{
	"id": "a52ef86e-922d-4e63-8eed-d46c5b0df330",
	"created_at": "2026-04-06T00:12:29.171809Z",
	"updated_at": "2026-04-10T13:12:49.765492Z",
	"deleted_at": null,
	"sha1_hash": "8de835bbe36f6496c7038aeb02ec1570d5881b79",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31486,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:51:55 UTC\r\nDescription (Kaspersky) When we first encountered Lurk, in 2011, it was a nameless Trojan. It all started when we became aware of a number of incidents at several Russian banks that had resulted in the theft of large sums of money from customers. To steal the money, the unknown criminals used a hidden malicious program that was able to interact automatically with the financial institution’s remote banking service (RBS) software: replacing bank details in payment orders generated by an accountant at the attacked organization, or even generating such orders by itself.\r\nIn 2016, it is hard to imagine banking software that does not demand some form of additional authentication, but things were different back in 2011. In most cases, the attackers only had to infect the computer on which the RBS software was installed in order to start stealing the cash. Russia’s banking system, like those of many other countries, was unprepared for such attacks, and cybercriminals were quick to exploit the security gap.\r\nSo we decided to take a closer look at the malware. The first attempts to understand how the program worked gave our analysts nothing. Regardless of whether it was launched on a virtual or a real machine, it behaved in the same way: it didn’t do anything. This is how the program, and later the group behind it, got its name. To “lurk” means to hide, generally with the intention of ambush.\r\nWe were soon able to help investigate another incident involving Lurk. This time we got a chance to explore the image of the attacked computer. There, in addition to the familiar malicious program, we found a .dll file with which the main executable file could interact. This was our first piece of evidence that Lurk had a modular structure.\r\nLater discoveries suggest that, in 2011, Lurk was still at an early stage of development. It was formed of just two components, a number that would grow considerably over the coming years.\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=20da2b77-e300-48ff-afb9-a997e6c0f297",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=20da2b77-e300-48ff-afb9-a997e6c0f297"
	],
	"report_names": [
		"showcard.cgi?u=20da2b77-e300-48ff-afb9-a997e6c0f297"
	],
	"threat_actors": [
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434349,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8de835bbe36f6496c7038aeb02ec1570d5881b79.pdf",
		"text": "https://archive.orkl.eu/8de835bbe36f6496c7038aeb02ec1570d5881b79.txt",
		"img": "https://archive.orkl.eu/8de835bbe36f6496c7038aeb02ec1570d5881b79.jpg"
	}
}