Carberp is a Windows banking trojan associated with Russian-speaking cybercriminal activity and historically used in online banking fraud. It became one of the better-known financial malware families of the early 2010s and was notable both for its modular design and for the later leak of its source code, which influenced subsequent criminal tooling. Carberp has also been referenced in law-enforcement reporting on selective Russian cybercrime enforcement, including arrests tied to the Carberp gangs in 2012.
Carberp is designed to steal sensitive account data and credentials from infected systems. Its credential-theft functionality includes a plugin commonly referred to as passw.plug, which can collect account information from instant messaging, email, social media, FTP, VNC, and VPN clients, as well as passwords stored in major web browsers including Opera, Internet Explorer, Safari, Firefox, and Chrome. The malware has also been observed exfiltrating stolen data over HTTP to command-and-control infrastructure.
The malware includes multiple defense-evasion and anti-analysis features. It has queried the Windows Registry to identify installed antivirus products and inspected Image File Execution Options debugger settings, behavior consistent with security-software discovery and anti-analysis checks. Carberp has attempted to disable security software by creating suspended processes associated with security products, injecting code, and deleting antivirus core files when execution resumes. It has also removed hooks before installing its trojan or bootkit components to evade sandboxing and other analysis environments.
For persistence, Carberp has created hidden artifacts in the current user’s Startup folder. Leaked source code also showed use of DLL hijacking to bypass User Account Control through abuse of a trusted Windows executable. Separately, a Carberp variant used by Sofacy was observed in targeted attacks leveraging a Microsoft Office registry-based persistence mechanism that caused Office applications to load a malicious DLL at startup.
Carberp’s influence extended beyond its own operations. The Carbanak backdoor was built in part on leaked Carberp code, illustrating the family’s downstream impact on later financially motivated intrusion sets targeting banks and payment systems. Carberp is therefore significant both as a banking trojan in its own right and as a code lineage that contributed to later criminal malware development.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.
Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.
Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.
Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
We checked our WildFire data and found only a handful of samples using this registry key for persistence, all of which were used to load the Carberp variant of Sofacy.
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Carberp 'creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.'
Numerous malware families and threat groups are described as achieving persistence by adding values under Run/RunOnce/Policies\Explorer\Run Registry keys or by placing shortcuts/files in the Windows Startup folder.
The source code shows the malware bypassing User Account Control (UAC) via a DLL hijack of sysprep.exe... it was found to be vulnerable to a DLL hijacking attack and would load a maliciously planted DLL (named cryptbase.dll) into its elevated process context.
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Akira has used legitimate names and locations for files to evade defenses.
Carberp 'creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.'
Carberp 'inject[ed] code to delete antivirus core files when the process is resumed.'
Agent Tesla has created hidden folders. AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings. APT28 has saved files with hidden file attributes. FIN13 has created hidden files and folders within a compromised Linux system /tmp directory and also used attrib.exe to hide gathered local host information.
"malicious capabilities which include self-spreading through USB and network shares, TOR network access, screen captures and web injects"
Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles... APT33 has used a variety of publicly available tools like LaZagne to gather credentials... Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.
The content repeatedly describes malware and threat actors querying, enumerating, opening, and reading Windows Registry keys and values, e.g., "APT41 queried registry values to determine items such as configured RDP ports and network configurations" and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content is a long ATT&CK-style listing of malware and threat actors that collect host details such as OS version, hostname, architecture, CPU, memory, BIOS, language, and other basic system characteristics; examples include use of commands like systeminfo, ver, uname, sw_vers, and WMI queries.
The Spamhaus Botnet C&C (BGPCC) is designed to protect networks and their users from botnet traffic. It can be used to block traffic from/to servers on the internet that are operated by cybercriminals and used to control infected computers (bots) or exfiltrate data.
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.
Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.
57 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Banking trojan referenced historically as part of prior Russian cybercrime enforcement actions.
A banking trojan whose leaked code was used in part to build Carbanak.
Referenced as a heavyweight commodity malware family from the period of frequent public reverse-engineering reports.
Software changes: ... Carberp
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.