{
	"id": "6b56f395-399c-4f10-a9cf-5ebef0ed1bae",
	"created_at": "2026-04-06T00:21:27.247491Z",
	"updated_at": "2026-04-10T13:13:04.655044Z",
	"deleted_at": null,
	"sha1_hash": "6b5736beaaed9cdd901199d904181dd87d637555",
	"title": "The Hunt for Lurk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3163543,
	"plain_text": "The Hunt for Lurk\r\nBy Ruslan Stoyanov\r\nPublished: 2016-08-30 · Archived: 2026-04-05 13:25:18 UTC\r\nIn early June, 2016, the Russian police arrested the alleged members of the criminal group known as Lurk. The\r\npolice suspected Lurk of stealing nearly three billion rubles, using malicious software to systematically withdraw\r\nlarge sums of money from the accounts of commercial organizations, including banks. For Kaspersky Lab, these\r\narrests marked the culmination of a six-year investigation by the company’s Computer Incidents Investigation\r\nteam. We are pleased that the police authorities were able to put the wealth of information we accumulated to\r\ngood use: to detain suspects and, most importantly, to put an end to the theft. We ourselves gained more\r\nknowledge from this investigation than from any other. This article is an attempt to share this experience with\r\nother experts, particularly the IT security specialists in companies and financial institutions that increasingly find\r\nthemselves the targets of cyber-attacks.\r\nWhen we first encountered Lurk, in 2011, it was a nameless Trojan. It all started when we became aware of a\r\nnumber of incidents at several Russian banks that had resulted in the theft of large sums of money from customers.\r\nTo steal the money, the unknown criminals used a hidden malicious program that was able to interact\r\nautomatically with the financial institution’s remote banking service (RBS) software; replacing bank details in\r\npayment orders generated by an accountant at the attacked organization, or even generating such orders by itself.\r\nIn 2016, it is hard to imagine banking software that does not demand some form of additional authentication, but\r\nthings were different back in 2011. In most cases, the attackers only had to infect the computer on which the RBS\r\nsoftware was installed in order to start stealing the cash. 
Russia’s banking system, like those of many other\r\ncountries, was unprepared for such attacks, and cybercriminals were quick to exploit the security gap.\r\nWe participated in the investigation of several incidents involving the nameless malware, and sent samples to our\r\nmalware analysts. They created a signature to see if any other infections involving it had been registered, and\r\ndiscovered something very unusual: our internal malware naming system insisted that what we were looking at\r\nwas a Trojan that could be used for many things (spamming, for example) but not stealing money.\r\nOur detection systems suggest that a program with a certain set of functions can sometimes be mistaken for\r\nsomething completely different. In the case of this particular program the cause was slightly different: an\r\ninvestigation revealed that it had been detected by a “common” signature because it was doing nothing that could\r\nlead the system to include it in any specific group, for example, that of banking Trojans.\r\nWhatever the reason, the fact remained that the malicious program was used for the theft of money.\r\nSo we decided to take a closer look at the malware. The first attempts to understand how the program worked\r\ngave our analysts nothing. Regardless of whether it was launched on a virtual or a real machine, it behaved in the\r\nsame way: it didn’t do anything. This is how the program, and later the group behind it, got its name. To “lurk”\r\nmeans to hide, generally with the intention of ambush.\r\nhttps://securelist.com/the-hunt-for-lurk/75944/\r\nPage 1 of 12\n\nWe were soon able to help investigate another incident involving Lurk. This time we got a chance to explore the\r\nimage of the attacked computer. There, in addition to the familiar malicious program, we found a .dll file with\r\nwhich the main executable file could interact. 
This was our first piece of evidence that Lurk had a modular\r\nstructure.\r\nLater discoveries suggest that, in 2011, Lurk was still at an early stage of development. It was formed of just two\r\ncomponents, a number that would grow considerably over the coming years.\r\nThe additional file we uncovered did little to clarify the nature of Lurk. It was clear that it was a Trojan targeting\r\nRBS and that it was used in a relatively small number of incidents. In 2011, attacks on such systems were starting\r\nto grow in popularity. Other, similar, programs were already known about, the earliest detected as far back as\r\n2006, with new malware appearing regularly since then. These included ZeuS, SpyEye and Carberp, among others. In this\r\nseries, Lurk represented yet another dangerous piece of malware.\r\nIt was extremely difficult to make Lurk work in a lab environment. New versions of the program appeared only\r\nrarely, so we had few opportunities to investigate new incidents involving Lurk. A combination of these factors\r\ninfluenced our decision to postpone our active investigation into this program and turn our attention to more\r\nurgent tasks.\r\nA change of leader\r\nFor about a year after we first met Lurk, we heard little about it. It later turned out that the incidents involving this\r\nmalicious program were buried in the huge amount of similar incidents involving other malware. In May 2011, the\r\nsource code of ZeuS had been published on the Web and this resulted in the emergence of many program\r\nmodifications developed by small groups of cybercriminals.\r\nIn addition to ZeuS, there were a number of other unique financial malware programs. In Russia, there were\r\nseveral relatively large cybercriminal groups engaged in financial theft via attacks on RBS. Carberp was the most\r\nactive among them. At the end of March 2012, the majority of its members were arrested by the police. 
This event\r\nsignificantly affected the Russian cybercriminal world as the gang had stolen hundreds of millions of rubles\r\nduring a few years of activity, and was considered a “leader” among cybercriminals. However, by the time of the\r\narrests, Carberp’s reputation as a major player was already waning. There was a new challenger for the crown.\r\nA few weeks before the arrests, the sites of a number of major Russian media, such as the agency “RIA Novosti”,\r\nGazeta.ru and others, had been subjected to a watering hole attack. The unknown cybercriminals behind this\r\nattack distributed their malware by exploiting a vulnerability in the websites’ banner exchange system. A visitor to\r\nthe site would be redirected to a fraudulent page containing a Java exploit. Successful exploitation of the\r\nvulnerability initiated the launch of a malicious program whose main function was collecting information on the\r\nattacked computer, sending it to a malicious server, and in some cases receiving and installing an extra load from\r\nthe server.\r\nThe code on the main page of RIA.ru that is used to download additional content from AdFox.ru\r\nFrom a technical perspective, the malicious program was unusual. Unlike most other malware, it left no traces on\r\nthe hard drive of the system attacked and worked only in the RAM of the machine. This approach is not often used\r\nin malware, primarily because the resulting infection is “short-lived”: malware exists in the system only until the\r\ncomputer is restarted, at which point the process of infection needs to be started anew. But, in the case of these\r\nattacks, the secret “bodiless” malicious program did not have to gain a foothold in the victim’s system. Its primary\r\njob was to explore; its secondary role was to download and install additional malware. 
Another fascinating detail\r\nwas the fact that the malware was only downloaded in a small number of cases, when the victim computer turned\r\nout to be “interesting”.\r\nPart of the Lurk code responsible for downloading additional modules\r\nAnalysis of the bodiless malicious program showed that it was “interested” in computers with remote banking\r\nsoftware installed. More specifically, RBS software created by Russian developers. Much later we learned that this\r\nunnamed, bodiless module was a mini, one of the malicious programs which used Lurk. But at the time we were\r\nnot sure whether the Lurk we had known since 2011, and the Lurk discovered in 2012, were created by the same\r\npeople. We had two hypotheses: either Lurk was a program written for sale, and both the 2011 and 2012 versions\r\nwere the result of the activity of two different groups, which had each bought the program from the author; or the\r\n2012 version was a modification of the previously known Trojan.\r\nThe second hypothesis turned out to be correct.\r\nInvisible war with banking software\r\nA small digression. Remote banking systems consist of two main parts: the bank and the client. The client part is a\r\nsmall program that allows the user (usually an accountant) to remotely manage their organization’s accounts.\r\nThere are only a few developers of such software in Russia, so any Russian organization that uses RBS relies on\r\nsoftware developed by one of these companies. For cybercriminal groups specializing in attacks on RBS, this\r\nlimited range of options plays straight into their hands.\r\nIn April 2013, a year after we found the “bodiless” Lurk module, the Russian cybercriminal underground\r\nexploited several families of malicious software that specialized in attacks on banking software. 
Almost all\r\noperated in a similar way: during the exploration stage they found out whether the attacked computer had the\r\nnecessary banking software installed. If it did, the malware downloaded additional modules, including ones\r\nallowing for the automatic creation of unauthorized payment orders, changing details in legal payment orders, etc.\r\nThis level of automation became possible because the cybercriminals had thoroughly studied how the banking\r\nsoftware operated and “tailored” their malicious software modules to a specific banking solution.\r\nThe people behind the creation and distribution of Lurk had done exactly the same: studying the client component\r\nof the banking software and modifying their malware accordingly. In fact, they created an illegal add-on to the\r\nlegal RBS product.\r\nThrough the information exchanges used by people in the security industry, we learned that several Russian banks\r\nwere struggling with malicious programs created specifically to attack a particular type of legal banking software.\r\nSome of them were having to release weekly patches to customers. These updates would fix the immediate\r\nsecurity problems, but the mysterious hackers “on the other side” would quickly release a new version of malware\r\nthat bypassed the upgraded protection created by the authors of the banking programs.\r\nIt should be understood that this type of work – reverse-engineering a professional banking product – cannot\r\neasily be undertaken by an amateur hacker. In addition, the task is tedious and time-consuming and not the kind to\r\nbe performed with great enthusiasm. It would need a team of specialists. But who in their right mind would openly\r\ntake up illegal work, and who might have the money to finance such activities? 
In trying to answer these\r\nquestions, we eventually came to the conclusion that every version of Lurk probably had an organized group of\r\ncybersecurity specialists behind it.\r\nThe relative lull of 2011-2012 was followed by a steady increase in notifications of Lurk-based incidents resulting\r\nin the theft of money. Due to the fact that affected organizations turned to us for help, we were able to collect ever\r\nmore information about the malware. By the end of 2013, the information obtained from studying hard drive\r\nimages of attacked computers as well as data available from public sources, enabled us to build a rough picture of\r\na group of Internet users who appeared to be associated with Lurk.\r\nThis was not an easy task. The people behind Lurk were pretty good at anonymizing their activity on the network.\r\nFor example, they were actively using encryption in everyday communication, as well as false data for domain\r\nregistration, services for anonymous registration, etc. In other words, it was not as easy as simply looking\r\nsomeone up on “Vkontakte” or Facebook using the name from Whois, which can happen with other, less\r\nprofessional groups of cybercriminals, such as Koobface. The Lurk gang did not make such blunders. Yet\r\nmistakes, seemingly insignificant and rare, still occurred. And when they did, we caught them.\r\nNot wishing to give away free lessons in how to run a conspiracy, I will not provide examples of these mistakes,\r\nbut their analysis allowed us to build a pretty clear picture of the key characteristics of the gang. We realized that\r\nwe were dealing with a group of about 15 people (although by the time it was shut down, the number of “regular”\r\nmembers had risen to 40). This team provided the so-called “full cycle” of malware development, delivery and\r\nmonetization – rather like a small, software development company. 
At that time the “company” had two key\r\n“products”: the malicious program, Lurk, and a huge botnet of computers infected with it. The malicious program\r\nhad its own team of developers, responsible for developing new functions, searching for ways to “interact” with\r\nRBS systems, providing stable performance and fulfilling other tasks. They were supported by a team of testers\r\nwho checked the program performance in different environments. The botnet also had its own team\r\n(administrators, operators, money flow manager, and other partners working with the bots via the administration\r\npanel) who ensured the operation of the command and control (C\u0026C) servers and protected them from detection\r\nand interception.\r\nDeveloping and maintaining this class of malicious software requires professionals and the leaders of the group\r\nhunted for them on job search sites. Examples of such vacancies are covered in my article about Russian financial\r\ncybercrime. The description of the vacancy did not mention the illegality of the work on offer. At the interview,\r\nthe “employer” would question candidates about their moral principles: applicants were told what kind of work\r\nthey would be expected to do, and why. Those who agreed got in.\r\nA fraudster has advertised a job vacancy for java / flash specialists on a popular Ukrainian website. The job\r\nrequirements include a good level of programming skills in Java, Flash, knowledge of JVM / AVM specifications,\r\nand others. The organizer offers remote work and full employment with a salary of $2,500.\r\nSo, every morning, from Monday to Friday, people in different parts of Russia and Ukraine sat down in front of\r\ntheir computer and started to “work”. The programmers “tuned” the functions of malware modifications, after\r\nwhich the testers carried out the necessary tests on the quality of the new product. 
Then the team responsible for\r\nthe botnet and for the operation of the malware modules and components uploaded the new version onto the\r\ncommand server, and the malicious software on botnet computers was automatically updated. They also studied\r\ninformation sent from infected computers to find out whether they had access to RBS, how much money was\r\ndeposited in clients’ accounts, etc.\r\nThe money flow manager, responsible for transferring the stolen money into the accounts of money mules, would\r\npress the button on the botnet control panel and send hundreds of thousands of rubles to accounts that the “drop\r\nproject” managers had prepared in advance. In many cases they didn’t even need to press the button: the malicious\r\nprogram substituted the details of the payment order generated by the accountant, and the money went directly to\r\nthe accounts of the cybercriminals and on to the bank cards of the money mules, who cashed it via ATMs, handed\r\nit over to the money mule manager who, in turn, delivered it to the head of the organization. The head would then\r\nallocate the money according to the needs of the organization: paying a “salary” to the employees and a share to\r\nassociates, funding the maintenance of the expensive network infrastructure, and of course, satisfying their own\r\nneeds. This cycle was repeated several times.\r\nEach member of the typical criminal group has their own responsibilities.\r\nThese were the golden years for Lurk. The shortcomings in RBS transaction protection meant that stealing money\r\nfrom a victim organization through an accountant’s infected machine did not require any special skills and could\r\neven be automated. 
But all “good things” must come to an end.\r\nThe end of “auto money flow” and the beginning of hard times\r\nThe explosive growth of thefts committed by Lurk and other cybercriminal groups forced banks, their IT security\r\nteams and banking software developers to respond.\r\nFirst of all, the developers of RBS software blocked public access to their products. Before the appearance of\r\nfinancial cybercriminal gangs, any user could download a demo version of the program from the manufacturer’s\r\nwebsite. Attackers used this to study the features of banking software in order to create ever more tailored\r\nmalicious programs for it. Finally, after many months of “invisible war” with cybercriminals, the majority of RBS\r\nsoftware vendors succeeded in perfecting the security of their products.\r\nAt the same time, the banks started to implement dedicated technologies to counter the so-called “auto money\r\nflow”, the procedure which allowed the attackers to use malware to modify the payment order and steal money\r\nautomatically.\r\nBy the end of 2013, we had thoroughly explored the activity of Lurk and collected considerable information about\r\nthe malware. At our farm of bots, we could finally launch a consistently functioning malicious script, which\r\nallowed us to learn about all the modifications cybercriminals had introduced into the latest versions of the\r\nprogram. Our team of analysts had also made progress: by the year’s end we had a clear insight into how the\r\nmalware worked, what it comprised and what optional modules it had in its arsenal.\r\nMost of this information came from the analysis of incidents caused by Lurk-based attacks. 
We were\r\nsimultaneously providing technical consultancy to the law enforcement agencies investigating the activities of this\r\ngang.\r\nIt was clear that the cybercriminals were trying to counteract the changes introduced in banking and IT security.\r\nFor example, once the banking software vendors stopped providing demo versions of their programs for public\r\naccess, the members of the criminal group established a shell company to receive directly any updated versions of\r\nthe RBS software.\r\nThefts declined as a result of improvements in the security of banking software, and the “auto money flow”\r\nbecame less effective. As far as we can judge from the data we have, in 2014 the criminal group behind Lurk\r\nseriously reduced its activity and “lived from hand to mouth”, attacking anyone they could, including ordinary\r\nusers. Even if the attack could bring in no more than a few tens of thousands of rubles, they would still descend to\r\nit.\r\nIn our opinion, this was caused by economic factors: by that time, the criminal group had an extensive and\r\nextremely costly network infrastructure, so, in addition to employees’ salaries, it was necessary to pay for renting\r\nservers, VPN and other technical tools. Our estimates suggest that the network infrastructure alone cost the Lurk\r\nmanagers tens of thousands of dollars per month.\r\nAttempts to come back\r\nIn addition to increasing the number of “minor” attacks, the cybercriminals were trying to solve their cash flow\r\nproblem by “diversifying” the business and expanding their field of activity. This included developing,\r\nmaintaining and renting the Angler exploit pack (also known as XXX). Initially, this was used mainly to deliver\r\nLurk to victims’ computers. 
But as the number of successful attacks started to decline, the owners began to offer\r\nsmaller groups paid access to the tools.\r\nBy the way, judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an\r\nalmost legendary status. Even though many small and medium-sized groups were willing to “work” with them,\r\nthey always preferred to work by themselves. So when Lurk provided other cybercriminals with access to Angler,\r\nthe exploit pack became especially popular – a “product” from the top underground authority did not need\r\nadvertising. In addition, the exploit pack was actually very effective, delivering a very high percentage of\r\nsuccessful vulnerability exploitations. It didn’t take long for it to become one of the key tools on the\r\ncriminal2criminal market.\r\nAs for extending the field of activity, the Lurk gang decided to focus on the customers of major Russian banks and\r\nthe banks themselves, whereas previously they had chosen smaller targets.\r\nIn the second half of 2014, we spotted familiar pseudonyms of Internet users on underground forums inviting\r\nspecialists to cooperate on document fraud. Early the following year, several Russian cities were swamped with\r\nannouncements about fraudsters who used fake letters of attorney to re-issue SIM cards without their owners\r\nbeing aware of it.\r\nThe purpose of this activity was to gain access to one-time passwords sent by the bank to the user so that they\r\ncould confirm their financial transaction in the online or remote banking system. The attackers exploited the fact\r\nthat, in remote areas, mobile operators did not always carefully check the authenticity of the documents submitted\r\nand released new SIM cards at the request of cybercriminals. 
Lurk would infect a computer, collect its owner’s\r\npersonal data, generate a fake letter of attorney with the help of “partners” from forums and then request a new\r\nSIM card from the network operator.\r\nOnce the cybercriminals received a new SIM card, they immediately withdrew all the money from the victim’s\r\naccount and disappeared.\r\nAlthough initially this scheme yielded good returns, this didn’t last long, since by then many banks had already\r\nimplemented protection mechanisms to track changes in the unique SIM card number. In addition, the SIM card-based campaign forced some members of the group and their partners out into the open and this helped law\r\nenforcement agencies to find and identify suspects.\r\nAlongside the attempts to “diversify” the business and find new cracks in the defenses of financial businesses,\r\nLurk continued to regularly perform “minor thefts” using the proven method of auto money flow. However, the\r\ncybercriminals were already planning to earn their main money elsewhere.\r\nNew “specialists”\r\nIn February 2015, Kaspersky Lab’s Global Research and Analysis Team (GReAT) released its research into the\r\nCarbanak campaign targeting financial institutions. Carbanak’s key feature, which distinguished it from\r\n“classical” financial cybercriminals, was the participation of professionals in the Carbanak team, providing deep\r\nknowledge of the target bank’s IT infrastructure, its daily routine and the employees who had access to the\r\nsoftware used to conduct financial transactions. Before any attack, Carbanak carefully studied the target, searched\r\nfor weak points and then, at a certain moment in time, committed the theft in no more than a few hours. As it\r\nturned out, Carbanak was not the only group applying this method of attack. 
In 2015, the Lurk team hired similar\r\nexperts.\r\nHow the Carbanak group operated.\r\nWe realized this when we found incidents that resembled Carbanak in style, but did not use any of its tools. This\r\nwas Lurk. The Lurk malware was used as a reliable “back door” to the infrastructure of the attacked organization\r\nrather than as a tool to steal money. Although the functionality that had previously allowed for the near-automatic\r\ntheft of millions no longer worked, in terms of its secrecy Lurk was still an extremely dangerous and\r\nprofessionally developed piece of malware.\r\nHowever, despite its attempts to develop new types of attacks, Lurk’s days were numbered. Thefts continued until\r\nthe spring of 2016. But, either because of an unshakable confidence in their own impunity or because of apathy,\r\nday-by-day the cybercriminals were paying less attention to the anonymity of their actions. They became\r\nespecially careless when cashing money: according to our incident analysis, during the last stage of their activity,\r\nthe cybercriminals used just a few shell companies to deposit the stolen money. But none of that mattered any\r\nmore as both we and the police had collected enough material to arrest suspected group members, which happened\r\nearly in June this year.\r\nNo one on the Internet knows you are a cybercriminal?\r\nMy personal experience of the Lurk investigation made me think that the members of this group were convinced\r\nthey would never be caught. They had grounds to be that presumptuous: they were very thorough in concealing\r\nthe traces of their illegal activity, and generally tried to plan the details of their actions with care. However, like all\r\npeople, they made mistakes. These errors accumulated over the years and eventually made it possible to put a stop\r\nto their activity. 
In other words, although it is easier to hide evidence on the Internet, some traces cannot be\r\nhidden, and eventually a professional team of investigators will find a way to read and understand them.\r\nLurk is neither the first nor the last example to prove this. The infamous banking Trojan SpyEye was used to steal\r\nmoney between 2009 and 2011. Its alleged creator was arrested in 2013, and convicted in 2014.\r\nThe first attacks involving the banking Trojan Carberp began in 2010; the members of the group suspected of\r\ncreating and distributing this Trojan were arrested in 2012 and convicted in 2014. The list goes on.\r\nThe history of these and other cybercriminal groups spans the time when everyone (and members of the groups in\r\nparticular) believed that they were invulnerable and the police could do nothing. The results have proved them\r\nwrong.\r\nUnfortunately, Lurk is not the last group of cybercriminals attacking companies for financial gain. We know about\r\nsome other groups targeting organizations in Russia and abroad. For these reasons, we recommend that all\r\norganizations do the following:\r\nIf your organization was attacked by hackers, immediately call the police and involve experts in digital\r\nforensics. The earlier you contact the police, the more evidence the forensics team will be able to collect, and the\r\nmore information the law enforcement officers will have to catch the criminals.\r\nApply strict IT security policies on terminals from which financial transactions are made and for\r\nemployees working with them.\r\nTeach all employees who have access to the corporate network the rules of safe online behavior.\r\nCompliance with these rules will not completely eliminate the risk of financial attacks but will make it harder for\r\nfraudsters and significantly increase the probability of their making a mistake while trying to overcome these\r\ndifficulties. 
And this will help law enforcement agencies and IT security experts in their work.\r\nP.S.: why does it take so long?\r\nLaw enforcement agencies and IT security experts are often accused of inactivity, allowing hackers to remain at\r\nlarge and evade punishment despite the enormous damage caused to the victims.\r\nThe story of Lurk proves the opposite. In addition, it gives some idea of the amount of work that has to be done to\r\nobtain enough evidence to arrest and prosecute suspects. Unfortunately, the rules of the “game” are not the same\r\nfor all participants: the Lurk group used a professional approach to organizing a cybercriminal enterprise, but, for\r\nobvious reasons, did not find it necessary to abide by the law. As we work with law enforcement, we must respect\r\nthe law. This can be a long process, primarily because of the large number of “paper” procedures and restrictions\r\nthat the law imposes on the types of information we as a commercial organization can work with.\r\nOur cooperation with law enforcement in investigating the activity of this group can be described as a multi-stage\r\ndata exchange. We provided the intermediate results of our work to the police officers; they studied them to\r\nunderstand if the results of our investigation matched the results of their research. Then we got back our data\r\n“enriched” with the information from the law enforcement agencies. Of course, it was not all the information they\r\ncould find; but it was the part which, by law, we had the right to work with. This process was repeated many times\r\nuntil we finally got a complete picture of Lurk activity. However, that was not the end of the case.\r\nA large part of our work with law enforcement agencies was devoted to “translating” the information we could get\r\nfrom “technical” into “legal” language. 
This ensured that the results of our investigation could be described in\r\nsuch a way that they were clear to the judge. This is a complicated and laborious process, but it is the only way to\r\nbring to justice the perpetrators of cybercrimes.\r\nSource: https://securelist.com/the-hunt-for-lurk/75944/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/the-hunt-for-lurk/75944/"
	],
	"report_names": [
		"75944"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434887,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b5736beaaed9cdd901199d904181dd87d637555.pdf",
		"text": "https://archive.orkl.eu/6b5736beaaed9cdd901199d904181dd87d637555.txt",
		"img": "https://archive.orkl.eu/6b5736beaaed9cdd901199d904181dd87d637555.jpg"
	}
}