{
	"id": "386b4807-3646-48a8-879b-7509414ff815",
	"created_at": "2026-04-06T00:21:02.605659Z",
	"updated_at": "2026-04-10T03:31:13.341433Z",
	"deleted_at": null,
	"sha1_hash": "af5382a738e0ba6828563f846abc64453866376c",
	"title": "Carbanak Banking Malware Resurfaces with New Ransomware Tactics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 306059,
	"plain_text": "Carbanak Banking Malware Resurfaces with New Ransomware Tactics\nBy The Hacker News\nPublished: 2023-12-26 · Archived: 2026-04-05 16:41:32 UTC\n\nThe banking malware known as Carbanak has been observed in use in ransomware attacks with updated tactics.\n\n\"The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness,\" cybersecurity firm NCC Group said in an analysis of ransomware attacks that took place in November 2023. \"Carbanak returned last month through new distribution chains and has been distributed through compromised websites to impersonate various business-related software.\"\n\nSome of the impersonated tools include popular business-related software such as HubSpot, Veeam, and Xero.\n\nCarbanak, detected in the wild since at least 2014, is known for its data exfiltration and remote control features. Starting off as banking malware, it has since been put to use by the FIN7 cybercrime syndicate.\n\nIn the latest attack chain documented by NCC Group, the compromised websites host malicious installer files masquerading as legitimate utilities; running such an installer triggers the deployment of Carbanak.\n\nThe development comes as 442 ransomware attacks were reported last month, up from 341 incidents in October 2023. A total of 4,276 cases have been reported so far this year, which is \"less than 1000 incidents fewer than the total for 2021 and 2022 combined (5,198).\"\n\nThe company's data shows that industrials (33%), consumer cyclicals (18%), and healthcare (11%) emerged as the top targeted sectors, with North America (50%), Europe (30%), and Asia (10%) accounting for most of the attacks.\n\nAs for the most commonly spotted ransomware families, LockBit, BlackCat, and Play together accounted for 47% (206) of the 442 attacks. With BlackCat dismantled by authorities this month, it remains to be seen what impact the move will have on the threat landscape in the near future.\n\n\"With one month of the year still to go, the total number of attacks has surpassed 4,000 which marks a huge increase from 2021 and 2022, so it will be interesting to see if ransomware levels continue to climb next year,\" Matt Hull, global head of threat intelligence at NCC Group, said.\n\nThe spike in ransomware attacks in November has also been corroborated by cyber insurance firm Corvus, which said it identified 484 new ransomware victims posted to leak sites.\n\n\"The ransomware ecosystem at large has successfully pivoted away from QBot,\" the company said. \"Making software exploits and alternative malware families part of their repertoire is paying off for ransomware groups.\"\n\nWhile the shift is the result of a law enforcement takedown of QBot's (aka QakBot) infrastructure, Microsoft, last week, disclosed details of a low-volume phishing campaign distributing the malware, underscoring the challenges in fully dismantling these groups.\n\nSeparately, Kaspersky revealed that Akira ransomware's communication site resists analysis: when the site is accessed with a debugger attached in the web browser, it raises exceptions so that the page cannot be inspected normally.\n\nThe Russian cybersecurity company further highlighted ransomware operators' exploitation of several security flaws in the Windows Common Log File System (CLFS) driver – CVE-2022-24521, CVE-2022-37969, CVE-2023-23376 and CVE-2023-28252 (CVSS score: 7.8 each) – for privilege escalation.\n\nSource: https://thehackernews.com/2023/12/carbanak-banking-malware-resurfaces.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2023/12/carbanak-banking-malware-resurfaces.html"
	],
	"report_names": [
		"carbanak-banking-malware-resurfaces.html"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Silicon"
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Navigator",
				"Sangria Tempest",
				"TelePort Crew"
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434862,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af5382a738e0ba6828563f846abc64453866376c.pdf",
		"text": "https://archive.orkl.eu/af5382a738e0ba6828563f846abc64453866376c.txt",
		"img": "https://archive.orkl.eu/af5382a738e0ba6828563f846abc64453866376c.jpg"
	}
}