{
	"id": "799e4918-478a-4711-a823-16fa6fa2b4e8",
	"created_at": "2026-04-06T01:30:24.696963Z",
	"updated_at": "2026-04-10T13:11:59.816346Z",
	"deleted_at": null,
	"sha1_hash": "c5931c04d987c7fb790afae8dc03a424f3a418b1",
	"title": "GEMCUTTER (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 29268,
	"plain_text": "GEMCUTTER (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-06 00:20:53 UTC\r\nAccording to FireEye, GEMCUTTER is used in a similar capacity as BACKBEND (downloader), but maintains\r\npersistence by creating a Windows registry run key.\r\nGEMCUTTER checks for the presence of the mutex MicrosoftGMMZJ to ensure only one copy of\r\nGEMCUTTER is executing. If the mutex doesn't exist, the malware creates it and continues execution; otherwise,\r\nthe malware signals the MicrosoftGMMExit event.\r\n[TLP:WHITE] win_gemcutter_auto (20251219 | Detects win.gemcutter.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter"
	],
	"report_names": [
		"win.gemcutter"
	],
	"threat_actors": [],
	"ts_created_at": 1775439024,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5931c04d987c7fb790afae8dc03a424f3a418b1.pdf",
		"text": "https://archive.orkl.eu/c5931c04d987c7fb790afae8dc03a424f3a418b1.txt",
		"img": "https://archive.orkl.eu/c5931c04d987c7fb790afae8dc03a424f3a418b1.jpg"
	}
}