{ "id": "188ac6c6-eba7-49e9-976f-95ed287f687e", "created_at": "2026-04-06T00:08:24.132869Z", "updated_at": "2026-04-10T13:12:21.657831Z", "deleted_at": null, "sha1_hash": "e295f81919c5c443144423ef661774a901f4f0a7", "title": "BOOSTWRITE (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 31148, "plain_text": "BOOSTWRITE (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 16:42:44 UTC\r\nBOOSTWRITE\r\nActor(s): Anunak\r\nFireEye describes BOOSTWRITE as a loader crafted to be launched via abuse of the DLL search order of\r\napplications which load the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. The\r\napplication loads the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant\r\nidentified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force\r\nthe application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.\r\nReferences\r\nYara Rules\r\n[TLP:WHITE] win_boostwrite_w0 (20191012 | No description)\r\nDownload all Yara Rules\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.boostwrite\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.boostwrite\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boostwrite" ], "report_names": [ "win.boostwrite" ], "threat_actors": [ { "id": "c9617bb6-45c8-495e-9759-2177e61a8e91", "created_at": "2022-10-25T15:50:23.405039Z", "updated_at": "2026-04-10T02:00:05.387643Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Carbanak", "Anunak" ], "source_name": "MITRE:Carbanak", "tools": [ "Carbanak", "Mimikatz", "PsExec", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434104, "ts_updated_at": 1775826741, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e295f81919c5c443144423ef661774a901f4f0a7.pdf", "text": "https://archive.orkl.eu/e295f81919c5c443144423ef661774a901f4f0a7.txt", "img": "https://archive.orkl.eu/e295f81919c5c443144423ef661774a901f4f0a7.jpg" } }