{
	"id": "36f13393-2b65-428b-94bc-f4e361218310",
	"created_at": "2026-04-06T01:31:00.142614Z",
	"updated_at": "2026-04-10T03:38:20.160041Z",
	"deleted_at": null,
	"sha1_hash": "dcb2172fc9fe524167b4ae8dde9428285c9287d0",
	"title": "Financial Cyberthreats in 2020",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2876366,
	"plain_text": "Financial Cyberthreats in 2020\r\nBy Kaspersky\r\nPublished: 2021-03-31 · Archived: 2026-04-06 00:23:21 UTC\r\n2020 was challenging for everyone: companies, regulators, individuals. Due to the limitations imposed by the epidemiological situation, particular categories of users and businesses were increasingly targeted by cybercriminals. While we were adjusting to remote work and the other new conditions, so were scammers. As a result, 2020 was extremely eventful in terms of digital threats, in particular those faced by financial institutions.\r\nAt the same time, some of the known APT (advanced persistent threat) groups that do not generally target financial institutions have tried their hand at it. Sitting at a special crossroads between APT activity and financial crime, the Lazarus group has long been among the most active ones in the financial sphere. In 2020, the group tried its hand at the big extortion game with the VHD ransomware family. Later on, other groups, such as MuddyWater, followed suit.\r\nMoreover, in 2020, we saw regional actors go global. A few Brazilian malware families expanded their operations to other continents, targeting victims in Europe and Asia. We have dubbed the first four families to have done this (Guildma, Javali, Melcoz, Grandoreiro) “the Tétrade”. Later on, the authors of Guildma also created the new banking malware Ghimob, targeting users located in Brazil, Paraguay, Peru, Portugal, Germany, Angola, and Mozambique.\r\nOf course, the known financial threats have remained, too. The year 2020 saw a surge in the use of Emotet, described by Interpol as “the world’s most dangerous malware”. At the beginning of 2021, law enforcement agencies all over the world joined forces to disrupt the botnet’s infrastructure. According to Kaspersky experts, the operation will frustrate Emotet’s activities for at least several months. 
In the meantime, at least some of Emotet’s customers have switched to Trickbot.\r\nEven though, in 2020, we saw ever more sophisticated cyberattacks, the overall statistics look encouraging: the number of users hit by computer and mobile malware declined, and so did financial phishing. Still, that does not mean that the cyber world has become a safer place; it means that cybercriminals’ goals and tactics have changed. Despite the decreasing overall numbers, we see that attacks have become more targeted and business-oriented. At the same time, we observe cybercriminals skillfully adapting to the global changes and benefiting from teleworking vulnerabilities and the rising popularity of online shopping. This report aims to shed light on the details of financial cyberthreats in 2020.\r\nThis research is a continuation of our annual financial threat reports (2019, 2018 and 2017) providing an overview of the latest trends and key events across the financial threat landscape. Traditionally, the study covers the common phishing threats encountered by users, along with Windows and Android-based financial malware.\r\nMethodology\r\nhttps://securelist.com/financial-cyberthreats-in-2020/101638/\r\nPage 1 of 28\r\nIn this research, by financial malware we mean several types of malicious software. Firstly, we identify as financial the malware targeting users of financial services such as online banking, payment systems, e-money services, e-shops, and cryptocurrency services. Secondly, we use the term for malware attempting to gain access to financial organizations and their infrastructure. 
In most cases, financial malware attacks rely on spamming and phishing activities, such as creating and distributing fake finance-themed web pages and emails to steal victims’ payment information.\r\nTo examine the financial sector threat landscape, Kaspersky researchers analyzed the malicious activity on devices owned by individuals using Kaspersky security products, who volunteered to make the data available to us through the Kaspersky Security Network. The corporate user statistics were collected from enterprise security solutions after our customers agreed to share their data with Kaspersky.\r\nThe data for 2020 was mostly compared against 2019 to monitor malware development trends. However, in some parts, for better insight into the evolution of financial malware, the study also refers to earlier years.\r\nKey findings\r\nPhishing:\r\nIn 2020, the percentage of users hit by phishing declined slightly, from 15.7% to 13.2%.\r\nThis time around, e-shops became the target of choice for phishing attacks. Almost one in five attempted visits to phishing pages blocked by Kaspersky products was related to online store phishing.\r\nPhishing attacks against PayPal users soared from 26.8% in 2019 to 38.7% in 2020. 
The longtime leader of the category, Visa, dropped to fourth place with 10.2% of the phishing attacks against users of payment systems prevented by Kaspersky in 2020.\r\nPC:\r\nIn 2020, 625,364 users were attacked by banking Trojans, 148,579 fewer than the 773,943 attacked in 2019.\r\nThis year, users in Russia, Germany and Kazakhstan were the most frequent targets of financial malware.\r\nZbot is still the most widespread banking malware (22.2% of attacked users); second place is now held by CliptoShuffler (15.3%), with Emotet (14.5%) in third place, as before.\r\n36% of users hit by banking malware are corporate users, an increase of one percentage point from the previous year.\r\nMobile:\r\nThis year, the number of users attacked by Android banking malware dropped sharply, by more than 55%: from 675,772 in 2019 to 294,158 in 2020.\r\nJapan, Taiwan and Spain ended up with the highest percentage of users hit by Android banking malware.\r\nFinancial phishing\r\nFinancial phishing is one of the most popular tools used by cybercriminals to make money. Its prevalence is explained by the fact that it does not require much investment or technical expertise. In most cases, successful scammers gain access either to the victim’s money or to data that can be sold or otherwise monetized.\r\nPercentage of financial phishing attacks (of the overall phishing attacks) detected by Kaspersky, 2016 – 2020\r\nIn 2020, Kaspersky anti-phishing technologies detected 434,898,635 attempted visits to various types of phishing pages. As can be seen from the graph above, 37.2% of those were related to financial phishing, 14.2 p.p. less than the figure registered in 2019 (51.4%) and the lowest financial phishing percentage in the past five years.\r\nBy “financial phishing” we mean not banking phishing alone but several other types as well. 
For one, there are the ‘payment systems’, which include pages mimicking well-known payment brands like PayPal, Visa, Mastercard, American Express and others. There are also the ‘e-shops’, which include online stores and auction sites like Amazon, the Apple store, Steam, eBay and others.\r\nIn 2019, the financial phishing cases detected by Kaspersky products were distributed as follows:\r\nDistribution of financial phishing cases by type in 2019\r\nDistribution of financial phishing cases by type in 2020\r\nThe year 2020 was definitely a unique one when it comes to financial phishing. One year back, we reported an increase in bank-related phishing from less than 22% to almost 30%. In 2020, banking phishing reached only 10.72% of the total. E-shop phishing, on the contrary, more than doubled, from 7.57% in 2019 to 18.12%. Kaspersky experts connect these changes with the lockdown measures due to the pandemic: at home most of the time, people turned to online shopping and digital entertainment. Thus, growing demand from users has led to increased “supply” from cybercriminals. It should be noted that, while online shopping proved the most appealing field for scammers, payment systems were not that much of a lure, their share barely reaching 8.41%.\r\n2019 statistics on payment systems:\r\nThe most frequently used brands in ‘payment systems’ financial phishing schemes in 2019\r\nAs can be observed from the graph above, the users of Visa Inc. (37.6%) were targeted the most in 2019. 
PayPal came in second with 26.8%, while Mastercard closed the top 3.\r\nThe most frequently used brands in ‘payment systems’ financial phishing schemes in 2020\r\nIn 2020, the PayPal brand name (38.7%) was used in scams more than that of any other popular payment system. Its share grew by 12 p.p.\r\nExample of a phishing page targeting PayPal users\r\nMastercard made it to second place, slightly increasing its share from 16.3% to 17.5%. Third and fourth places, with a tiny difference between them, were taken by American Express (10.6%) and Visa (10.2%). In other words, in 2020, scammers mimicked Visa Inc. less than a third as often as in 2019 (37.6%).\r\nExample of a phishing page targeting Visa users\r\nIn 2019, we analyzed the ‘e-shop’ brands most frequently used by cybercriminals in financial phishing schemes. The results showed Apple (42.8%) to be the number one choice for scams. The online stores Amazon (23.6%) and eBay (14.2%) took second and third place respectively.\r\nBrands most frequently used in ‘e-shop’ financial phishing schemes, 2019\r\nExamples of phishing pages based on the online store brands most used by cybercriminals\r\nIn 2020, as e-shop phishing continued to grow, Amazon made it to first place with 27.84% of the total. Challenged by the popular online store, Apple (27.07%) stepped down to second place, its share reduced by more than 15 p.p. 
Steam and eBay swapped positions: Steam (14.90%) finished third, and eBay (12.85%) fourth.\r\nBrands most frequently used in ‘e-shop’ financial phishing schemes, 2020\r\nBanking malware for PC\r\nIn this study, we analyze banking malware that steals the credentials used to access online banking or payment system accounts and intercepts one-time passwords.\r\nAfter an upsurge of malware activity in October 2016, when as many as 1,494,236 users were hit, we observed a gradual decline in the number of users attacked with banking malware. 2020 was no exception. The number of attacked users declined from 773,943 in 2019 to 625,364, almost a 20% drop.\r\nThe reduction can be explained by the fact that attacks are becoming more targeted: cybercriminals now prefer to attack large businesses. Yet ordinary users and small entities continue to fall victim to malware families such as Zbot, CliptoShuffler, Emotet, RTM and others.\r\nDynamic change in the number of unique users attacked with banking malware 2018 – 2020\r\nThe main actors\r\nEvery year we detect multiple families of banking malware: some of them become outdated, others, on the contrary, gain popularity among cybercriminals. Below is a list of the top 10 most active banking malware families detected in 2019. The leading ones were Zbot (21.6%), RTM (19.8%), Emotet (12.6%), CliptoShuffler (5.6%) and Trickster (5.5%).\r\nTOP 10 most widespread banking malware families in 2019\r\nThis year we continued tracking the most active banking malware families. It is quite noteworthy that only four of them (Zbot, CliptoShuffler, Emotet and RTM) account for more than half of the attacked users. 
Below is a list of the top 10 banking malware families we detected in 2020.\r\nTOP 10 most widespread banking malware families in 2020\r\nWhile Zbot (22.2%) still enjoys the status of the most used malware in the financial sphere, there were some changes in the list. RTM, with 10.5%, dropped from second to fourth place, while two other families, CliptoShuffler (15.3%) and Emotet (14.5%), both climbed higher in 2020. Notably, Gozi (3.3%), the second most active family just two years ago, was pushed down to ninth place.\r\nWhat is more, 2020 was also notable for the expansion of regional threat actors beyond their home markets. Thus, the four large Brazilian families we have called the Tétrade went global, targeting not only Latin America but Asian and European countries as well.\r\nGeography of attacked users\r\nTo assess and compare the degree of computer infection risk faced by users in different countries of the world, we have calculated for each country the proportion of all Kaspersky product users attacked by financial malware during the reporting period who were located in that country.\r\nTraditionally, more than half of all users hit with banking malware in 2019 and 2020 came from 10 countries. 
In 2019, the top 10 was as follows:\r\nRussian Federation 33.6%\r\nGermany 7.4%\r\nChina 3.3%\r\nBrazil 3.0%\r\nIndia 3.0%\r\nMexico 3.0%\r\nVietnam 2.7%\r\nItaly 2.6%\r\nKazakhstan 2.0%\r\nUnited States 2.0%\r\nIn 2019, Russia’s share reached 33.6% of the total, with Germany finishing second with 7.4%, and China closing the top three with 3.3%.\r\nIn 2020, the situation was as follows:\r\nRussian Federation 26.6%\r\nGermany 4.5%\r\nKazakhstan 4.1%\r\nBrazil 3.4%\r\nChina 3.4%\r\nItaly 3.3%\r\nIndia 3.1%\r\nMexico 2.8%\r\nVietnam 2.8%\r\nUzbekistan 2.3%\r\nAs can be seen from the chart, despite the decline, Russia (26.6%) and Germany (4.5%) still hold first and second place in the top 10. Notably, Russia’s figures always tend to be the highest because most Kaspersky users are located in Russia. Kazakhstan, which used to be 9th with 2.0%, this year broke into the top three, having added about 2 percentage points.\r\nTypes of users attacked\r\nFinancial malware is becoming more corporate-oriented. This year we observed that 36% of users attacked by banking malware are corporate users, one percentage point up from the previous year. This partly confirms our hypothesis about cybercriminals shifting their attention to the corporate sector. Still, the increase is relatively small, and we expect the redistribution of attacks between corporate and private users to become clearer in the near future.\r\nCorporate vs consumer product users, 2019–2020\r\nAll in all, in 2020, companies became more vulnerable due to the restrictions on onsite work and staff, coupled with an increased number of employees using the corporate network remotely. The hasty transition to teleworking has affected corporate security: most businesses were not ready to go online. 
Some of them lacked the devices, so employees had to use their home computers for work. Lack of online security training, default laptop configurations left as is, vulnerable remote access connections: together these factors have paved the way for all sorts of attacks, including banking malware scams.\r\nThree years ago, in 2018, cryptocurrencies were the hottest topic and turned the eyes of the whole cybersecurity community to the new danger. We have analyzed the hidden mining software cybercriminals spread to make money at users’ expense, and found that today this malicious activity is not that widespread.\r\nNumber of users attacked by mining malware in 2019\r\nNumber of users attacked by mining malware in 2020\r\nGeography of mining attacks, 2020\r\nThus, in 2020, we continued to observe a downward trend for this type of threat. Yet by the end of the year the numbers reached a certain plateau, and we even saw local trend reversals. It is likely that the sharp increase in cryptocurrency prices at the end of 2020 may boost the threat in early 2021. Moreover, due to the COVID crisis, we may yet see some economies collapsing and local currencies plummeting in 2021, which would make cryptomining a lot more attractive.\r\nMobile banking malware\r\nAndroid banking malware is a well-known threat Kaspersky experts have been analyzing for years. Last year was a dramatic one in terms of mobile banking malware. 
As stated in our previous annual report, in 2019 the number of users hit by it dropped to just over 675 thousand from around 1.8 million in 2018.\r\nNumber of users attacked with Android banking malware, 2018 – 2019\r\nIn 2020, we observed a continuation of this trend as the number of attacked users decreased by more than 55% to 294,158.\r\nNumber of users attacked with Android banking malware, 2019 – 2020\r\nTo get a better view of the reasons behind these dramatic changes, Kaspersky experts took a closer look at the landscape and reviewed the most widespread families over the year. In 2019, the situation was as follows:\r\nMost widespread Android banking malware in 2019\r\nIn 2020, Asacub (25.6%) still has the largest share, although it shrank by 18.8 percentage points since 2019. Agent (18.0%) is still in second position, with a slightly smaller share than the year before. Svpeng (12.8%), which mostly hunts for administrator rights on the infected device, was this year overtaken by Rotexy (17.9%), which combines a banking Trojan’s features with those of a ransomware blocker.\r\nMost widespread Android banking malware in 2020\r\nAll in all, 2020 was rich in new mobile banking malware. Here is a brief overview of this year’s major findings:\r\nTrojan-Banker.AndroidOS.Ghimob.a\r\nNew banking malware from the Tétrade group that went global this year and attacked banks, exchanges, cryptocurrency exchangers and fintech organizations in Brazil, Paraguay, Peru, Portugal, Germany, Angola, and Mozambique. 
Ghimob was able to spy on a total of 153 mobile apps, which is impressive for a banking Trojan.\r\nTrojan-Banker.AndroidOS.Gorgona.a\r\nThe malware mimics Google Play and uses the notification panel to attract the user’s attention. It can make and redirect calls, execute USSD commands, install additional apps and block the device if needed. If granted permission to use Accessibility, it can obtain even more rights, for example to receive and process text messages, which lets it intercept SMS-based two-factor authentication codes. It uses TCP for C2 communication and tends to target banks in Turkey.\r\nTrojan-Banker.AndroidOS.Knobot.a\r\nA new player in the financial threat market. Alongside phishing windows and interception of two-factor authentication messages, the Trojan offers several features not typical of financial threats, for example a mechanism for intercepting the device PIN code through Accessibility services. Ironically, it asks the victim to delegate these rights and even provides brief instructions on how to do so.\r\nA screenshot of Trojan-Banker.AndroidOS.Knobot.a on a user’s phone\r\nGeography of attacked users\r\nTop 10 countries by percentage of users hit by Android banking malware in 2019:\r\nRussian Federation 0.72%\r\nSouth Africa 0.66%\r\nAustralia 0.59%\r\nSpain 0.29%\r\nTajikistan 0.21%\r\nTurkey 0.20%\r\nUnited States 0.18%\r\nItaly 0.17%\r\nUkraine 0.17%\r\nArmenia 0.16%\r\nTop 10 countries by percentage of users hit by Android banking malware in 2020:\r\nJapan 2.83%\r\nTaiwan (province of China) 0.87%\r\nSpain 0.77%\r\nItaly 0.71%\r\nTurkey 0.60%\r\nKorea 0.34%\r\nRussian Federation 0.25%\r\nTajikistan 0.21%\r\nPoland 0.17%\r\nAustralia 0.15%\r\nAs can be seen from the statistics, the ranking was completely reshuffled year on year. Russia moved from its top position in 2019 to 7th place in 2020. Armenia, which closed the 2019 chart, left it altogether. On the other hand, Japan (2.83%) and Taiwan (0.87%), not even mentioned in 2019, rapidly gained more users hit by Android banking malware and made it to the top. Meanwhile, Spain (0.77%) ousted Australia from third place with almost 3,000 affected users.\r\nConclusion\r\nThe year 2020 has shown that cybercriminals can easily adapt to the new realities of the changing world. They keep updating their malware with new features and improving their detection-avoidance techniques. The general statistics in all the areas we have analyzed (PC and mobile malware, phishing) are on a downward trend, which is a good sign.\r\nWe have observed that, in 2020, phishing scammers switched their attention from banks to e-shops. This trend is closely related to the pandemic, which has greatly changed the public’s attitude towards online shopping: criminals noticed its growing popularity and turned their focus to it. We have registered a slight increase in the share of malware attacks against corporate users. The emerging trend of banking Trojans targeting corporate users is also of concern, as such attacks are likely to bring more problems than attacks on individuals. At the same time, the regional scam factories targeting financial organizations are increasingly reaching the global level, potentially resulting in more growth in 2021. 
Thus, even though the general statistics look positive, we have to consider the massive threat landscape still faced by financial organizations.\r\nFor protection against financial threats, Kaspersky recommends that users:\r\nInstall only applications obtained from reliable sources, such as official websites;\r\nCheck the access rights and permissions requested by an application, and do not grant them if they fail to match the app’s feature set;\r\nNever follow links from spam messages and never open documents attached to them;\r\nInstall a trusted security solution, such as Kaspersky Security Cloud, which will protect you from a broad range of financial cyberthreats.\r\nTo protect your business from financial malware, Kaspersky security experts recommend:\r\nIntroduce cybersecurity awareness training for your employees, particularly those responsible for accounting, to teach them to detect phishing pages and improve the digital literacy of staff in general;\r\nFor critical user profiles, such as those in financial departments, enable default-deny mode for web resources to ensure that only legitimate ones can be accessed;\r\nInstall the latest updates and patches for all the software you use;\r\nFor protection from complex threats and targeted attacks, install anti-APT and EDR solutions for network threat detection, incident investigation and timely recovery action. Provide your SOC team with access to the latest threat intelligence and regular upskill training. All these are available within the Kaspersky Expert Security framework.\r\nSource: https://securelist.com/financial-cyberthreats-in-2020/101638/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/financial-cyberthreats-in-2020/101638/"
	],
	"report_names": [
		"101638"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439060,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dcb2172fc9fe524167b4ae8dde9428285c9287d0.pdf",
		"text": "https://archive.orkl.eu/dcb2172fc9fe524167b4ae8dde9428285c9287d0.txt",
		"img": "https://archive.orkl.eu/dcb2172fc9fe524167b4ae8dde9428285c9287d0.jpg"
	}
}