{
	"id": "512f78d9-8665-4092-bf3a-2dd5ae4b3334",
	"created_at": "2026-04-06T00:06:38.215632Z",
	"updated_at": "2026-04-10T03:35:53.1137Z",
	"deleted_at": null,
	"sha1_hash": "e548515c941689792b648aa40da2d04993e57615",
	"title": "Cybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs to Drop Javascript Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6485540,
	"plain_text": "Cybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs\r\nto Drop Javascript Backdoor\r\nBy Anomali Threat Research\r\nPublished: 2025-12-18 · Archived: 2026-04-05 18:37:07 UTC\r\nFIN7 is one of the most notorious financially motivated groups due to the large amounts of sensitive data they\r\nhave stolen through numerous techniques and attack surfaces.\r\nOverview\r\nTechnical Analysis\r\nAttribution\r\nEndnotes\r\nIoCs\r\nMITRE ATT\u0026CK\r\nhttps://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor\r\nPage 1 of 19\n\nAuthored by: Gage Mele, Tara Gould, Rory Gould, and Sean Townsend\r\nKey Findings\r\nAnomali Threat Research discovered six malicious Windows 11 Alpha-themed Word documents with\r\nVisual Basic macros being used to drop JavaScript payloads, including a Javascript backdoor.\r\nWhile we cannot conclusively identify the attack vector for this activity, our analysis. strongly suggests the\r\nattack vector was an email phishing or spearphishing campaign.\r\nWe assess with moderate confidence that the financially motivated threat group FIN7 is responsible for this\r\ncampaign.\r\nhttps://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor\r\nPage 2 of 19\n\nBased on the file names observed in this campaign, the activity likely took place around late-June to late-July 2021.\r\nOverview\r\nAnomali Threat Research conducted analysis on malicious Microsoft Word document (.doc) files themed after\r\nWindows 11 Alpha and assess with moderate confidence that these Word documents were part of a campaign\r\nconducted by the threat group FIN7. The group’s goal appears to have been to deliver a variation of a JavaScript\r\nbackdoor used by FIN7 since at least 2018.[1]\r\nFIN7\r\nFIN7 is an Eastern European threat group that has been active since at least mid-2015. 
They primarily target United States (US)-based companies across various industries but also operate on a global scale. The group is one of the world’s most notorious cybercrime groups and has been credited with the theft of over 15 million payment card records that cost organizations around the world approximately one billion dollars (USD) in losses.[2] In the US alone, the group has targeted over 100 companies and compromised the networks of organizations in 47 states and the District of Columbia.[3] While FIN7’s primary objective is to directly steal financial information, such as credit and debit card data, they will also steal sensitive information to sell on underground marketplaces.\r\nThere has been a concerted attempt by law enforcement to tackle the group, including the arrest of three members in August 2018 and of a high-level organizer in April 2021.[4] Despite these personnel losses and media attention, the group has continued a steady stream of documented activity since at least 2015.[5]\r\nIn early 2021, FIN7 was identified as gaining illicit access to a law firm’s network by using a fake legal complaint themed around Brown-Forman Inc., the parent company of Jack Daniels whiskey.[6]\r\nRelated Groups\r\nFIN7 is closely associated with the threat group referred to as “Carbanak,” with the two groups sharing a significant number of TTPs including the use of the Carbanak backdoor.[7] As such, news media and some intelligence vendors use the names interchangeably. 
To add to the confusion, different vendors will use their own naming conventions for each group, which include:\r\nFIN7 - Carbon Spider (Crowdstrike), Gold Niagara (Secureworks), Calcium (Symantec)\r\nCarbanak - Carbon Spider (Crowdstrike), Anunak (Group-IB)\r\nTrend Micro released a report in April 2021 outlining the differences in TTPs between the two groups, and MITRE also tracks the two groups separately.[8] For clarity, we will treat FIN7 and Carbanak as separate groups; the main distinction being that FIN7 focuses on hospitality and retail sectors, while Carbanak targets banking institutions.\r\nTechnical Analysis\r\nWord Document\r\nMD5 d60b6a8310373c9b84e6760c24185535\r\nFile name Users-Progress-072021-1.doc\r\nThe infection chain began with a Microsoft Word document (.doc) containing a decoy image claiming to have been made with Windows 11 Alpha. The image asks the user to Enable Editing and Enable Content to begin the next stage of activity, as shown in Figure 1 below.\r\nFigure 1 – Windows 11-Themed Maldoc\r\nAnalyzing the file, we can see a VBA macro populated with junk data as comments, shown in Figure 2. Once the content/editing has been enabled, the macro is executed.\r\nFigure 2 – VBA Macro with Junk Data\r\nJunk data is a common tactic used by threat actors to impede analysis. 
Once we remove this junk data, we are left with a VBA macro, as shown in Figure 3 below.\r\nFigure 3 – VBA Macro without Junk Data\r\nThe VBScript will take encoded values from a hidden table inside the .doc file, shown in Figure 4.\r\nFigure 4 – Values and Key from Hidden Table\r\nThe values are deciphered with the function shown in Figure 5.\r\nFigure 5 – Decoding Function in VBScript\r\nThe values from the table are deobfuscated using an XOR cipher. In this sample, the key is “uPHdq3MxjOCfnXB.”\r\nFigure 6 – VBA Decoding Function Ported into Python\r\nAfter deobfuscating the VBA macro, using the script shown in Figure 6, we can see what is occurring in the code.\r\nFigure 7 – Checks Carried Out\r\nShown in Table 1 are the language checks carried out.\r\nTable 1 – Language checks\r\nCode Language\r\n1049 Russian\r\n1058 Ukrainian\r\n2073 Russian-Moldova\r\n1070 Sorbian\r\n1051 Slovak\r\n1060 Slovenian\r\n1061 Estonian\r\n3098 Serbian\r\n2074 Serbian (Latin)\r\nIf these languages are detected, the function me2XKr is called, which deletes the table and stops running.\r\nFigure 8 – VM Checks\r\nThe script checks for virtual machines, as shown in Figure 8, and if one is detected it stops running.\r\nFigure 9 – Domain Check\r\nShown in Figure 9, the script checks for the domain CLEARMIND, which appears to refer to the domain of a Point-of-Sale (POS) service provider.\r\nThe checks include:\r\nDomain name, specifically CLEARMIND (Figure 9)\r\nLanguage, if any of the languages listed in Table 1\r\nReg Key Language Preference for Russian\r\nVirtual machine - VMWare, VirtualBox, innotek, QEMU, Oracle, Hyper and Parallels; if a VM is detected the script is killed (Figure 8)\r\nMemory Available, if there is less than 4GB then don’t proceed\r\nCheck for RootDSE via LDAP\r\nIf the checks are satisfactory, the script proceeds to the function where a JavaScript file called word_data.js is dropped to the TEMP folder. However, if the language and VM checks are detected, the table deletes itself and does not proceed to the JavaScript payload. This JavaScript file is also full of junk data, as shown in Figure 10 below.\r\nFigure 10 – JavaScript File (word_data.js) with Junk Data\r\nOnce again, we removed the junk data to analyze the JavaScript, which we can see contains obfuscated strings, shown in Figure 11.\r\nFigure 11 – Example JavaScript Function without Junk Data\r\nThe JavaScript file also contains a deobfuscation function, which is shown in Figure 12 below.\r\nFigure 12 – JavaScript Snippet Containing the XOR Function\r\nAnalyzing the XOR cipher function, ‘ben9qtdx4t’ is the key used to decrypt the strings in the JavaScript file (word_data.js). 
The obfuscation is carried out using a substitution cipher that goes from A through K, displayed in Table 2 below.\r\nTable 2 – Substitution Cipher\r\nKey A B C D E F G H I J K\r\nCode 0 1 2 3 4 5 6 7 8 9 ,\r\nFigure 13 – Deobfuscated Strings\r\nAfter replacing the obfuscated values with the deobfuscated strings, the JavaScript backdoor appears to have similar functionality to other backdoors reportedly used by FIN7.[9]\r\nFigure 14 – First Connection\r\nA connection is first made to ‘tnskvggujjqfcskwk[.]com’ (Figure 14) and, based on the response, a connection is then made to ‘bypassociation[.]com.’ This address is created by picking values from each array (Figure 15) at random.\r\nFigure 15 – Path and Arrays\r\nAfter connecting to the bypassociation[.]com address, the script checks for an active IP to retrieve the MAC address and DNSHostName (Figure 16), which are then submitted via a POST request to the bypassociation address.\r\nFigure 16 – eq5w0 = xgq86 + z897r8d, aka the MAC address and DNSHostName are appended to the data sent\r\nBased on the response, further JavaScript is executed, as shown in Figure 17.\r\nFigure 17 – JavaScript Execution\r\nAttribution\r\nTargeting of a POS provider aligns with previous FIN7 activity\r\nThe use of decoy doc files with VBA macros also aligns with previous FIN7 activity\r\nFIN7 have used JavaScript backdoors historically\r\nInfection stops after detecting Russian, Ukrainian, or several other Eastern European languages\r\nPassword protected document\r\nTool mark from JavaScript file \"group=doc700\u0026rt=0\u0026secret=7Gjuyf39Tut383w\u0026time=120000\u0026uid=\" follows similar pattern to previous FIN7 campaigns\r\nThe specified targeting 
of the Clearmind domain fits well with FIN7’s preferred modus operandi. Clearmind is a California-based provider of POS technology for the retail and hospitality sector, so a successful infection would allow the group to obtain payment card data and later sell the information on online marketplaces. The US Department of Justice calculates that as of 2018 FIN7 was responsible for stealing over 15 million card records from 6,500 POS terminals.[10]\r\nThe use of a JavaScript backdoor is also primarily associated with FIN7 and is a common feature within its campaigns.[11] It is worth noting that Carbanak has also been known to use JavaScript payloads but, as this targets retail and health POS systems, it aligns with FIN7 activity.\r\nWhile not providing solid attribution, the language check function and the table it scores against indicate a likely geographic location for the creator of this malicious doc file. It is accepted as an almost unofficial policy that cybercriminals based in the Commonwealth of Independent States (CIS) are generally left alone, provided they do not target interests or individuals within their respective borders; hence the VBA macro checks the target system language against a list including common CIS languages and terminates the infection if a match is found. 
The addition of Sorbian, a minority German Slavic language, Estonian, Slovenian and Slovak are unusual additions, as these would not be languages considered for exclusion but would be considered ‘fair game.’ It is worth noting that REvil ransomware also includes these languages in its exclusion tables, a group that is believed to work with FIN7.[12]\r\nConclusion\r\nFIN7 is one of the most notorious financially motivated groups due to the large amounts of sensitive data they have stolen through numerous techniques and attack surfaces. Things have been turbulent for the threat group over the past few years, as with success and notoriety comes the ever-watchful eye of the authorities. Despite high-profile arrests and sentencing, including of alleged higher-ranking members, the group continues to be as active as ever.[13] US prosecutors believe the group numbers around 70 individuals, meaning the group can likely accommodate these losses as other individuals will step in.[14] Targeting infrastructure appears to be a more successful method of stopping or delaying these actors.\r\nEndnotes\r\n[1] Kremez, Vitali. 2018. Let's Learn: In-Depth Review of FIN7 VBA Macro \u0026 Lightweight JavaScript Backdoor. November 28. Accessed August 18, 2021. https://www.vkremez.com/2018/11/in-depth-review-of-fin7-vba-macro.html.\r\n[2] ESentire. 2021. Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc. July 21. Accessed August 17, 2019. https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc.\r\n[3] Department of Justice. 2018. Three Members of Notorious International Cybercrime Group “Fin7” In Custody for Role in Attacking Over 100 U.S. companies. August 1. 
Accessed August 19, 2019. https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100.\r\n[4] Ibid; Department of Justice. 2021. High-level organizer of notorious hacking group FIN7 sentenced to ten years in prison for a scheme that compromised tens of millions of debit and credit cards. April 16. Accessed August 17, 2021. https://www.justice.gov/usao-wdwa/pr/high-level-organizer-notorious-hacking-group-fin7-sentenced-ten-years-prison-scheme.\r\n[5] Carr, Goody, Miller and Vengerik, On the Hunt.\r\n[6] ESentire, Notorious Cybercrime Gang.\r\n[7] Carr, Goody, Miller and Vengerik, On the Hunt.\r\n[8] Trend Micro. 2021. Carbanak and FIN7 Attack Techniques. April 20. Accessed August 17, 2021. https://www.trendmicro.com/en_gb/research/21/d/carbanak-and-fin7-attack-techniques.html.\r\n[9] SentinelOne. 2019. Deep Insight into “FIN7” Malware Chain: From Office Macro Malware to Lightweight JS Loader. October 3. Accessed August 19, 2021. https://labs.sentinelone.com/fin7-malware-chain-from-office-macro-malware-to-lightweight-js-loader/.\r\n[10] Department of Justice, Three Members.\r\n[11] Kaspersky. 2019. FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. May 8. Accessed August 17, 2021. https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/.\r\n[12] Counter Threat Unit Research Team. 2019. REvil/Sodinokibi Ransomware. September 24. Accessed August 24, 2021. https://www.secureworks.com/research/revil-sodinokibi-ransomware; Singleton, Camille, Christopher Kiefer, and Ole Villadsen. 2020. Ransomware 2020: Attack Trends Affecting Organizations Worldwide. September 28. Accessed August 24, 2021. 
https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/.\r\n[13] Department of Justice, High-level organizer.\r\n[14] Ibid.\r\nIoCs\r\nFilename Hash\r\nClients-Current_state-062021-0.doc dc7c07bac0ce9d431f51e2620da93398\r\nClients-Progress-072021-7.doc d17f58c6c9771e03342cdd33eb32e084\r\nClients-State-072021-4.doc ad4a6a0ddeacdf0fc74c3b45b57a1316\r\nCustomers-State-072021-3.doc de14cf1e58d288187680f5938e2250df\r\nUsers-Progress-072021-1.doc d60b6a8310373c9b84e6760c24185535\r\nUsers-Progress-072021-1.lnk 72149bbd364326618df00dc6b0e0b4c4\r\nword_data.bin/word_data.js 0d12e8754adacc645a981426e69b91ec\r\nword_data.bin/word_data.js 8f5302dafa90958117cbee992a0e09a9\r\nword_data.bin/word_data.js f4c77f40e325a420be4660370a97158c\r\nword_data.bin/word_data.js ce80bf89bbc800547039844d400ab27c\r\nword_data.bin/word_data.js 41c48b16a01f0322b4e851aa4e1c4e0e\r\nIP Address\r\n85.14.253.178\r\nDomains\r\ntnskvggujjqfcskwk[.]com\r\nhttps://bypassociation[.]com\r\nhttps://bypassociation[.]com/images/sync?type=name\r\nhttps://bypassociation[.]com/new?type=name\r\nhttps://bypassociation[.]com/pictures/hide?type=name\r\nhttps://bypassociation[.]com/pictures/show?type=name\r\nhttps://bypassociation[.]com/images/hide?type=name\r\nhttps://bypassociation[.]com/img/hide?type=name\r\nhttps://bypassociation[.]com/img/add?type=name\r\nhttps://bypassociation[.]com/images/add?type=name\r\nhttps://bypassociation[.]com/info/hide?type=name\r\nMITRE ATT\u0026CK\r\nTechnique ID Name\r\nExecution T1059.005 Command and Scripting Interpreter: Visual Basic\r\nT1059.007 Command and Scripting Interpreter: JavaScript\r\nT1204.002 User Execution: Malicious File\r\nT1047 Windows Management Instrumentation\r\nDefense Evasion T1140 
Deobfuscate/Decode Files or Information\r\nT1027 Obfuscated Files or Information\r\nT1497 Virtualization/Sandbox Evasion\r\nT1497.001 Virtualization/Sandbox Evasion: System Checks\r\nDiscovery T1087.002 Account Discovery: Domain Account\r\nAppendix\r\nScript for deobfuscating VBA:\r\ndef fin_decode(values, key):\r\n    # Each number taken from the hidden table has the matching key byte added to it;\r\n    # subtracting that key byte (the key repeats) recovers the original character.\r\n    key_ord = [ord(c) for c in key]\r\n    decoded = ''\r\n    for i, num in enumerate(values):\r\n        decoded += chr(num - key_ord[i % len(key)])\r\n    print(decoded)\r\n    return decoded\r\nScript for deobfuscating the JavaScript files:\r\ndef xor(data, key):\r\n    # Letters A-J stand for the digits 0-9 and K is the separator between numbers (Table 2)\r\n    table = {'A': '0', 'B': '1', 'C': '2', 'D': '3', 'E': '4', 'F': '5', 'G': '6', 'H': '7', 'I': '8', 'J': '9', 'K': ','}\r\n    digits = ''.join(table[d] for d in data)\r\n    numbers = [int(n) for n in digits.strip(',').split(',') if n]\r\n    key_ord = [ord(c) for c in key]\r\n    # Each number is XORed with the key byte at the same position (the key repeats)\r\n    decoded = ''\r\n    for i, n in enumerate(numbers):\r\n        decoded += chr(n ^ key_ord[i % len(key)])\r\n    print(decoded)\r\n    return decoded\r\nSource: https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor"
	],
	"report_names": [
		"cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433998,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e548515c941689792b648aa40da2d04993e57615.pdf",
		"text": "https://archive.orkl.eu/e548515c941689792b648aa40da2d04993e57615.txt",
		"img": "https://archive.orkl.eu/e548515c941689792b648aa40da2d04993e57615.jpg"
	}
}