{
	"id": "9fdc175c-9504-4c73-9333-2b73772d908f",
	"created_at": "2026-04-29T10:18:11.621652Z",
	"updated_at": "2026-04-29T10:42:18.401574Z",
	"deleted_at": null,
	"sha1_hash": "84a0eb51b3d1209a178bf4350e6031072ca682d7",
	"title": "NotCarbanak Mystery - Source Code Leak",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69935,
	"plain_text": "NotCarbanak Mystery - Source Code Leak\r\nPublished: 2018-07-11 · Archived: 2026-04-29 09:47:55 UTC\r\nI got a tip a very short time ago in our slack group about a possible Carbanak source code leak. A quick google\r\nsearch proved this is indeed a possibility.\r\nhxxp://mal4all.com/showthread.php?tid=494\u0026action=lastpost\r\nHere is the source code in a zip file.\r\nPlease make sure you use proper security steps such as a sandbox and an isolated environment. The origin of this zip\r\nfile is unknown and it was not inspected for booby traps etc.\r\nThis file was uploaded for research and defense purposes only. If you plan to use this for malicious reasons you\r\nsuck.\r\nPass: f1Up$zD%QY*p5@!\u0026\r\nIf you are creating any signatures such as Yara and Snort please share back with the community.\r\nHappy Researching\r\nMy team at Minerva have organized the information into a single blog post:\r\nInitial analysis and insights about the enhanced #Buhtrap source code #leak (not #carbanak)\r\nhttps://t.co/b4hCMmc5fp\r\n— Minerva Labs (@MinervaLabs) July 12, 2018\r\nSome on-going updates posted during the initial investigation:\r\nI wouldn't put a solid carbanak tag on it just yet :) it sure has similarities...\r\n— Denis O'Brien (@Malwageddon) July 11, 2018\r\nafter a deeper look into Ratopak we should say - it is not original Buhtrap but Pegasus. Pegasus and\r\nBuhtrap have very similar TTP. So, Ratopak is the right shot here.\r\n— codelancer (@codelancer) July 11, 2018\r\nComodo signed binaries from this #carbanak leak (CN=\"\\\"Allegro\\\" LLC\", O=\"\\\"Allegro\\\" LLC\",\r\nSTREET=\"Nagatinsky 2ND, 2,2\", L=Moscow, ST=Moscow, OID.2.5.4.17=115487, C=RU) lead to\r\nthis attack on Russian banks: https://t.co/LTbCr8CVu6 https://t.co/gmcw2xk76H\r\n— Omri Moyal (@GelosSnake) July 11, 2018\r\nhttps://malware-research.org/carbanak-source-code-leaked/\r\nPage 1 of 4\n\nAt least some parts of the source code leak fit to Buhtrap/Ratopak\r\n(f4ae5579930f20ccc41d1f8b1e417e87) code as described here: https://t.co/zkcv05OaEC #carbanak\r\n#buhtrap #ratopak pic.twitter.com/rqQrzIxFJF\r\n— Daniel Plohmann (@push_pnx) July 11, 2018\r\nOk just clarifying this leak is not a #Carbanak leak as the source zip states. It's a leak from the #RatoPak\r\ngroup.\r\n— Omri Moyal (@GelosSnake) July 11, 2018\r\nThis potential #Carbanak code is very well documented. Example from the lateral movement section.\r\npic.twitter.com/DD8e5cFI5V\r\n— Omri Moyal (@GelosSnake) July 11, 2018\r\nFunny comment: decryption of svchost will trigger @kaspersky KIS emulator.\r\npic.twitter.com/gQ5P4DtlSb\r\n— Omri Moyal (@GelosSnake) July 11, 2018\r\nInteresting information related to banking fraud in the potential #carbanak leak.\r\npic.twitter.com/kzZxi0hWzq\r\n— Omri Moyal (@GelosSnake) July 11, 2018\r\nthe #carbanak leak seems to have a full AD dump of several banks such as:\r\nKazan-based Energobank pic.twitter.com/NpHKdGd35G\r\n— Omri Moyal (@GelosSnake) July 11, 2018\r\nAlso the #carbanak leak seems to have a step by step guide to use/hack swift.\r\nCan anyone experienced with #swift confirm this? pic.twitter.com/9N3zgJvNCM\r\n— Omri Moyal (@GelosSnake) July 11, 2018\r\nAnd of course, Enums visible machines in current or any specified domain\r\npic.twitter.com/KD0bFGCSD1\r\n— Bʀʏᴀɴ (@bry_campbell) July 11, 2018\r\nSomebody leaked the Carbanak source code last week\r\nI've been talking with several security researchers who are currently trying to verify the code's\r\nauthenticity and they believe it to be the real thing, albeit they're not 100% sure just yet\r\npic.twitter.com/8sAUHPEgnv\r\n— Catalin Cimpanu (@campuscodi) July 11, 2018\r\nHere's a video of the arrest: https://t.co/vzKhroTYFt\r\n— Catalin Cimpanu (@campuscodi) July 11, 2018\r\nAre you wondering why the leaked #carbanak zip files are named after @groupib? Well they are the\r\nfirst to discover #carbanak which was named Anunak by them. Also been actively working against the\r\nhacker group for many years. pic.twitter.com/UobwEj0SWK\r\n— Omri Moyal (@GelosSnake) July 11, 2018\r\nSome of the leaked files correspond to banks hacked by the #Corkow group. Really interesting:\r\nhttps://t.co/OHeGTg7f2E\r\n— Omri Moyal (@GelosSnake) July 11, 2018\r\nThis #RatoPak / (not) #Carbanak leak investigation and discussions really shows once again how\r\ndifficult attribution can be and why security researchers should collaborate as much as possible. Long\r\nnight ahead of us (:\r\n— Omri Moyal (@GelosSnake) July 11, 2018\r\nNice admin panel you've got there :) it's #notcarbanak but #ratopak according to @GelosSnake and\r\n@codelancer pic.twitter.com/yUjbygZ9Yf\r\n— rik (@rikvduijn) July 11, 2018\r\nConfirmed Link: '#Pegasus' shares some code lib struct with #Buhtrap and appears to be an\r\nimproved/altered version of the leaked Buhtrap main 'lib' (machineid, mem, etc.) 🤔 h/t @push_pnx for\r\nlead\r\nExact Code Overlap:\r\nbuhtrap/11. DLL Side-Loading+panel/.../libs/ -\u003e pegasus/inc/ pic.twitter.com/NlvcD7ecLO\r\n— Vitali Kremez (@VK_Intel) July 11, 2018\r\nList of banks possibly hacked and found in the leak:\r\nAK BARS Bank\r\nIBSP Bank\r\nacropol\r\ngenbank\r\nicbru\r\ninterprombank\r\nmetallinvestbank\r\nminbank\r\nnevskybank\r\nnipbank\r\n— Omri Moyal (@GelosSnake) July 11, 2018\r\nSource: https://malware-research.org/carbanak-source-code-leaked/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malware-research.org/carbanak-source-code-leaked/"
	],
	"report_names": [
		"carbanak-source-code-leaked"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-29T10:39:54.841601Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a58aedbc-e89f-4e0c-8147-c6406a616cfa",
			"created_at": "2022-10-25T16:07:23.494355Z",
			"updated_at": "2026-04-29T10:39:55.236385Z",
			"deleted_at": null,
			"main_name": "Corkow",
			"aliases": [
				"Corkow",
				"Metel"
			],
			"source_name": "ETDA:Corkow",
			"tools": [
				"Corkow",
				"Metel"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-29T10:39:54.783938Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Silicon"
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-29T10:39:53.06001Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-29T10:39:55.209295Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777457891,
	"ts_updated_at": 1777459338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84a0eb51b3d1209a178bf4350e6031072ca682d7.pdf",
		"text": "https://archive.orkl.eu/84a0eb51b3d1209a178bf4350e6031072ca682d7.txt",
		"img": "https://archive.orkl.eu/84a0eb51b3d1209a178bf4350e6031072ca682d7.jpg"
	}
}