{
	"id": "2cdb7c2f-33ec-45e9-a643-f4e7eca395ce",
	"created_at": "2026-04-06T00:14:22.946474Z",
	"updated_at": "2026-04-10T13:11:35.705615Z",
	"deleted_at": null,
	"sha1_hash": "695f75674e6efbfb1ab952e4350a522ae74ef4b2",
	"title": "Operation Buhtrap malware distributed via ammyy.com",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 196873,
	"plain_text": "Operation Buhtrap malware distributed via ammyy.com\r\nBy Jean-Ian Boutin\r\nArchived: 2026-04-05 16:56:32 UTC\r\nESET Research\r\nThe free version of Ammyy's remote administrator software was being served in a bundle that contained an NSIS installer used by the gang behind Operation Buhtrap.\r\n11 Nov 2015 • 4 min. read\r\nWe noticed in late October that users visiting the Ammyy website to download the free version of its remote administrator software were being served a bundle containing not only the legitimate Remote Desktop Software Ammyy Admin, but also an NSIS (Nullsoft Scriptable Installation Software) installer ultimately intended to install the tools used by the Buhtrap gang to spy on and control their victims’ computers.\r\nFigure 1 – Ammyy.com legitimate website\r\nWhile Ammyy Admin is legitimate software, it has a long history of being used by fraudsters. As a result, several security products, such as ESET's, detect it as a Potentially Unsafe Application. However, it is still widely used, notably in Russia.\r\nAs noted in our previous blog on Buhtrap, this gang has been actively targeting Russian businesses, mostly through spear-phishing. It is thus interesting to see them add strategic web compromises to their arsenal. As remote administrator software is routinely used by businesses, it definitely makes sense for this gang to try to compromise visitors to this site. It’s worth noting that Ammyy’s website lists clients that include the top 500 Fortune companies as well as Russian banks.\r\nThe compromise\r\nIt appears Ammyy’s website is now clean and serves the malware-free Ammyy Admin remote administrator package, but for about a week, visitors were downloading an installer that contained both malware and the Ammyy product. After investigation, different malware families were found to have been distributed through Ammyy’s website. The timeline below shows which and when.\r\nThe first malware we saw was the Lurk downloader, which was distributed on October 26th. We then saw Corebot on the 29th, Buhtrap on the 30th, and finally, Ranbyus and the Netwire RAT on November 2nd.\r\nAlthough these families are not linked together, the droppers that might have been downloaded from Ammyy’s website were the same in every case. The executable would install the real Ammyy product, but would also launch a file called either AmmyyService.exe or AmmyySvc.exe, which contained the malicious payload. Thus, it is quite possible that the cybercriminals responsible for the website hack sold access to different groups.\r\nBuhtrap\r\nThe install package behaves in exactly the same way as described in our previous blog. It first fingerprints the system by looking at software installed on the computer and at what URLs have been visited. It then downloads an additional package if the system is deemed valuable. This downloader is signed with the following certificate:\r\nFigure 2 – Downloader’s certificate\r\nWe notified Comodo, which promptly revoked this certificate. The downloaded package is used to spy on the system and ultimately run code to log all keystrokes, enumerate smart cards and communicate with C\u0026C servers. This module has exactly the same functionalities as the one that we analyzed previously and is loaded in memory through a DLL sideloading technique. The main difference this time is that the legitimate application that is used for DLL sideloading is no longer Yandex Punto, but a program called The Guide, a two-pane extrinsic outliner.\r\nOperation Buhtrap is still ongoing and we regularly see new updates coming from the malware’s authors. This group, in much the same way as the Carbanak gang, is using techniques that we are accustomed to seeing in targeted attacks. The fact that they now use strategic web compromises is another sign of the closing gap between techniques used by cybercriminals and by APT actors.\r\nIf you downloaded and installed Ammyy Admin recently, your computer might be compromised by one of the malware families described above. Since we do not know exactly when the attack started nor whether the site is still compromised, we recommend that you take precautionary measures and use or install a security product to scan and protect your computer.\r\nWe tried to contact Ammyy’s developers about this problem for several days and in different ways, but did not receive an answer from them. As Ammyy Admin is widely used, we wanted to warn its users about this security problem.\r\nSpecial thanks to Anton Cherepanov, Peter Košinár and Jan Matušík for their help in this analysis.\r\nIndicator | Value\r\nAmmyy + Lurk downloader (Win32/TrojanDropper.Agent.REV) bundle SHA1 | 11657755FAD6F7B8854959D09D5ED1E0DE01D485\r\nAmmyy + CoreBot (Win32/Agent.RLY) bundle SHA1 | 92CF622E997F43C208DD3835D87A9B984CE73952\r\nAmmyy + Buhtrap (NSIS/TrojanDownloader.Agent.NSU) bundle SHA1 | 44769DD6A5291D1EAC79E78FEE3ED1F147990120\r\nAmmyy + Buhtrap (NSIS/TrojanDownloader.Agent.NSU) bundle SHA1 | 39CE37DC0E3009E536416F5CE25C0E538CBE41E0\r\nAmmyy + Ranbyus (Win32/Spy.Ranbyus.L) bundle SHA1 | 2A336AC995B6526529E01EB6303E229E40D99763\r\nAmmyy + Netwire RAT (Win32/Spy.Weecnaw.A) bundle SHA1 | 10C22B70899E0F0B741C8E10964E663EBD73F4FD\r\nCertificate thumbprint | 71 49 30 ac cf 5d 9a 7f fc d7 8c 0b 58 aa a5 a7 95 38 51 be\r\nCertificate serial number | 00 8b 2f fa 23 26 66 36 f2 30 77 82 66 bb 32 41 47\r\nBuhtrap downloaded package (Win32/RA-based.AB) SHA1 | 07F0B293F29EF13C61B33453E50C8C79C69BF22B\r\nBuhtrap downloaded package URL | http://shevi-reg.com/bor/notepad.cab\r\nSource: https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/"
	],
	"report_names": [
		"operation-buhtrap-malware-distributed-via-ammyy-com"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434462,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/695f75674e6efbfb1ab952e4350a522ae74ef4b2.pdf",
		"text": "https://archive.orkl.eu/695f75674e6efbfb1ab952e4350a522ae74ef4b2.txt",
		"img": "https://archive.orkl.eu/695f75674e6efbfb1ab952e4350a522ae74ef4b2.jpg"
	}
}