Carbanak

Victims are typically lured through malicious advertising or SEO poisoning campaigns, believing they are downloading legitimate software such as Grammarly, Microsoft Teams, Notion, or Zoom.

FIN7 uses a range of custom and repurposed malware and tooling to support its operations. The group typically gains initial access through spearphishing emails containing malicious attachments or links hosted on compromised sites, often combined with callback phishing to increase credibility.

Many entries explicitly state malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell. | The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'

Since mid-2023, multiple threat actors have been observed abusing MSIX files to deliver various malware payloads... When victims open these MSIX packages...

APT3 has been known to create or enable accounts, such as support_388945a0 . ... APT5 has created Local Administrator accounts to maintain access ... DarkGate creates a local user account, SafeMode, via net user commands.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

A majority (95%) of samples of Carbanak obfuscate their internal data by hiding their network activity through code injection...

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.

Akira has used legitimate names and locations for files to evade defenses.

A majority (95%) of samples of Carbanak obfuscate their internal data by hiding their network activity through code injection...

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

Environmental awareness allows malware samples to detect the underlying runtime environment of the system it is trying to infect... search for differences between a virtualized and bare metal environment... about one in five (17%) samples of the Carbanak malware samples analyzed by Lastline tried to detect a virtual sandbox before executing.

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

Environmental awareness allows malware samples to detect the underlying runtime environment of the system it is trying to infect... search for differences between a virtualized and bare metal environment... about one in five (17%) samples of the Carbanak malware samples analyzed by Lastline tried to detect a virtual sandbox before executing.

GOLD KINGSWOOD is a cybercriminal group that uses tactics more commonly associated with government-sponsored threat actors to infiltrate the internal networks of financial institutions around the globe.

During the 2025 Poland Wiper Attacks, adversaries utilized RDP to log into jump hosts and then moved laterally to other victim devices to include a domain controller.

"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"

Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes.

Examples include: "ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header," "UPPERCUT has used HTTP for C2, including sending error codes in Cookie headers," and "GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2."

BS2005 uses Base64 encoding for communication in the message body of an HTTP request... Helminth encodes data with base64 and sends it via the "Cookie" field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values... RDAT can communicate with the C2 via base32-encoded subdomains.

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

This analytic story addresses the increasing trend of adversaries leveraging MSIX installers to deliver malware... multiple threat actors have been observed abusing MSIX files to deliver various malware payloads.

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.

4H RAT has the capability to create a remote shell. AuditCred can open a reverse shell on the system to execute commands. PlugX allows actors to spawn a reverse shell on a victim. QuasarRAT can launch a remote shell to execute commands on the victim’s machine.

"3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."

AppleSeed has divided files if the size is 0x1000000 bytes or more. APT28 has split archived exfiltration files into chunks smaller than 1MB. APT41 transfers post-exploitation files dividing the payload into fixed-size chunks to evade detection.

GOLD KINGSWOOD has also attempted to move funds using the SWIFT network and has attacked other financial systems such as credit card processing systems and payment gateways.