{ "id": "d464d376-1166-4b5b-b63f-4fecc2555279", "created_at": "2026-04-06T00:06:59.826324Z", "updated_at": "2026-04-10T13:12:49.570275Z", "deleted_at": null, "sha1_hash": "fc8cc0b432e672aec8ac601b12375f6d0a798046", "title": "Anubis Backdoor - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45590, "plain_text": "Anubis Backdoor - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 17:45:08 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Anubis Backdoor\r\n Tool: Anubis Backdoor\r\nNames Anubis Backdoor\r\nCategory Malware\r\nType Backdoor\r\nDescription\r\n(The Hacker News) The financially motivated threat actor known as FIN7 has been linked to a\r\nPython-based backdoor called Anubis (not to be confused with an Android banking trojan of\r\nthe same name) that can grant them remote access to compromised Windows systems.\r\n'This malware allows attackers to execute remote shell commands and other system\r\noperations, giving them full control over an infected machine,' Swiss cybersecurity company\r\nPRODAFT said in a technical report of the malware.\r\nInformation \u003chttps://thehackernews.com/2025/04/fin7-deploys-anubis-backdoor-to-hijack.html\u003e\r\nLast change to this tool card: 21 April 2025\r\nDownload this tool card in JSON format\r\nAll groups using tool Anubis Backdoor\r\nChanged Name Country Observed\r\nAPT groups\r\n  FIN7 2013-Jul 2024\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8283dd8a-538a-463b-89b2-528f6885a386\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8283dd8a-538a-463b-89b2-528f6885a386\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8283dd8a-538a-463b-89b2-528f6885a386" ], "report_names": [ "listgroups.cgi?u=8283dd8a-538a-463b-89b2-528f6885a386" ], "threat_actors": [ { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434019, "ts_updated_at": 1775826769, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/fc8cc0b432e672aec8ac601b12375f6d0a798046.pdf", "text": "https://archive.orkl.eu/fc8cc0b432e672aec8ac601b12375f6d0a798046.txt", "img": "https://archive.orkl.eu/fc8cc0b432e672aec8ac601b12375f6d0a798046.jpg" } }