{ "id": "1509bc98-39bf-49eb-937f-1532b38bbef9", "created_at": "2026-04-06T00:06:39.093731Z", "updated_at": "2026-04-10T13:12:56.738167Z", "deleted_at": null, "sha1_hash": "d383b96346978035f9aa744c0fe19a58933fe2d6", "title": "Corkow, Metel - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 56231, "plain_text": "Corkow, Metel - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 17:39:29 UTC\r\nHome \u003e List all groups \u003e Corkow, Metel\r\n APT group: Corkow, Metel\r\nNames\r\nCorkow (Group-IB)\r\nMetel (Kaspersky)\r\nCountry Russia\r\nMotivation Financial crime\r\nFirst seen 2011\r\nDescription\r\n(Group-IB) In February 2015 the first major successful attack on a Russian trading system\r\ntook place, when hackers gained unsanctioned access to trading system terminals using a\r\nTrojan resulting in trades of more than $400million.\r\nThe criminals made purchases and sales of US dollars in the Dollar/Ruble exchange program\r\non behalf of a bank using malware. The attack itself lasted only 14 minutes, however, it\r\nmanaged to cause a high volatility in the exchange rate of between 55/62 (Buy/Sell) rubles per\r\n1 dollar instead of the 60-62 stable range.\r\nTo conduct the attack criminals used the Corkow malware, also known as Metel, containing\r\nspecific modules designed to conduct thefts from trading systems, such as QUIK operated by\r\nARQA Technologies and TRANSAQ from ZAO “Screen market systems”. Corkow provided\r\nremote access to the ITS-Broker system terminal by «Platforma soft» Ltd., which enabled the\r\nfraud to be committed.\r\nIn August 2015 a new incident related to the Corkow (Metel) Trojan was detected. An attack\r\non a bank card systems, which included about 250 banks which used the bank card system to\r\nservice cash withdrawals from Visa and MasterCard cards under a special tariff. This attack\r\nresulted in the hundreds of millions of rubles being stolen via ATMs of the systems members.\r\nObserved\r\nSectors: Financial.\r\nCountries: Argentina, Austria, Belarus, Brazil, Croatia, Cyprus, Denmark, Estonia, France,\r\nGermany, Italy, Kazakhstan, Latvia, Mexico, Peru, Poland, Singapore, Spain, Switzerland,\r\nRussia, Thailand, Turkey, UK, Ukraine, USA.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=d2e095c9-2561-4c36-afe6-d38320bb63a9\r\nPage 1 of 2\n\nTools used Corkow, Metel.\nInformation\nLast change to this card: 14 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d2e095c9-2561-4c36-afe6-d38320bb63a9\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=d2e095c9-2561-4c36-afe6-d38320bb63a9\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d2e095c9-2561-4c36-afe6-d38320bb63a9" ], "report_names": [ "showcard.cgi?u=d2e095c9-2561-4c36-afe6-d38320bb63a9" ], "threat_actors": [ { "id": "a58aedbc-e89f-4e0c-8147-c6406a616cfa", "created_at": "2022-10-25T16:07:23.494355Z", "updated_at": "2026-04-10T02:00:04.629595Z", "deleted_at": null, "main_name": "Corkow", "aliases": [ "Corkow", "Metel" ], "source_name": "ETDA:Corkow", "tools": [ "Corkow", "Metel" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775433999, "ts_updated_at": 1775826776, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d383b96346978035f9aa744c0fe19a58933fe2d6.pdf", "text": "https://archive.orkl.eu/d383b96346978035f9aa744c0fe19a58933fe2d6.txt", "img": "https://archive.orkl.eu/d383b96346978035f9aa744c0fe19a58933fe2d6.jpg" } }