{
	"id": "cef04334-eefa-4beb-ac69-2cc16119075a",
	"created_at": "2026-04-06T00:22:28.531274Z",
	"updated_at": "2026-04-10T13:11:22.305428Z",
	"deleted_at": null,
	"sha1_hash": "7b791dbf7a70a1a0d81056d383c752d2d858b5d7",
	"title": "Carbanak, Anunak - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 103979,
	"plain_text": "Carbanak, Anunak - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 19:25:43 UTC\r\nHome \u003e List all groups \u003e Carbanak, Anunak\r\n APT group: Carbanak, Anunak\r\nNames\r\nCarbanak (Kaspersky)\r\nAnunak (Group-IB)\r\nCarbon Spider (CrowdStrike)\r\nGold Waterfall (SecureWorks)\r\nELBRUS (Microsoft)\r\nSangria Tempest (Microsoft)\r\nG0008 (MITRE)\r\nCountry Ukraine\r\nMotivation Financial crime, Financial gain\r\nFirst seen 2013\r\nDescription\r\nCarbanak is a threat group that mainly targets banks. It also refers to malware of the\r\nsame name (Carbanak). It is sometimes referred to as FIN7, but these appear to be\r\ntwo groups using the same Carbanak malware and are therefore tracked separately.\r\n(Kaspersky) From late 2013 onwards, several banks and financial institutions have\r\nbeen attacked by an unknown group of cybercriminals. In all these attacks, a similar\r\nmodus operandi was used. According to victims and the law enforcement agencies\r\n(LEAs) involved in the investigation, this could result in cumulative losses of up to 1\r\nbillion USD. The attacks are still active. This report provides a technical analysis of\r\nthese attacks. The motivation for the attackers, who are making use of techniques\r\ncommonly seen in Advanced Persistent Threats (APTs), appears to be financial gain\r\nas opposed to espionage. An analysis of the campaign has revealed that the initial\r\ninfections were achieved using spear phishing emails that appeared to be legitimate\r\nbanking communications, with Microsoft Word 97 – 2003 (.doc) and Control Panel\r\nApplet (.CPL) files attached. 
We believe that the attackers also redirected to exploit\r\nkits website traffic that related to financial activity.\r\nObserved Sectors: Energy, Financial, Food and Agriculture, Healthcare, Hospitality.\r\nCountries: Australia, Austria, Brazil, Bulgaria, Canada, China, Czech, France,\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e5869096-4b2d-406d-b8d1-713eda321457\r\nPage 1 of 5\n\nGermany, Hong Kong, Iceland, India, Luxembourg, Morocco, Nepal, Norway,\nPakistan, Poland, Russia, Spain, Sweden, Switzerland, Taiwan, UK, Ukraine, USA,\nUzbekistan.\nTools used\nAntak, Ave Maria, BABYMETAL, Backdoor Batel, Bateleur, BELLHOP,\nBlackMatter, Boostwrite, Cain \u0026 Abel, Carbanak, Cobalt Strike, Clop, DarkSide,\nDNSMessenger, DNSRat, DRIFTPIN, FlawedAmmyy, FOXGRABBER, Griffon,\nHALFBAKED, JS Flash, KLRD, Mimikatz, MBR Eraser, Odinaff, POWERPIPE,\nPOWERSOURCE, PsExec, SocksBot, SoftPerfect Network Scanner, SQLRAT,\nTeamViewer, TinyMet, WARPRISM.\nOperations performed\nAug 2020\nDarkSide: New targeted ransomware demands million dollar ransoms\nAug 2020\nDarkSide Ransomware hits North American real estate developer\nOct 2020\nRansomware gang donates part of ransom demands to charity\norganizations\nNov 2020\nDarkside Ransomware Gang Launches Affiliate Program\nNov 2020\nDarkSide Ransomware Group Makes New Storage System\nFeb 2021\nLeading Canadian rental car company hit by DarkSide ransomware\nFeb 2021\nEletrobras, Copel energy companies hit by ransomware attacks\nFeb 2021\nHypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER\nTarget ESXi Servers With Ransomware to Maximize Impact\nMar 2021\nDarkside 2.0 Ransomware Promises Fastest Ever Encryption Speeds\nMar 2021\nCompuCom MSP hit by DarkSide ransomware cyberattack\nApr 2021\nCanadian retailer Home Hardware hit by ransomware\nApr 2021\nRansomware gang wants to short the stock price of their victims\nApr 2021\nUS 
chemical distributor shares info on DarkSide ransomware data\ntheft\nApr 2021\nFashion retailer Guess discloses data breach after ransomware attack\nMay 2021\nA Toshiba business unit says it has been attacked by hacking group\nDarkSide\nMay 2021\nChemical distributor pays $4.4 million to DarkSide ransomware\nMay 2021\nLargest U.S. pipeline shuts down operations after ransomware attack\nJul 2021\nBlackMatter ransomware targets companies with revenue of $100\nmillion and more\nAug 2021 Linux version of BlackMatter ransomware targets VMware ESXi\nservers\nAug 2021\nFBI: FIN7 hackers target US companies with BadUSB devices to\ninstall ransomware\nSep 2021\nBlackMatter ransomware hits medical technology giant Olympus\nSep 2021\nUS farmer cooperative hit by $5.9M BlackMatter ransomware attack\nSep 2021\nMarketron marketing services hit by Blackmatter ransomware\nOct 2021\nDarkSide ransomware gang moves some of its Bitcoin after REvil got\nhit by law enforcement\nNov 2021\nBlackMatter: New Data Exfiltration Tool Used in Attacks\nNov 2021\nBlackMatter ransomware moves victims to LockBit after shutdown\nApr 2023\nMicrosoft: Notorious FIN7 hackers return in Clop ransomware attacks\nCounter operations\nMar 2018\nMastermind behind EUR 1 billion cyber bank robbery arrested in\nSpain\nAug 2018\nThree Carbanak cyber heist gang members arrested\nMay 2021\nDarkside ransomware gang says it lost control of its servers \u0026 money\na day after Biden threat\nJul 2021\nDutch police confiscate DarkSide server\nNov 2021\nBlackMatter ransomware says its shutting down due to pressure from\nlocal authorities\nNov 2021\nUS offers $10 million reward for info on Darkside ransomware group\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON 
format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e5869096-4b2d-406d-b8d1-713eda321457",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e5869096-4b2d-406d-b8d1-713eda321457"
	],
	"report_names": [
		"showcard.cgi?u=e5869096-4b2d-406d-b8d1-713eda321457"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "334d00aa-7607-4072-9f5b-00d60bae89a7",
			"created_at": "2023-01-06T13:46:39.280703Z",
			"updated_at": "2026-04-10T02:00:03.272492Z",
			"deleted_at": null,
			"main_name": "GOLD WATERFALL",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD WATERFALL",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4e7d054-d52b-437f-abe6-027d8ea42d51",
			"created_at": "2025-08-07T02:03:25.028729Z",
			"updated_at": "2026-04-10T02:00:03.616558Z",
			"deleted_at": null,
			"main_name": "GOLD WATERFALL",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD WATERFALL",
			"tools": [
				"BlackMatter",
				"CANVAS",
				"Cobalt Strike",
				"Darkside"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "27e51b73-410e-4a33-93a1-49cf8a743cf7",
			"created_at": "2023-01-06T13:46:39.210675Z",
			"updated_at": "2026-04-10T02:00:03.247656Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"SPRITE SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD DUPONT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368",
			"created_at": "2022-10-25T16:07:24.225216Z",
			"updated_at": "2026-04-10T02:00:04.904162Z",
			"deleted_at": null,
			"main_name": "Sprite Spider",
			"aliases": [
				"Gold Dupont",
				"Sprite Spider"
			],
			"source_name": "ETDA:Sprite Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Coroxy",
				"Defray 2018",
				"Defray777",
				"DroxiDat",
				"Glushkov",
				"LaZagne",
				"Metasploit",
				"PyXie",
				"PyXie RAT",
				"Ransom X",
				"RansomExx",
				"SharpHound",
				"Shifu",
				"SystemBC",
				"Target777",
				"Vatet",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider ",
				"Storm-2460 "
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434948,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b791dbf7a70a1a0d81056d383c752d2d858b5d7.pdf",
		"text": "https://archive.orkl.eu/7b791dbf7a70a1a0d81056d383c752d2d858b5d7.txt",
		"img": "https://archive.orkl.eu/7b791dbf7a70a1a0d81056d383c752d2d858b5d7.jpg"
	}
}