{
	"id": "a4d263c2-06ef-4785-b865-c8a3ef48798f",
	"created_at": "2026-04-06T00:20:01.02041Z",
	"updated_at": "2026-04-10T13:12:59.108366Z",
	"deleted_at": null,
	"sha1_hash": "c318a5d6d1cea2d53155bf8fcf84354adf047542",
	"title": "CARBON SPIDER Embraces Big Game Hunting, Part 1 | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 507826,
	"plain_text": "CARBON SPIDER Embraces Big Game Hunting, Part 1 |\r\nCrowdStrike\r\nBy Eric Loui - Josh Reynolds\r\nArchived: 2026-04-02 10:57:25 UTC\r\nThroughout 2020, CARBON SPIDER dramatically overhauled their operations. In April 2020, the adversary\r\nabruptly shifted from narrow campaigns focused entirely on companies operating point-of-sale (POS) devices to\r\nbroad, indiscriminate operations that attempted to infect very many victims across all sectors. The goal of these\r\ncampaigns was to conduct big game hunting (BGH) operations using PINCHY SPIDER’s REvil ransomware.\r\nCARBON SPIDER deepened their commitment to BGH in August 2020 by using their own ransomware,\r\nDarkside. In November 2020, the adversary took another step into the world of BGH by establishing a\r\nransomware-as-a-service (RaaS) affiliate program for Darkside, allowing other actors to use the ransomware\r\nwhile paying CARBON SPIDER a portion of the ransom received.\r\nPart One of this two-part blog series details how CrowdStrike Intelligence attributed Darkside to CARBON\r\nSPIDER. Part Two will look at CARBON SPIDER’s re-emergence after the Colonial Pipeline attack, which led to\r\nthe shutdown of Darkside RaaS and the creation of BlackMatter RaaS.\r\nBackground\r\nCARBON SPIDER, commonly referred to as FIN7 and active since 2013, is one of the oldest continuously\r\noperating eCrime groups. Between 2015 and 2020, the adversary conducted low-volume campaigns targeting\r\ncompany POS devices, primarily in the hospitality sector. These campaigns featured a variety of malware,\r\nincluding the Sekur (Carbanak) RAT, VB Flash, Bateleur and Harpy (GRIFFON). 
Using POS malware, including\r\nPILLOWMINT, the adversary harvested credit card track data and sold this data on criminal forums such as\r\nJoker’s Stash.\r\nApril 2020: Target Scope Widens\r\nIn April 2020, CARBON SPIDER abruptly shifted from narrow campaigns focused entirely on companies\r\noperating POS devices to broad, indiscriminate operations that attempted to infect large numbers of victims across\r\nall sectors. The first of these occurred on April 14, 2020, when the adversary likely compromised a legitimate\r\nemail distribution service to conduct a broad spam campaign targeting thousands of recipients across numerous\r\nverticals.\r\nThis campaign used malicious links that led to a ZIP archive hosted on\r\nhttps\u003c:\u003e//colahasch\u003c.\u003ecom/portal/app/CommerceNetwork/ view/9b25068f2941618fb9b08d6d089a47faae552c93f\r\nThe ZIP archive contained a Leo VBS, which refers to a family of obfuscated scripts that download and execute a\r\nremote payload. The Leo VBS performs an HTTP GET request to\r\nhttps\u003c:\u003e//alphalanding\u003c.\u003ecom/successfully/warranty.eml?uid= and writes a JSS Loader binary to\r\nhttps://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/\r\nPage 1 of 6\n\n%TEMP%\\PaintHelper.exe . JSS Loader, which has both .NET and C++ versions, has multiple capabilities,\r\nincluding the ability to load additional executables, PowerShell (PS) and JavaScript (JS) files. The observed JSS\r\nLoader infection led to the download and execution of a setup VBScript from https\u003c:\u003e//petshopbook\u003c.\u003ecom .\r\nThis script installs a custom Sekur PS stager to %LOCALAPPDATA%\\Microsoft\\WindowsDefender\\ClearTemp.ps1 and\r\nestablishes persistence for this stager with a second VBS that is launched by a scheduled task. Since this\r\ncampaign, CARBON SPIDER has maintained an opportunistic target scope, using phishing attachments and links\r\nto deliver Harpy, Leo VBS, JSS Loader, Domenus VBS and Domenus JS. 
Domenus VBS and JS are backdoors\r\n(written in VBS and JS, respectively) that enumerate a variety of system information, capture screenshots and\r\nbrowser history, and can download secondary payloads from a command-and-control (C2) server. Secondary\r\npayloads can include JS, Portable Executables (PEs), DLLs and PS scripts.\r\nCrowdStrike Intelligence observed numerous Domenus VBS/JS phishing campaigns that made use of\r\ncompromised and legitimate services to host Domenus toolchain payloads, including compromised WordPress\r\ninstallations, compromised SharePoint services, compromised web servers and Google Docs.\r\nREvil Ransomware Campaigns\r\nOn April 28, 2020, CrowdStrike Intelligence observed a Domenus VBS distribution campaign that used a spear-phishing email containing a Google Docs link. The resulting Google Docs page contained a second link that, when\r\nclicked, directed the user to https\u003c:\u003e//chauvinistable\u003c.\u003ecom/perfsecure , ultimately redirecting to a\r\ncompromised SharePoint site. Here, the victim encountered a ZIP file containing a Domenus VBS file that, once\r\nopened, downloaded and executed Harpy from https\u003c:\u003e//electroncador\u003c.\u003ecom/info .\r\nThe redirect URL provided from the Google Docs page https\u003c:\u003e//chauvinistable\u003c.\u003ecom/perfsecure was\r\nhosted on the same IP address ( 185.163.45\u003c.\u003e249 ) resolving to a domain used by multiple Cobalt Strike samples\r\nsharing key configuration metadata with Cobalt Strike samples used in several REvil incidents. These Cobalt\r\nStrike samples were also observed in tandem with the custom PowerShell stager for Sekur. Separate reporting by\r\nSymantec further indicated that similar Cobalt Strike samples were used in campaigns delivering REvil. 
Based on\r\nthese multiple overlaps, CrowdStrike Intelligence assesses with moderate confidence that CARBON SPIDER was\r\nresponsible for certain REvil campaigns, likely stemming from JSS Loader or Domenus VBS/JS infections.\r\nDarkside Ransomware Campaigns + RaaS\r\nOn July 1, 2020, CARBON SPIDER sent a phishing email with the subject “Notification: Package Status Fail.”\r\nThe email purports to be from a customer who received an email from the U.S.-based delivery company UPS\r\n(Figures 1 and 2). The message body attempts to impersonate a UPS notification, but contains several grammar\r\nerrors and non-idiomatic terms (e.g., “waybill”).\r\nFigure 1. CARBON SPIDER phishing email\r\nFigure 2. CARBON SPIDER phishing email (continued)\r\nThe link “Check” led to a Google Docs page, which contained a link that redirected to a ZIP file. The ZIP file was\r\nhosted on a likely compromised SharePoint account and contained Domenus VBS, which downloads Harpy from\r\nhttps\u003c:\u003e//fashionableeder\u003c.\u003ecom/info . At one victim, CARBON SPIDER subsequently deployed the\r\naforementioned custom PS Sekur stager and profiled the Active Directory environment using the utility ADFind.\r\nIn this incident, CARBON SPIDER also used the KillACK PS backdoor, executing the malware using both\r\nPowerShell and PowerShell ISE. KillACK sends host information to a C2 server (in this case, againcome\u003c.\u003ecom\r\nor besaintegration\u003c.\u003ecom ) and executes provided PS script blocks. Multiple KillACK modules have been\r\nobserved by CrowdStrike Intelligence, including modules for conducting self-propagation and AMSI hot-patching, as well as for executing Cobalt Strike stagers and enumerating network information. On Aug. 
9, 2020,\r\nCARBON SPIDER attempted to run the Darkside ransomware with the filename sleep.exe . This filename may\r\nreflect an attempt to masquerade as the legitimate Windows executable with the same name. Following this\r\nincident, CrowdStrike Intelligence identified numerous similar Darkside campaigns featuring distinctive\r\nCARBON SPIDER tooling, including Harpy, Domenus VBS/JS, KillACK and Sekur. The adversary also used the\r\ncommodity Cobalt Strike framework and Plink tunneling tool in many of these campaigns. After achieving initial\r\naccess, the adversary consistently seeks to harvest valid administrative credentials to enable lateral movement and\r\nuses a variety of tools and techniques for this purpose, including CrackMapExec, Kerberoasting, Mimikatz,\r\nPowerSploit and SessionGopher. In one incident, the adversary likely exploited the ZeroLogon vulnerability\r\n(CVE-2020-1472) against a domain controller. Using valid credentials, CARBON SPIDER moves laterally\r\nthrough victim environments using RDP and occasionally SSH. The adversary typically uses PS to run Cobalt\r\nStrike but occasionally writes Cobalt Strike stagers or KillACK backdoors to disk. Occasionally, CARBON\r\nSPIDER has deployed the legitimate GoToAssist or TightVNC tools to provide redundant control of hosts. Similar\r\nto many other ransomware operators, CARBON SPIDER not only encrypted victim files using Darkside, but also\r\nexfiltrated data for publication on a dedicated leak site (DLS) hosted on Tor. For exfiltration, CARBON SPIDER\r\nprimarily leveraged the MEGASync client for hosting provider MEGA but also employed GoToAssist. Further,\r\nCARBON SPIDER frequently conducted hypervisor jackpotting by encrypting ESXi servers using a version of\r\nDarkside specifically designed for ESXi. On Nov. 10, 2020, CARBON SPIDER announced the establishment of\r\nthe Darkside RaaS affiliate program. 
The announcement, posted on two major Russian-language forums, states\r\nthat the operators of Darkside are looking for Russian-speaking affiliates who understand how to recognize and\r\ndelete backups. On Nov. 11, 2020, CARBON SPIDER added a new message to their DLS concerning the new\r\naffiliate program. This announcement claims “we created the perfect product for ourselves,” indicating that\r\nDarkside was originally exclusive to one group and not shared. CrowdStrike Intelligence assesses that Darkside\r\nransomware campaigns prior to this announcement were likely conducted by CARBON SPIDER, and that\r\nCARBON SPIDER was responsible for creating Darkside and introducing the RaaS affiliate program. This\r\nassessment carries moderate confidence, based on:\r\nMultiple separate Darkside incidents attributable to CARBON SPIDER\r\nLow overall volume of Darkside campaigns\r\nThe Nov. 11, 2020 announcement described above indicating Darkside was initially exclusive to one group\r\nThe Oct. 10, 2020 press release indicating Darkside is operated by a single group\r\nSubsequent to the creation of the Darkside RaaS program, CrowdStrike Intelligence continued to observe some\r\nDarkside campaigns almost certainly conducted by CARBON SPIDER — in addition to other campaigns\r\noperated by affiliates — featuring divergent tooling and TTPs. CARBON SPIDER’s campaigns featured the\r\nmalware discussed above, in addition to heavy use of the Cobalt Strike post-exploitation framework.\r\nConclusion\r\nCARBON SPIDER’s shift from POS malware to BGH ransomware attacks exemplifies a broader trend in the\r\neCrime landscape. Numerous adversaries that previously relied on banking trojans (e.g., INDRIK SPIDER) or\r\nPOS compromises (e.g., GRACEFUL SPIDER) have almost entirely reinvented themselves to focus on\r\nransomware, reflecting how lucrative BGH campaigns are. 
Until the economics of cybercrime fundamentally\r\nchange, it is unlikely these adversaries will alter their behavior.\r\nIndicators of Compromise\r\nType Value\r\nLeo VBS 8279ce0eb52a9f5b5ab02322d1bb7cc9cb5b242b7359c3d4d754687069fcb7b8\r\nJSS Loader 98fe1d06e4c67a5a5666dd01d11e7342afc6f1c7b007c2ddbfc13779bcc51317\r\nSekur stager bbd1c244c0861c0048d5eccecbb6dee1a6f57764c7d0028a7cbfd87c93d3166b\r\nDomenus VBS 00fb044af4c92bd06699aaf1d83c4e6805e96f501f84ad1d2ff0885384aa3ea1\r\nDomenus JS 5b7115ab612dcff8e84b2258082a6e7c71b5d52237a4ae8a6642baeb36c2aa48\r\nKillACK 4f5eefe93ac2fa5f92c6bd245fff1400f6a61aeee07076c92c66d82f94dc45c3\r\nTable 1. Exemplar SHA256 hashes of CARBON SPIDER malware\r\nExplanation of Confidence Rating\r\nHigh Confidence: Judgments are based on high-quality information from multiple sources. High\r\nconfidence in the quality and quantity of source information supporting a judgment does not imply that that\r\nassessment is an absolute certainty or fact. The judgment still has a marginal probability of being\r\ninaccurate.\r\nModerate Confidence: Judgments are based on information that is credibly sourced and plausible, but not\r\nof sufficient quantity or corroborated sufficiently to warrant a higher level of confidence. This level of\r\nconfidence is used to express that judgments carry an increased probability of being incorrect until more\r\ninformation is available or corroborated.\r\nLow Confidence: Judgments are made where the credibility of the source is uncertain, the information is\r\ntoo fragmented or poorly corroborated enough to make solid analytic inferences, or the reliability of the\r\nsource is untested. 
Further information is needed for corroboration of the information or to fill known\r\nintelligence gaps.\r\nAdditional Resources\r\nFor more intel about CARBON SPIDER, visit the CrowdStrike Adversary Universe.\r\nTo find out how to incorporate intelligence on threat actors into your security strategy, visit the\r\nCROWDSTRIKE FALCON® INTELLIGENCE™ Threat Intelligence page.\r\nLearn about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product webpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ to see for yourself how true next-gen AV\r\nperforms against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/"
	],
	"report_names": [
		"carbon-spider-embraces-big-game-hunting-part-1"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434801,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c318a5d6d1cea2d53155bf8fcf84354adf047542.pdf",
		"text": "https://archive.orkl.eu/c318a5d6d1cea2d53155bf8fcf84354adf047542.txt",
		"img": "https://archive.orkl.eu/c318a5d6d1cea2d53155bf8fcf84354adf047542.jpg"
	}
}