{
	"id": "8aae611f-60a9-45d9-aa8b-20588aa12565",
	"created_at": "2026-04-06T00:08:44.466509Z",
	"updated_at": "2026-04-10T13:12:12.87348Z",
	"deleted_at": null,
	"sha1_hash": "7e7421266f14e54dd74b8f644383dcab2295643c",
	"title": "Mahalo FIN7: Responding to the Criminal Operators' New Tools and Techniques | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 290218,
	"plain_text": "Mahalo FIN7: Responding to the Criminal Operators' New Tools\r\nand Techniques | Mandiant\r\nBy Mandiant\r\nPublished: 2019-10-10 · Archived: 2026-04-05 17:04:16 UTC\r\nWritten by: Nick Carr, Josh Yoder, Kimberly Goody, Scott Runnels, Jeremy Kennelly, Jordan Nuce\r\nDuring several recent incident response engagements, FireEye Mandiant investigators uncovered new tools in\r\nFIN7’s malware arsenal and kept pace as the global criminal operators attempted new evasion techniques. In this\r\nblog, we reveal two of FIN7’s new tools that we have called BOOSTWRITE and RDFSNIFFER.\r\nThe first of FIN7's new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads\r\nusing an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes\r\nto this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE\r\nsample where the dropper was signed by a valid Certificate Authority. One of the analyzed BOOSTWRITE\r\nvariants contained two payloads: CARBANAK and RDFSNIFFER. While CARBANAK has been thoroughly\r\nanalyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators.\r\nRDFSNIFFER, a payload of BOOSTWRITE, appears to have been developed to tamper with NCR Corporation's\r\n“Aloha Command Center” client. NCR Aloha Command Center is a remote administration toolset designed to\r\nmanage and troubleshoot systems within payment card processing sectors running the Command Center Agent.\r\nThe malware loads into the same process as the Command Center process by abusing the DLL load order of the\r\nlegitimate Aloha utility. 
Mandiant provided this information to NCR.\r\nBOOSTWRITE Loader: Where You At?\r\nBOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications which load\r\nthe legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. The application loads the\r\n‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant identified instances\r\nwhere BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to\r\nimport DWriteCreateFactory from it rather than the legitimate DWrite.dll.\r\nOnce loaded, `DWrite.dll` connects to a hard-coded IP and port from which it retrieves a decryption key and\r\ninitialization vector (IV) to decrypt two embedded payload DLLs. To accomplish this task, the malware first\r\ngenerates a random file name to be used as a text log under the current user's %TEMP% directory; this filename\r\nstarts with ~rdf and is followed by a set of random numbers. Next, the malware scans its own image to find the\r\nlocation of a 32-byte long multi-XOR key which is used to decode data inside its body. Part of the decoded data is\r\nan IP address and port which are used to retrieve the key and the IV for the decryption of the embedded payloads.\r\nThe encryption algorithm uses the ChaCha stream cipher with a 256-bit key and 64-bit IV.\r\nhttps://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html\r\nPage 1 of 9\n\nOnce the key and the IV are downloaded the malware decrypts the embedded payloads and performs sanity\r\nchecks on the results. The payloads are expected to be PE32.DLLs which, if the tests pass, are loaded into\r\nmemory without touching the filesystem.\r\nThe malware logs various plaintext messages to the previously created logfile %TEMP%\\~rds\u003crnd_numbers\u003e\r\nwhich are indicative of the loader’s execution progress. 
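Before looking at the log in Figure 1, here is an added worked example of the decrypt-then-validate step just described. It is Python written for this page, not code from FireEye's analysis or from the malware: it implements ChaCha20 in the original DJB layout that goes with a 64-bit IV (a 64-bit block counter plus a 64-bit nonce, as opposed to the 96-bit nonce of the IETF variant), decrypts an embedded blob with a key and IV that would in practice come from the hard-coded C2, and accepts the result only if it passes PE32 DLL sanity checks. The key, IV and stub DLL are constructed inline; the initial counter value and the exact set of checks BOOSTWRITE performs are not stated on this page, so those are assumptions.

```python
import struct

MASK32 = 0xFFFFFFFF
SIGMA = b'expand 32-byte k'            # ChaCha constant words
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_DLL = 0x2000


def _rotl(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    # Original (DJB) ChaCha state: constants, 256-bit key, 64-bit block
    # counter (words 12-13), 64-bit nonce (words 14-15). The IETF variant
    # instead uses a 32-bit counter and a 96-bit nonce.
    state = list(struct.unpack('<4I', SIGMA))
    state += struct.unpack('<8I', key)
    state += struct.unpack('<2I', struct.pack('<Q', counter))
    state += struct.unpack('<2I', nonce)
    working = state[:]
    for _ in range(10):                    # 20 rounds = 10 double rounds
        _quarter_round(working, 0, 4, 8, 12)
        _quarter_round(working, 1, 5, 9, 13)
        _quarter_round(working, 2, 6, 10, 14)
        _quarter_round(working, 3, 7, 11, 15)
        _quarter_round(working, 0, 5, 10, 15)
        _quarter_round(working, 1, 6, 11, 12)
        _quarter_round(working, 2, 7, 8, 13)
        _quarter_round(working, 3, 4, 9, 14)
    return struct.pack('<16I', *[(w + s) & MASK32 for w, s in zip(working, state)])


def chacha20_xor(key, nonce, data, counter=0):
    # Encrypt and decrypt are the same XOR. Starting the counter at 0 is an
    # assumption; the page does not state what BOOSTWRITE starts at.
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError('need a 32-byte key and an 8-byte IV')
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def looks_like_pe32_dll(blob):
    # The kind of sanity check a loader runs before mapping a decrypted
    # payload: MZ magic, PE signature, x86 machine type and the DLL flag.
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew, = struct.unpack_from('<I', blob, 0x3C)
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        return False
    machine, = struct.unpack_from('<H', blob, e_lfanew + 4)
    characteristics, = struct.unpack_from('<H', blob, e_lfanew + 22)
    return machine == IMAGE_FILE_MACHINE_I386 and bool(characteristics & IMAGE_FILE_DLL)


def decrypt_payload(blob, key, iv):
    # Returns the decrypted image, or None when it fails the sanity checks.
    plain = chacha20_xor(key, iv, blob)
    return plain if looks_like_pe32_dll(plain) else None


def build_stub_pe32_dll():
    # Constructed sample: DOS header with e_lfanew=0x40 and a bare COFF
    # header for a 32-bit DLL. Not loadable; just enough for the checks.
    dos = b'MZ' + bytes(0x3A) + struct.pack('<I', 0x40)
    coff = b'PE' + bytes(2) + struct.pack('<HHIIIHH', IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0, IMAGE_FILE_DLL | 0x0102)
    return dos + coff + b'stub payload body, long enough to span a second ChaCha block'


def demo():
    key = bytes(range(32))   # constructed; in practice fetched from the C2 at runtime
    iv = bytes(range(8))
    dll = build_stub_pe32_dll()
    embedded = chacha20_xor(key, iv, dll)          # what would sit inside the loader
    good = decrypt_payload(embedded, key, iv) == dll
    rejected = decrypt_payload(embedded, bytes(32), iv) is None   # wrong key -> garbage
    return good, rejected
```

The K:[32] V:[8] line in the loader's own log (Figure 1) is consistent with these lengths: a 32-byte key and an 8-byte IV.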
An example of the file content is shown in Figure 1:\r\nLoading...\r\nStarting...\r\nInit OK\r\nKey OK\r\nData: 4606941\r\nHS: 20\r\nK:[32] V:[8]\r\nDCnt: 732642317(ERR)\r\nFigure 1: BOOSTWRITE log file\r\nBefore exiting, the malware resolves the location of the benign DWrite.dll library and passes the execution control\r\nto its DWriteCreateFactory method.\r\nThe malware decrypts and loads two payload DLLs. One of the DLLs is an instance of the CARBANAK\r\nbackdoor; the other DLL is a tool tracked by FireEye as RDFSNIFFER which allows an attacker to hijack\r\ninstances of the NCR Aloha Command Center Client application and interact with victim systems via existing\r\nlegitimate 2FA sessions.\r\nRDFSNIFFER Module: We Smell a RAT\r\nRDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with\r\nlegitimate connections made via NCR Corporation’s ‘Aloha Command Center Client’ (RDFClient), an application\r\ndesigned to provide visibility and system management capabilities to remote IT techs. RDFSNIFFER loads into\r\nthe same process as the legitimate RDFClient by abusing the utility’s DLL load order, launching each time the\r\n‘Aloha Command Center Client’ is executed on an impacted system.\r\nWhen the RDFSNIFFER module is loaded by BOOSTWRITE it hooks several Win32 API functions intended to\r\nenable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user-interface\r\n(Table 1). 
Furthermore, this enables the malware to alter the user’s last input time to ensure application sessions\r\ndo not time out.\r\nWin32 API Function | Hook Description\r\nCertVerifyCertificateChainPolicy | Used to man-in-the-middle SSL sessions\r\nCertGetCertificateChain | Used to man-in-the-middle SSL sessions\r\nWSAConnect | Used to man-in-the-middle socket connections\r\nconnect | Used to man-in-the-middle socket connections\r\nConnectEx | Used to man-in-the-middle socket connections\r\nDispatchMessageW | Used to hijack the utility's UI\r\nDispatchMessageA | Used to hijack the utility's UI\r\nDefWindowProcW | Used to hijack the utility's UI\r\nDefWindowProcA | Used to hijack the utility's UI\r\nGetLastInputInfo | Used to change the user's last input time (to avoid timed lock outs)\r\nTable 1: RDFSNIFFER’s Hooked Win32 API Functions\r\nThis module also contains a backdoor component that enables it to inject commands into an active RDFClient\r\nsession. This backdoor allows an attacker to upload, download, execute and/or delete arbitrary files (Table 2).\r\nCommand Name | Legit Function in RDFClient | RDFClient Command ID | Description\r\nUpload | FileMgrSendFile | 107 | Uploads a file to the remote system\r\nDownload | FileMgrGetFile | 108 | Retrieves a file from the remote system\r\nExecute | RunCommand | 3001 | Executes a command on the remote system\r\nDeleteRemote | FileMgrDeleteFile | 3019 | Deletes a file on the remote system\r\nDeleteLocal | - | - | Deletes a local file\r\nTable 2: RDFSNIFFER’s Backdoor Functions\r\nSigned: Yours Truly, FIN7\r\nWhile the majority of BOOSTWRITE variants recovered from investigations have been unsigned, Mandiant\r\nidentified a signed BOOSTWRITE sample used by FIN7 during a recent investigation. Following that discovery, a\r\nsigned BOOSTWRITE sample was uploaded to VirusTotal on October 3. 
This executable uses a code signing\r\ncertificate issued to MANGO ENTERPRISE LIMITED (Table 3).\r\nMD5 | Organization | Country | Serial\r\na67d6e87283c34459b4660f19747a306 | mango ENTERPRISE LIMITED | GB | 32 7F 8F 10 74 78 42 4A BE B8 2A 85 DC 36 57 03 CC 82 70 5B\r\nTable 3: Code signing certificate used for BOOSTWRITE\r\nThis indicates the operators may be actively altering this malware to avoid traditional detection mechanisms.\r\nNotably, the signed BOOSTWRITE sample had a 0/68 detection ratio when it was uploaded to VirusTotal,\r\ndemonstrating the effectiveness of this tactic (Figure 2).\r\nFigure 2: Current VirusTotal detection ratio for signed BOOSTWRITE\r\nUse of a code signing certificate for BOOSTWRITE is not a completely new technique for FIN7 as the group has\r\nused digital certificates in the past to sign their phishing documents, backdoors, and later stage tools. By\r\nexploiting the trust inherently provided by code certificates, FIN7 increases their chances of bypassing various\r\nsecurity controls and successfully compromising victims. The full evasion achieved against the detection engines\r\ndeployed to VirusTotal – as compared to an unsigned BOOSTWRITE sample with an invalid checksum –\r\nillustrates that FIN7’s methods were effective in subverting both traditional detection and ML binary classification\r\nengines. This is a known issue and has been deeply studied since at least 2016’s “Chains of Distrust” research and\r\n2017’s “Certified Malware” paper. Since there are plenty of goodware samples with bad or no signatures – and a\r\ngrowing number of malware samples with good signatures – there is no easy solution here. 
The upside is that\r\nvendors selectively deploy engines to VirusTotal (including FireEye) and VT detection performance often isn’t a\r\ncomprehensive representation of encountering full security technology stacks that implement detection-in-depth.\r\nLater in this blog we further explore BOOSTWRITE’s PE Authenticode signature, its anomalies, and how code\r\nsigning can be turned from a detection challenge into detection opportunities.\r\nOutlook and Implications\r\nWhile these incidents have also included FIN7’s typical and long-used toolsets, such as CARBANAK and\r\nBABYMETAL, the introduction of new tools and techniques provides further evidence FIN7 is continuing to\r\nevolve in response to security enhancements. Further, the use of code signing in at least one case highlights the\r\ngroup's judicious use of resources, potentially limiting their use of these certificates to cases where they have been\r\nattempting to bypass particular security controls. Barring any further law enforcement actions, we expect at least a\r\nportion of the actors who comprise the FIN7 criminal organization to continue conducting campaigns. As a result,\r\norganizations need to remain vigilant and continue to monitor for changes in methods employed by the FIN7\r\nactors.\r\nSigs Up Dudes! Indicators, Toolmarks, and Detection Opportunities\r\nWhile FireEye does not release our production detection logic for the code families, this section does contain\r\nsome identification and hunting concepts that we adopt in our layered detection strategy. 
Table 4 contains malware\r\nsamples referenced in this blog that FireEye is able to share from the larger set recovered during active\r\ninvestigations.\r\nType | Indicator(s)\r\nBOOSTWRITE (signed) | MD5: a67d6e87283c34459b4660f19747a306; SHA-1: a873f3417d54220e978d0ca9ceb63cf13ec71f84; SHA-256: 18cc54e2fbdad5a317b6aeb2e7db3973cc5ffb01bbf810869d79e9cb3bf02bd5; C2: 109.230.199[.]227\r\nBOOSTWRITE (unsigned) | MD5: af2f4142463f42548b8650a3adf5ceb2; SHA-1: 09f3c9ae382fbd29fb47ecdfeb3bb149d7e961a1; SHA-256: 8773aeb53d9034dc8de339651e61d8d6ae0a895c4c89b670d501db8dc60cd2d0; C2: 109.230.199[.]227\r\nTable 4: Publicly-shareable BOOSTWRITE samples\r\nThe signed BOOSTWRITE sample has a PE Authenticode anomaly that can be detected using Yara’s PE\r\nmodule. Specifically, the PE linker timestamp is prior to the Authenticode validity period, as seen in Table 5.\r\nTimestamp | Description\r\n2019-05-20 09:50:55 UTC | Signed BOOSTWRITE’s PE compilation time\r\n2019-05-22 00:00 UTC through 2020-05-21 23:59 UTC | Signed BOOSTWRITE’s “mango ENTERPRISE LIMITED” certificate validity window\r\nTable 5: Relevant executable timestamps\r\nA public example of a Yara rule covering this particular PE Authenticode timestamp anomaly is available in a blog\r\npost from David Cannings, with the key logic shown in Figure 3.\r\npe.number_of_signatures \u003e 0 and not for all i in (0..pe.number_of_signatures - 1):\r\n pe.signatures[i].valid_on(pe.timestamp)\r\nFigure 3: Excerpt of NCC Group’s research Yara rule\r\nOn its own this is a weak signal: legitimate software can be built before its signing certificate is issued and\r\nsigned afterwards, so the rule is a hunting pivot to combine with other toolmarks rather than a verdict by itself.\r\nThere are other PE Authenticode anomalies that can also be represented as Yara rules to surface similarly\r\nsuspicious files. Of note, this signed BOOSTWRITE sample has no counter signature and, while the\r\nunauthenticated attributes timestamp structure is present, it is empty. 
In preparing this blog, FireEye’s Advanced\r\nPractices team identified a possible issue with VirusTotal’s parsing of signed executable timestamps as seen in\r\nFigure 4.\r\nFigure 4: Inconsistency in VirusTotal file signature timestamps for the signed BOOSTWRITE sample\r\nFireEye filed a bug report with Google to address the discrepancy in VirusTotal in order to remove confusion for\r\nother users.\r\nTo account for the detection weaknesses introduced by techniques like code signing, our Advanced Practices team\r\ncombines the malicious confidence spectrum that comes from ML detection systems with file oddities and\r\nanomalies (weak signals) to surface highly interesting and evasive malware. This technique was recently\r\ndescribed in our own Dr. Steven Miller’s Definitive Dossier of Devilish Debug Details. In fact, the exact same\r\nprogram database (PDB) path-based approach from his blog can be applied to the toolmarks seen in this sample\r\nfor a quick hunting rule. 
Figure 5 provides the PDB path of the BOOSTWRITE samples from this blog.\r\nF:\\projects\\DWriteImpl\\Release\\DWriteImpl.pdb\r\nFigure 5: BOOSTWRITE PDB path\r\nThe Yara rule template can be applied to result in the quick rule in Figure 6.\r\nrule ConventionEngine_BOOSTWRITE\r\n{\r\n meta:\r\n author = \"Nick Carr (@itsreallynick)\"\r\n reference = \"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-deta\r\nstrings:\r\n $weetPDB = /RSDS[\\x00-\\xFF]{20}[a-zA-Z]?:?\\\\[\\\\\\s|*\\s]?.{0,250}\\\\DWriteImpl[\\\\\\s|*\\s]?.{0,250}\\.pdb\\x00/ no\r\n condition:\r\n (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $weetPDB and filesize \u003c 6MB\r\n}\r\nFigure 6: Applying BOOSTWRITE’s PDB path to a Yara rule\r\nWe can apply this same concept across other executable traits, such as BOOSTWRITE’s export DLL name\r\n(DWriteImpl.dll), to create quick and easy rules that can aid in quick discovery as seen in Figure 7.\r\nrule Exports_BOOSTWRITE\r\n{\r\nmeta:\r\n author = \"Steve Miller (@stvemillertime) \u0026 Nick Carr (@itsreallynick)\"\r\nstrings:\r\n $exyPants = \"DWriteImpl.dll\" nocase\r\ncondition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $exyPants at pe.rva_to_offset(uint32(pe.rva_\r\n}\r\nFigure 7: Applying BOOSTWRITE’s export DLL names to a Yara rule (Note: this rule was updated following\r\npublication. It previously read \"module_ls.dll\", which is for Turla and unrelated.)\r\nOf course, resilient prevention capabilities are needed and to that end, FireEye detects this activity across our\r\nplatforms. 
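The three toolmarks used above (the compile timestamp outside the certificate window in Table 5, the DWriteImpl PDB path in Figure 5 and the DWriteImpl.dll export name in Figure 7) can also be extracted and checked without Yara. The Python below is an added example written for this page, not FireEye's code or a port of the rules above: it walks the PE headers by hand, reads the export DLL name through the export directory, pulls the path out of the RSDS CodeView record, and flags a linker timestamp that falls outside the signing certificate's validity window (the page describes the before-NotBefore case; the check here also covers after-NotAfter). The validity window is taken from Table 5 as constants rather than parsed from the Authenticode blob, the sample PE is constructed in the block, and all function and variable names are the example's own.

```python
import struct
from datetime import datetime, timezone

PDB_SEP = chr(92)  # backslash, kept out of string literals
SAMPLE_PDB = PDB_SEP.join(('F:', 'projects', 'DWriteImpl', 'Release', 'DWriteImpl.pdb'))
SAMPLE_TIMESTAMP = 1558345855  # 2019-05-20 09:50:55 UTC, the compile time in Table 5
# Certificate validity window from Table 5 (assumed here as constants; in
# real triage read NotBefore/NotAfter from the Authenticode signer cert).
CERT_NOT_BEFORE = datetime(2019, 5, 22, 0, 0, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2020, 5, 21, 23, 59, tzinfo=timezone.utc)


def read_cstring(data, off):
    return data[off:data.index(0, off)].decode('latin-1')


def parse_pe(data):
    # Minimal header walk: COFF timestamp, export data directory, section table.
    if data[:2] != b'MZ':
        raise ValueError('not an MZ file')
    e_lfanew, = struct.unpack_from('<I', data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('missing PE signature')
    nsections, timestamp = struct.unpack_from('<HI', data, e_lfanew + 6)
    opt_size, = struct.unpack_from('<H', data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from('<H', data, opt)
    dd_off = opt + (96 if magic == 0x10B else 112)     # PE32 vs PE32+ data directories
    export_rva, _export_size = struct.unpack_from('<II', data, dd_off)
    sections = []
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from('<IIII', data, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    return {'timestamp': timestamp, 'export_rva': export_rva, 'sections': sections}


def rva_to_offset(sections, rva):
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    return None


def export_dll_name(data, pe):
    # IMAGE_EXPORT_DIRECTORY.Name (offset 12) is an RVA to the DLL name string.
    if not pe['export_rva']:
        return None
    name_rva, = struct.unpack_from('<I', data, rva_to_offset(pe['sections'], pe['export_rva']) + 12)
    return read_cstring(data, rva_to_offset(pe['sections'], name_rva))


def pdb_path(data):
    # CodeView RSDS record: 'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path.
    idx = data.find(b'RSDS')
    return None if idx < 0 else read_cstring(data, idx + 24)


def timestamp_outside_cert_validity(pe_timestamp, not_before, not_after):
    compiled = datetime.fromtimestamp(pe_timestamp, tz=timezone.utc)
    return not (not_before <= compiled <= not_after)


def matches_boostwrite_toolmarks(export_name, pdb):
    # Same idea as the two Yara rules above, in Python.
    exp_hit = (export_name or '').lower() == 'dwriteimpl.dll'
    pdb_hit = pdb is not None and PDB_SEP + 'dwriteimpl' in pdb.lower() and pdb.lower().endswith('.pdb')
    return exp_hit or pdb_hit


def hunt(data, not_before, not_after):
    pe = parse_pe(data)
    export_name = export_dll_name(data, pe)
    pdb = pdb_path(data)
    return {
        'compile_time': datetime.fromtimestamp(pe['timestamp'], tz=timezone.utc).isoformat(),
        'timestamp_anomaly': timestamp_outside_cert_validity(pe['timestamp'], not_before, not_after),
        'export_name': export_name,
        'pdb_path': pdb,
        'matches_boostwrite_toolmarks': matches_boostwrite_toolmarks(export_name, pdb),
    }


def build_sample_pe32():
    # Constructed sample: a non-loadable PE32 DLL skeleton carrying the same
    # three toolmarks. Headers occupy the first 0x200 bytes, one section follows.
    dos = b'MZ' + bytes(0x3A) + struct.pack('<I', 0x40)
    coff = b'PE' + bytes(2) + struct.pack('<HHIIIHH', 0x014C, 1, SAMPLE_TIMESTAMP, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)             # PE32 magic
    struct.pack_into('<I', opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 96, 0x1000, 40)      # export directory RVA and size
    section = b'.rdata' + bytes(2) + struct.pack('<IIIIIIHHI', 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    body = bytearray(0x200)                           # section contents, mapped at RVA 0x1000
    struct.pack_into('<IIHHIIIIIII', body, 0, 0, SAMPLE_TIMESTAMP, 0, 0, 0x1028, 1, 0, 0, 0, 0, 0)
    body[0x28:0x37] = b'DWriteImpl.dll' + bytes(1)
    rsds = b'RSDS' + bytes(16) + struct.pack('<I', 1) + SAMPLE_PDB.encode() + bytes(1)
    body[0x40:0x40 + len(rsds)] = rsds
    headers = dos + coff + bytes(opt) + section
    return headers + bytes(0x200 - len(headers)) + bytes(body)


def demo():
    return hunt(build_sample_pe32(), CERT_NOT_BEFORE, CERT_NOT_AFTER)
```

Pointed at a DWrite.dll found outside System32 next to an RDFClient install, hunt() returns the same fields the rules key on; the timestamp check is a weak signal on its own, so treat a hit as a pivot to combine with the export name and PDB path rather than as a verdict.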
Table 6 contains several specific detection names from a larger list of detection capabilities that\r\ncaptured this activity natively.\r\nPlatform | Signature Name\r\nEndpoint Security | MalwareGuard ML detection (unsigned variants)\r\nNetwork Security and Email Security | Malware.binary.dll (dynamic detection)\r\n | MalwareGuard ML detection (unsigned variants)\r\n | APTFIN.Dropper.Win.BOOSTWRITE (network traffic)\r\n | APTFIN.Backdoor.Win.RDFSNIFFER (network traffic)\r\n | FE_APTFIN_Dropper_Win_BOOSTWRITE (static code family detection)\r\n | FE_APTFIN_Backdoor_Win_RDFSNIFFER (static code family detection)\r\nTable 6: FireEye detection matrix\r\nDon’t Sweat the Techniques – MITRE ATT\u0026CK Mappings\r\nTechnique IDs below are those of the ATT\u0026CK version current in October 2019; several of them (for example T1038,\r\nT1107, T1116 and T1179) have since been deprecated or folded into sub-techniques, so map them to current IDs\r\nbefore reusing them in detection content.\r\nBOOSTWRITE\r\nID | Technique | BOOSTWRITE Context\r\nT1022 | Data Encrypted | BOOSTWRITE encrypts its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit IV to evade detection\r\nT1027 | Obfuscated Files or Information | BOOSTWRITE encrypts its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit IV to evade detection\r\nT1038 | DLL Search Order Hijacking | BOOSTWRITE exploits the applications’ loading of the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads the local ‘Dwrite’ dll\r\nT1116 | Code Signing | BOOSTWRITE variants were observed signed with a code signing certificate issued by a valid CA\r\nT1129 | Execution through Module Load | BOOSTWRITE exploits the applications’ loading of the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads the local ‘Dwrite’ dll\r\nT1140 | Deobfuscate/Decode Files or Information | BOOSTWRITE decrypts its payloads at runtime using a ChaCha stream cipher with a 256-bit key and 64-bit IV\r\nRDFSNIFFER\r\nID | Technique | RDFSNIFFER Context\r\nT1106 | Execution through API | RDFSNIFFER hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user-interface\r\nT1107 | File Deletion | RDFSNIFFER has the capability of deleting local files\r\nT1179 | Hooking | RDFSNIFFER hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user-interface\r\nAcknowledgements\r\nThe authors want to thank Steve Elovitz, Jeremy Koppen, and the many Mandiant incident responders that go\r\ntoe-to-toe with FIN7 regularly, quietly evicting them from victim environments. We appreciate the thorough detection\r\nengineering from Ayako Matsuda and the reverse engineering from FLARE’s Dimiter Andonov, Christopher\r\nGardner and Tyler Dean. A special thanks to FLARE’s Troy Ross for the development of his PE Signature analysis\r\nservice and for answering our follow-up questions. Shout out to Steve Miller for his hot fire research and Yara\r\nanomaly work. And lastly, the rest of the Advanced Practices team for both the unparalleled front-line FIN7\r\ntechnical intelligence expertise and MITRE ATT\u0026CK automated mapping project – with a particular thanks to\r\nRegina Elwell and Barry Vengerik.\r\nPosted in: Threat Intelligence, Security \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html"
	],
	"report_names": [
		"mahalo-fin7-responding-to-new-tools-and-techniques.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434124,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e7421266f14e54dd74b8f644383dcab2295643c.pdf",
		"text": "https://archive.orkl.eu/7e7421266f14e54dd74b8f644383dcab2295643c.txt",
		"img": "https://archive.orkl.eu/7e7421266f14e54dd74b8f644383dcab2295643c.jpg"
	}
}