GEMCUTTER (Malware Family)
By Fraunhofer FKIE
Archived: 2026-04-06 00:20:53 UTC
According to FireEye, GEMCUTTER is used in a similar capacity as BACKBEND (downloader), but maintains
persistence by creating a Windows registry run key.
GEMCUTTER checks for the presence of the mutex MicrosoftGMMZJ to ensure only one copy of
GEMCUTTER is executing. If the mutex doesn't exist, the malware creates it and continues execution; otherwise,
the malware signals the MicrosoftGMMExit event.
[TLP:WHITE] win_gemcutter_auto (20251219 | Detects win.gemcutter.)
Source: https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter
https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter
Page 1 of 1