5 malware families

Carbanak

Also known asAnunakCarbanak

Carbanak is a financially motivated threat actor associated with targeting banks in Russia and Ukraine since early 2014. The content notes CTU researchers assess with moderate confidence that GOLD KINGSWOOD is associated with, and may be a progression of, the group referred to as Carbanak. The actor is also referred to as Anunak in the provided aliases and reporting. The content further distinguishes Carbanak from FIN7, noting they are sometimes associated but are tracked separately. Based on the provided content, Carbanak has used a VBScript named "ggldr" that leveraged Google Apps Script, Google Sheets, and Google Forms for command and control. The group has used legitimate remote access tools including AmmyyAdmin and TeamViewer for remote interactive C2, and has obtained and used open-source tools such as PsExec and Mimikatz. The content also states Carbanak malware has a plugin for VNC and the Ammyy Admin tool. Reported defense evasion and masquerading behavior includes naming malware "svchost.exe" to imitate the Windows shared service host process. ATT&CK-related behaviors explicitly associated with Carbanak in the content include use of remote access tools, scheduled tasks/jobs, Windows services, Rundll32, and disabling or modifying the system firewall. The content also references Carbanak as one of the closest groups with similar TTPs to a bank intrusion involving PowerShell-in-registry, Meterpreter, Mimikatz, SC, and NETSH, but does not directly attribute that intrusion to Carbanak.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Banks

Where they target

Geographies tied to known operations.

🇷🇺 Russia
🇺🇦 Ukraine

MITRE ATT&CK

Tradecraft

37 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics51 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

1 technique

T1588

Obtain Capabilities

T1588.002×4

Tool

TA0001

Initial Access

2 techniques

T1078×13

Valid Accounts

T1566

Phishing

T1566.001

Spearphishing Attachment

TA0002

Execution

2 techniques

T1047×2

Windows Management Instrumentation

T1059

Command and Scripting Interpreter

T1059.003

Windows Command Shell

T1059.006

Python

T1059.007

JavaScript

TA0003

Persistence

4 techniques

T1078×13

Valid Accounts

T1098×3

Account Manipulation

T1136

Create Account

T1136.001

Local Account

T1543

Create or Modify System Process

T1543.003×13

Windows Service

TA0004

Privilege Escalation

4 techniques

T1068

Exploitation for Privilege Escalation

T1078×13

Valid Accounts

T1098×3

Account Manipulation

T1543

Create or Modify System Process

T1543.003×13

Windows Service

TA0005

Stealth

5 techniques

T1027

Obfuscated Files or Information

T1036

Masquerading

T1036.003

Rename Legitimate Utilities

T1036.005×2

Match Legitimate Resource Name or Location

T1070

Indicator Removal

T1078×13

Valid Accounts

T1218

System Binary Proxy Execution

T1218.011×12

Rundll32

TA0006

Credential Access

3 techniques

T1003×4

OS Credential Dumping

T1110

Brute Force

T1621

Multi-Factor Authentication Request Generation

TA0007

Discovery

1 technique

T1046

Network Service Discovery

TA0008

Lateral Movement

2 techniques

T1021×2

Remote Services

T1021.002×3

SMB/Windows Admin Shares

T1021.003×2

Distributed Component Object Model

T1563

Remote Service Session Hijacking

T1563.002

RDP Hijacking

TA0009

Collection

1 technique

T1074

Data Staged

T1074.001

Local Data Staging

TA0011

Command and Control

6 techniques

T1071

Application Layer Protocol

T1071.004

DNS

T1090

Proxy

T1090.001

Internal Proxy

T1102

Web Service

T1102.002×2

Bidirectional Communication

T1219×11

Remote Access Tools

T1571

Non-Standard Port

T1572

Protocol Tunneling

TA0010

Exfiltration

1 technique

T1041

Exfiltration Over C2 Channel

TA0040

Impact

1 technique

T1657

Financial Theft

ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

CarbanakCarbanak has a plugin for VNC and Ammyy Admin Tool. Carbanak used legitimate programs such as AmmyyAdmin and Team Viewer for remote interactive C2 to target systems.2Apr 30, 2026

ImpacketThe following analytic detects the use of Impacket's wmiexec.py tool for lateral movement by identifying specific command-line parameters.2Mar 17, 2026

Brute Ratel C4This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities.1Mar 17, 2026

GRIFFON“They deployed their new Griffon JavaScript backdoor targeting restaurant chains.”1Mar 18, 2026

MimikatzAPT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.1May 26, 2026

IOCS

Observables

2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

2 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

splunk researchNews

Apr 13, 2026

Detection: Windows Azure PowerShell Module Installation Via PowerShell Script | Splunk Security Content

Listed as a threat actor associated with Azure Active Directory account takeover, persistence, privilege escalation, and related cloud-focused post-compromise activity detected via PowerShell module installation.

splunk researchNews

Apr 13, 2026

Detection: Windows Level RMM Watchdog Task Created | Splunk Security Content

Referenced as a threat actor associated with abuse of remote management tooling for persistence and command-and-control.

splunk researchNews

Apr 13, 2026

Detection: Windows Level RMM PowerShell Script Installer | Splunk Security Content

Referenced as a threat actor associated with the use of remote access tools under ATT&CK technique T1219.

splunk researchNews

Mar 27, 2026

Detection: Windows Rundll32 with Non-Standard File Extension | Splunk Security Content

Referenced as a threat actor associated with use of Rundll32 for defense evasion.

+107 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping37

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables2

Domains, IPs, and hashes tied to this actor, refreshed continuously.