{
	"id": "b4929b2f-c9a0-41a8-bbf9-3f4e5a732c85",
	"created_at": "2026-04-06T00:20:20.591935Z",
	"updated_at": "2026-04-10T03:36:36.593088Z",
	"deleted_at": null,
	"sha1_hash": "7c0a4b54b8d7373c8cc2289ad412a0cae473dfa0",
	"title": "Citadel (malware)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55142,
	"plain_text": "Citadel (malware)\r\nBy Contributors to Wikimedia projects\r\nPublished: 2016-05-10 · Archived: 2026-04-05 14:25:45 UTC\r\nFrom Wikipedia, the free encyclopedia\r\nCitadel is a piece of massively-distributed malware based upon Zeus.\r\n[1]\r\n It targets credentials stored in password\r\nmanagers such as Keepass, Password Safe and neXus Personal Security Client.\r\n[2]\r\nBy 2017 (it was first identified in 2011)[3] Citadel had infected about 11 million computers worldwide and had\r\ncaused over $500 million in losses.[4]\r\nOn March 20, 2017, having been extradited from Norway to the United States, a Russian computer science\r\nprofessional Mark Vartanyan pleaded guilty to a computer fraud charge for his part in developing the Control\r\nPanel for Citadel. In July 2017, he was sentenced to 5 years in federal prison.\r\n[5]\r\nConficker\r\nCommand and control (malware)\r\nGameover ZeuS, the successor to ZeuS\r\nOperation Tovar\r\nTimeline of computer viruses and worms\r\nTiny Banker Trojan\r\nTorpig\r\nZeus (malware)\r\nZombie (computer science)\r\n1. ^ Segura, Jérôme (5 November 2012). \"Citadel: a cyber-criminal's ultimate weapon?\". Malwarebytes\r\nLabs.\r\n2. ^ \"Cybercriminals Use Citadel to Compromise Password Management and Authentication Solutions\".\r\nsecurityintelligence.com. 19 November 2014.\r\n3. ^ \"Citadel Banking Malware Is Evolving and Spreading Rapidly, Researchers Warn\". PCWorld.\r\n4. ^ \"Russian sentenced in U.S. to five years prison for 'Citadel' malware\". Reuters. 19 July 2017.\r\n5. ^ \"Russian Citizen who Helped Develop the \"Citadel\" Malware Toolkit is Sentenced\". www.justice.gov. 20\r\nJuly 2017.\r\nSource: https://en.wikipedia.org/wiki/Citadel_(malware)\r\nhttps://en.wikipedia.org/wiki/Citadel_(malware)\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Citadel_(malware)"
	],
	"report_names": [
		"Citadel_(malware)"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434820,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c0a4b54b8d7373c8cc2289ad412a0cae473dfa0.pdf",
		"text": "https://archive.orkl.eu/7c0a4b54b8d7373c8cc2289ad412a0cae473dfa0.txt",
		"img": "https://archive.orkl.eu/7c0a4b54b8d7373c8cc2289ad412a0cae473dfa0.jpg"
	}
}