{ "id": "9b01ae6b-3924-4745-ac79-690584490b66", "created_at": "2026-04-06T02:11:40.502337Z", "updated_at": "2026-04-10T03:36:33.426581Z", "deleted_at": null, "sha1_hash": "80ed5248e57966f7160ec549e563340b4f6afd94", "title": "DarkVishnya: Banks attacked through direct connection to local network", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2025103, "plain_text": "DarkVishnya: Banks attacked through direct connection to local\r\nnetwork\r\nBy Sergey Golovanov\r\nPublished: 2018-12-06 · Archived: 2026-04-06 02:00:41 UTC\r\n06 Dec 2018\r\n 2 minute read\r\n Sergey Golovanov\r\nhttps://securelist.com/darkvishnya/89169/\r\nPage 1 of 7\n\nWhile novice attackers, imitating the protagonists of the U.S. drama Mr. Robot, leave USB flash drives lying\r\naround parking lots in the hope that an employee from the target company picks one up and plugs it in at the\r\nworkplace, more experienced cybercriminals prefer not to rely on chance. In 2017-2018, Kaspersky Lab\r\nspecialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an\r\nunknown device directly connected to the company’s local network. In some cases, it was the central office, in\r\nothers a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the\r\ntargets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of\r\nmillions of dollars.\r\nEach attack can be divided into several identical stages. At the first stage, a cybercriminal entered the\r\norganization’s building under the guise of a courier, job seeker, etc., and connected a device to the local network,\r\nfor example, in one of the meeting rooms. Where possible, the device was hidden or blended into the\r\nsurroundings, so as not to arouse suspicion.\r\nhttps://securelist.com/darkvishnya/89169/\r\nPage 2 of 7\n\nHigh-tech tables with sockets are great for planting hidden devices\r\nThe devices used in the DarkVishnya attacks varied in accordance with the cybercriminals’ abilities and personal\r\npreferences. In the cases we researched, it was one of three tools:\r\nnetbook or inexpensive laptop\r\nRaspberry Pi computer\r\nBash Bunny, a special tool for carrying out USB attacks\r\nInside the local network, the device appeared as an unknown computer, an external flash drive, or even a\r\nkeyboard. Combined with the fact that Bash Bunny is comparable in size to a USB flash drive, this seriously\r\ncomplicated the search for the entry point. Remote access to the planted device was via a built-in or USB-connected GPRS/3G/LTE modem.\r\nAt the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain\r\naccess to public shared folders, web servers, and any other open resources. The aim was to harvest information\r\nabout the network, above all, servers and workstations used for making payments. At the same time, the attackers\r\ntried to brute-force or sniff login data for such machines. To overcome the firewall restrictions, they planted\r\nshellcodes with local TCP servers. If the firewall blocked access from one segment of the network to another, but\r\nallowed a reverse connection, the attackers used a different payload to build tunnels.\r\nHaving succeeded, the cybercriminals proceeded to stage three. Here they logged into the target system and used\r\nremote access software to retain access. Next, malicious services created using msfvenom were started on the\r\ncompromised computer. Because the hackers used fileless attacks and PowerShell, they were able to avoid\r\nallowlisting technologies and domain policies. If they encountered a allowlisting that could not be bypassed, or\r\nhttps://securelist.com/darkvishnya/89169/\r\nPage 3 of 7\n\nPowerShell was blocked on the target computer, the cybercriminals used impacket, and winexesvc.exe or\r\npsexec.exe to run executable files remotely.\r\nVerdicts\r\nnot-a-virus.RemoteAdmin.Win32.DameWare\r\nMEM:Trojan.Win32.Cometer\r\nMEM:Trojan.Win32.Metasploit\r\nTrojan.Multi.GenAutorunReg\r\nHEUR:Trojan.Multi.Powecod\r\nHEUR:Trojan.Win32.Betabanker.gen\r\nnot-a-virus:RemoteAdmin.Win64.WinExe\r\nTrojan.Win32.Powershell\r\nPDM:Trojan.Win32.CmdServ\r\nTrojan.Win32.Agent.smbe\r\nHEUR:Trojan.Multi.Powesta.b\r\nHEUR:Trojan.Multi.Runner.j\r\nnot-a-virus.RemoteAdmin.Win32.PsExec\r\nShellcode listeners\r\ntcp://0.0.0.0:5190\r\ntcp://0.0.0.0:7900\r\nShellcode connects\r\ntcp://10.**.*.***:4444\r\ntcp://10.**.*.**:4445\r\ntcp://10.**.*.**:31337\r\nShellcode pipes\r\n\\\\.\\xport\r\n\\\\.\\s-pipe\r\nhttps://securelist.com/darkvishnya/89169/\r\nPage 4 of 7\n\nLatest Webinars\r\nhttps://securelist.com/darkvishnya/89169/\r\nPage 5 of 7\n\nhttps://securelist.com/darkvishnya/89169/\r\nPage 6 of 7\n\nReports\r\nKaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka\r\nMustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.\r\nKaspersky discloses a 2025 HoneyMyte (aka Mustang Panda or Bronze President) APT campaign, which uses a\r\nkernel-mode rootkit to deliver and protect a ToneShell backdoor.\r\nKaspersky GReAT experts analyze the Evasive Panda APT’s infection chain, including shellcode encrypted with\r\nDPAPI and RC5, as well as the MgBot implant.\r\nKaspersky expert describes new malicious tools employed by the Cloud Atlas APT, including implants of their\r\nsignature backdoors VBShower, VBCloud, PowerShower, and CloudAtlas.\r\nSource: https://securelist.com/darkvishnya/89169/\r\nhttps://securelist.com/darkvishnya/89169/\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://securelist.com/darkvishnya/89169/" ], "report_names": [ "89169" ], "threat_actors": [ { "id": "81a7ab21-3aaa-4399-b1a7-77ce38130a77", "created_at": "2022-10-25T15:50:23.5229Z", "updated_at": "2026-04-10T02:00:05.326942Z", "deleted_at": null, "main_name": "DarkVishnya", "aliases": [ "DarkVishnya" ], "source_name": "MITRE:DarkVishnya", "tools": [ "Winexe", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "76e65a03-eb20-4248-978a-c6be30fc118a", "created_at": "2023-01-06T13:46:38.844934Z", "updated_at": "2026-04-10T02:00:03.120025Z", "deleted_at": null, "main_name": "DarkVishnya", "aliases": [], "source_name": "MISPGALAXY:DarkVishnya", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "04a7ebaa-ebb1-4971-b513-a0c86886d932", "created_at": "2023-01-06T13:46:38.784965Z", "updated_at": "2026-04-10T02:00:03.099088Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "Clean Ursa", "Cloud Atlas", "G0100", "ATK116", "Blue Odin" ], "source_name": "MISPGALAXY:Inception Framework", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f35997d9-ca1e-453f-b968-0e675cc16d97", "created_at": "2023-01-06T13:46:39.490819Z", "updated_at": "2026-04-10T02:00:03.345364Z", "deleted_at": null, "main_name": "Evasive Panda", "aliases": [ "BRONZE HIGHLAND" ], "source_name": "MISPGALAXY:Evasive Panda", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a", "created_at": "2024-11-01T02:00:52.763555Z", "updated_at": "2026-04-10T02:00:05.263997Z", "deleted_at": null, "main_name": "Daggerfly", "aliases": [ "Daggerfly", "Evasive Panda", "BRONZE HIGHLAND" ], "source_name": "MITRE:Daggerfly", "tools": [ "PlugX", "MgBot", "BITSAdmin", "MacMa", "Nightdoor" ], "source_id": "MITRE", "reports": null }, { "id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7", "created_at": "2023-01-06T13:46:39.413725Z", "updated_at": "2026-04-10T02:00:03.31882Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Evasive Panda", "Daggerfly" ], "source_name": "MISPGALAXY:BRONZE HIGHLAND", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7", "created_at": "2022-10-25T16:07:23.422755Z", "updated_at": "2026-04-10T02:00:04.592069Z", "deleted_at": null, "main_name": "Bronze Highland", "aliases": [ "Daggerfly", "Digging Taurus", "Evasive Panda", "Storm Cloud", "StormBamboo", "TAG-102", "TAG-112" ], "source_name": "ETDA:Bronze Highland", "tools": [ "Agentemis", "CDDS", "CloudScout", "Cobalt Strike", "CobaltStrike", "DazzleSpy", "KsRemote", "LOLBAS", "LOLBins", "Living off the Land", "MacMa", "Macma", "MgBot", "Mgmbot", "NetMM", "Nightdoor", "OSX.CDDS", "POCOSTICK", "RELOADEXT", "Suzafk", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "4f7d2815-7504-4818-bf8d-bba18161b111", "created_at": "2025-08-07T02:03:24.613342Z", "updated_at": "2026-04-10T02:00:03.732192Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Daggerfly", "Daggerfly ", "Evasive Panda ", "Evasive Panda ", "Storm Bamboo " ], "source_name": "Secureworks:BRONZE HIGHLAND", "tools": [ "Cobalt Strike", "KsRemote", "Macma", "MgBot", "Nightdoor", "PlugX" ], "source_id": "Secureworks", "reports": null }, { "id": "02c9f3f6-5d10-456b-9e63-750286048149", "created_at": "2022-10-25T16:07:23.722884Z", "updated_at": "2026-04-10T02:00:04.72726Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "ATK 116", "Blue Odin", "Clean Ursa", "Cloud Atlas", "G0100", "Inception Framework", "Operation Cloud Atlas", "Operation RedOctober", "The Rocra" ], "source_name": "ETDA:Inception Framework", "tools": [ "Lastacloud", "PowerShower", "VBShower" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775441500, "ts_updated_at": 1775792193, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/80ed5248e57966f7160ec549e563340b4f6afd94.pdf", "text": "https://archive.orkl.eu/80ed5248e57966f7160ec549e563340b4f6afd94.txt", "img": "https://archive.orkl.eu/80ed5248e57966f7160ec549e563340b4f6afd94.jpg" } }