001CC7\r\n }\r\n condition:\r\n uint16(0) == 0x5A4D\r\n and uint32(uint32(0x3C)) == 0x00004550\r\n and filesize \u003c 20MB\r\n and 2 of ($s_packer*)\r\n}\r\n1. https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/ ↩ ↩ ↩\r\n2. https://github.com/xmrig/xmrig ↩ ↩\r\n3. https://bytecode77.com/r77-rootkit ↩ ↩\r\n4. https://github.com/SilentCryptoMiner/SilentCryptoMiner ↩ ↩\r\n5. Run-time dynamic linking is a way to load DLLs (Dynamic Link Library) and import functions from\r\nthem only when needed, rather than at the executable startup. This process involves the Windows API\r\nfunctions GetModuleHandle , LoadLibrary , and GetProcAddress . Malware often uses run-time\r\ndynamic linking in order to evade detection from static analysis tools. ↩\r\n6. Strings are “decrypted” just before usage in LoadLibrary and GetProcAddress functions. ↩\r\n7. https://archive.org/details/flooved1478/page/n1/mode/2up ↩\r\n8. https://poison.tools/product/poison-fud-crypter/ ↩\r\n9. https://www.reversinglabs.com/blog/data-exfiltrator ↩\r\nSource: https://harfanglab.io/insidethelab/unpacking-packxor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://harfanglab.io/insidethelab/unpacking-packxor/"
	],
	"report_names": [
		"unpacking-packxor"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439047,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/678ad058b3b1d73fd5e594432cb93c111a03ff26.pdf",
		"text": "https://archive.orkl.eu/678ad058b3b1d73fd5e594432cb93c111a03ff26.txt",
		"img": "https://archive.orkl.eu/678ad058b3b1d73fd5e594432cb93c111a03ff26.jpg"
	}
}