{
	"id": "6952de12-d02a-436d-9f3d-80cf53753531",
	"created_at": "2026-04-06T00:11:14.991001Z",
	"updated_at": "2026-04-10T13:13:06.585966Z",
	"deleted_at": null,
	"sha1_hash": "e3a92f4c27bc9d7c71197d7efc8999296ddc6318",
	"title": "Introducing BIOLOAD: FIN7 BOOSTWRITE’s Lost Twin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59119,
	"plain_text": "Introducing BIOLOAD: FIN7 BOOSTWRITE’s Lost Twin\r\nBy Omri Misgav\r\nPublished: 2019-12-26 · Archived: 2026-04-05 16:57:43 UTC\r\nA couple of months ago, enSilo’s endpoint protection platform blocked malicious payloads running in legitimate\r\nMicrosoft Windows processes. A deeper look uncovered that the attacker abused the DLL search order to load\r\ntheir own malicious DLL. Some of the samples in the environment matched ones described in a recent publication\r\nby FireEye about FIN7’s new tools and techniques, specifically BOOSTWRITE. Comparing the rest of the\r\nsamples to BOOSTWRITE revealed that they share a common codebase and carry the Carbanak backdoor.\r\nThe Abused Target\r\nWindows uses a common method to look for the DLLs a program requires and load them into it. Adversaries may use this\r\nbehavior to cause the program to load a malicious DLL, a technique known as DLL search order hijacking (or\r\nbinary planting).\r\nThe abused application in this case is FaceFodUninstaller.exe. It exists on a clean OS installation starting from\r\nWindows 10 RS4 (1803) in the “%WINDIR%\\System32\\WinBioPlugIns” folder. The executable depends on\r\nwinbio.dll, which is usually found in the parent directory (“%WINDIR%\\System32”).\r\nWhat makes this executable even more attractive in the eyes of an attacker is the fact that it is started from a built-in scheduled task named FODCleanupTask, thereby minimizing the footprint on the machine and reducing the\r\nchances of detection even further. This demonstrates the group’s ongoing technological research efforts.\r\nBIOLOAD\r\nThe loader file name is WinBio.dll (note the uppercase characters), and it is placed by the attacker alongside the\r\nexecutable in the same folder (“WinBioPlugIns”), thus leveraging the default DLL search order. 
Because the file\r\npath is under %WINDIR%, planting it required the attacker to have elevated privileges on the\r\nvictim’s machine, such as an administrator or SYSTEM account.\r\nLike BOOSTWRITE, this loader was also developed in C++. It exports only a single function, which is the one\r\nFaceFodUninstaller.exe imports.\r\nThe samples target a 64-bit OS and were compiled in March and July of 2019. BOOSTWRITE targets 32-bit\r\nmachines and was compiled (and signed) in May 2019. According to previous reports on the group, they do not\r\nfalsify the compilation timestamps of their binaries.\r\nWhen the DLL is started it checks the number of command line arguments of the process to decide how to act.\r\nWhen the executable is started by the task scheduler it has no command line arguments, and the malware\r\nworks as follows:\r\nhttps://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html\r\nPage 1 of 3\n\n1. Creates a log file at %TEMP%\\~bio\u003cepoch_time\u003e. Logs are textual and aren’t encrypted.\r\n2. Starts itself again as a child process with one command line argument comprised of 32 random upper-case\r\nletters.\r\n3. Establishes persistence by using COM objects to access the task scheduler. The malware makes sure the\r\ntask is enabled, adds a trigger to start it 30 seconds after Windows boots, and does not wait for an idle state.\r\nWhen WinBioGetEnrolledFactors is called, the malware loads the original winbio.dll and invokes the original\r\nfunction.\r\nThe worker process loads and executes the payload DLL in memory. It starts by creating a log file at\r\n%TEMP%\\~wrk\u003cepoch_time\u003e. It then makes sure only a single instance is currently running by creating a named\r\nmutex based on environment variables in this fashion:\r\nBIOLOAD also has the encrypted payload DLL embedded in it. In contrast to BOOSTWRITE, it does not support\r\nmultiple payloads. 
Furthermore, to decrypt the payload it uses simple XOR decryption rather than a ChaCha\r\ncipher, and it does not access a remote server to fetch the key. Instead, BIOLOAD is tailor-made for every machine it\r\ninfects, as it relies on the machine name to properly derive the decryption key.\r\nThe key is 16 bytes long and is also embedded in the loader. A portion of the key is overwritten with the\r\nresult of MurmurHash3 on the key, using a CRC32 checksum of the computer name as the seed. This hinders\r\ndetection by sandboxes and obstructs researchers from analyzing the payload when the relevant context is missing.\r\nThe PE loader implementation is the same as the one in BOOSTWRITE. The format of the log file name is similar\r\nas well.\r\nThe Carbanak Backdoor\r\nAs mentioned, the payload this loader carries is the Carbanak backdoor. The samples we extracted from\r\nBIOLOAD are newer builds of the backdoor, dated January and April of 2019, according to their timestamps.\r\nOne notable addition is that it checks whether another Anti-Virus (AV) is running on the machine, besides\r\nKaspersky, AVG and TrendMicro. The result, however, has no effect on the operation of the backdoor, unlike\r\nwith the previously detected AVs.\r\nFinal Thoughts\r\nThis is the first public case of FaceFodUninstaller.exe being abused as a host process by a threat actor.\r\nThe shared codebase with recent tools attributed to FIN7, together with the same techniques and backdoor, allows\r\nthis new loader to be attributed to the cybercrime group. 
The timestamps, together with the simpler functionality, suggest\r\nBIOLOAD is a preceding iteration of BOOSTWRITE.\r\nSince the loader is specifically built for each targeted machine and requires administrative permissions to deploy,\r\nthe group evidently gathers information about its targets’ networks beforehand.\r\nSolutions\r\nThis malware uses a common, yet stealthy and effective, method to execute its payload in the context of legitimate\r\nprocesses.\r\nCountermeasures should be in place to detect this malicious behavior. The recently acquired FortiEDR, an\r\nEndpoint Detection and Response solution integrated into FortiGate firewalls, FortiSIEM and FortiSandbox,\r\ndetects and blocks such behavior post-infection to help incident responders quickly mitigate and respond to such\r\nthreats.\r\nFortiClient detects and blocks the IOCs listed below as W64/Inject.B!tr.spy and W64/Carbanak.A2EB!tr.\r\nIn addition, as part of our membership in the Cyber Threat Alliance, details of this threat were shared in real time\r\nwith other Alliance members to help create better protections for customers.\r\nIOCs\r\nWinBio.dll (scrubbed key and payload) SHA256\r\n7bdae0dfc37cb5561a89a0b337b180ac6a139250bd5247292f470830bd96dda7\r\nc1c68454e82d79e75fefad33e5acbb496bbc3f5056dfa26aaf1f142cee1af372\r\nCarbanak SHA256\r\n77a6fbd4799a8468004f49f5929352336f131ad83c92484b052a2eb120ebaf9a\r\n42d3cf75497a724e9a9323855e0051971816915fc7eb9f0426b5a23115a3bdcb\r\nSource: https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html"
	],
	"report_names": [
		"bioload-fin7-boostwrite-lost-twin.html"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434274,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3a92f4c27bc9d7c71197d7efc8999296ddc6318.pdf",
		"text": "https://archive.orkl.eu/e3a92f4c27bc9d7c71197d7efc8999296ddc6318.txt",
		"img": "https://archive.orkl.eu/e3a92f4c27bc9d7c71197d7efc8999296ddc6318.jpg"
	}
}