Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
10 malware families

Carbanak

Also known asAnunakCarbanak

Carbanak is a financially motivated threat actor and associated malware cluster also referred to as Anunak, and is linked in the content to Cobalt Group and to assessments that GOLD KINGSWOOD may be associated with or a progression of Carbanak. The group has targeted banks, including banks in Russia and Ukraine since early 2014, and broader financial institutions, including payment systems. The content notes Carbanak historically targeted payment systems on weekends. Observed tradecraft in the content includes phishing for initial access followed by living-off-the-land activity; use of Rundll32 to execute code embedded in DLLs; abuse of ProcDump to dump LSASS memory; internal spread via RDP and SMB; installation as a Windows service for persistence and SYSTEM privileges; use of scheduled tasks; use of remote access tools and legitimate remote administration software including AmmyyAdmin and TeamViewer for interactive command and control; use of open-source tools such as PsExec and Mimikatz; and use of netsh-related firewall or network configuration modification. The content also states Carbanak named malware svchost.exe to masquerade as the Windows shared service host process. For command and control, the content states Carbanak used a VBScript named ggldr that relied on Google Apps Script, Google Sheets, and Google Forms services. The malware is also described as having a plugin for VNC and the Ammyy Admin tool. The content repeatedly associates Carbanak with ATT&CK techniques including T1543.003 Windows Service, T1219 Remote Access Tools, T1218.011 Rundll32, T1562.004 Disable or Modify System Firewall, and T1053 Scheduled Task/Job.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

46 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics65 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1588
Obtain Capabilities
T1588.002×3
Tool
TA0001
Initial Access
3 techniques
T1078×9
Valid Accounts
T1190
Exploit Public-Facing Application
T1566
Phishing
T1566.001×2
Spearphishing Attachment
TA0002
Execution
3 techniques
T1047×2
Windows Management Instrumentation
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1059
Command and Scripting Interpreter
T1059.001
PowerShell
T1059.003×2
Windows Command Shell
T1059.005
Visual Basic
T1059.006
Python
T1059.007×2
JavaScript
TA0003
Persistence
4 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1078×9
Valid Accounts
T1098×2
Account Manipulation
T1543
Create or Modify System Process
T1543.003×11
Windows Service
TA0004
Privilege Escalation
4 techniques
T1053
Scheduled Task/Job
T1053.005
Scheduled Task
T1078×9
Valid Accounts
T1098×2
Account Manipulation
T1543
Create or Modify System Process
T1543.003×11
Windows Service
TA0005
Stealth
7 techniques
T1027×2
Obfuscated Files or Information
T1036×2
Masquerading
T1036.003
Rename Legitimate Utilities
T1036.005
Match Legitimate Resource Name or Location
T1070
Indicator Removal
T1078×9
Valid Accounts
T1218
System Binary Proxy Execution
T1218.010
Regsvr32
T1218.011×11
Rundll32
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
T1622
Debugger Evasion
TA0006
Credential Access
2 techniques
T1003×4
OS Credential Dumping
T1555
Credentials from Password Stores
TA0007
Discovery
5 techniques
T1046
Network Service Discovery
T1057
Process Discovery
T1082
System Information Discovery
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
T1622
Debugger Evasion
TA0008
Lateral Movement
1 technique
T1021×3
Remote Services
T1021.002×2
SMB/Windows Admin Shares
T1021.003×2
Distributed Component Object Model
TA0009
Collection
2 techniques
T1074
Data Staged
T1074.001
Local Data Staging
T1113
Screen Capture
TA0011
Command and Control
5 techniques
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1071.004
DNS
T1090
Proxy
T1090.001
Internal Proxy
T1102
Web Service
T1102.002×2
Bidirectional Communication
T1105
Ingress Tool Transfer
T1219×9
Remote Access Tools
TA0010
Exfiltration
1 technique
T1041
Exfiltration Over C2 Channel
TA0040
Impact
2 techniques
T1489
Service Stop
T1657
Financial Theft
ARSENAL

Associated malware families

10 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
CarbanakCarbanak has a plugin for VNC and Ammyy Admin Tool. Carbanak used legitimate programs such as AmmyyAdmin and Team Viewer for remote interactive C2 to target systems.2Apr 30, 2026
GRIFFONDuring our analysis of JSSLoader, it additionally loaded a Griffon payload which is historically associated with another actor, TA3546, also known as FIN7 or Carbanak.2Jun 14, 2026
ImpacketThe following analytic detects the use of Impacket's wmiexec.py tool for lateral movement by identifying specific command-line parameters.2Mar 17, 2026
MimikatzFIN7 and Carbanak abused ProcDump to dump LSASS memory ▸ PowerShell Mimikatz scripts also widely used2Jun 25, 2026
BateleurProofpoint researchers have uncovered that the threat actor commonly referred to as FIN7 has added a new JScript backdoor called Bateleur... starting in early June, we observed this threat actor using macro documents to drop a previously undocumented JScript backdoor, which we have named “Bateleur”.1Jun 14, 2026

5 additional families tracked in Mallory.

IOCS

Observables

15 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

15 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
May 18, 2026
Detection: Windows Cloud Files Filter Loaded by Uncommon Process | Splunk Security Content

Listed as an associated threat actor for exploitation activity related to abuse of the Windows Cloud Files API / cldapi.dll detection.

Read more
splunk researchNews
Apr 27, 2026
Detection: Windows MsMpEng Writing to System32 | Splunk Security Content

Listed in the detection annotations as a threat actor associated with exploitation for privilege escalation and Windows service persistence/installation.

Read more
splunk researchNews
Apr 27, 2026
Detection: Windows Admin Password Changed by Non-Admin | Splunk Security Content

Listed as a threat actor associated with exploitation and privilege-escalation detection coverage for Windows admin password changes by non-admin users.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Level RMM Watchdog Task Created | Splunk Security Content

Referenced as a threat actor associated with abuse of remote management tooling for persistence and command-and-control.

Read more
+113 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping46

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal10

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables15

Domains, IPs, and hashes tied to this actor, refreshed continuously.