Threat Actor Profile
High APT
Description

Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013. Carbanak may be linked to groups tracked separately as Cobalt Group and FIN7 that have also used Carbanak malware.(Citation: Kaspersky Carbanak)(Citation: FireEye FIN7 April 2017)(Citation: Europol Cobalt Mar 2018)(Citation: Secureworks GOLD NIAGARA Threat Profile)(Citation: Secureworks GOLD KINGSWOOD Threat Profile)

Confidence Score: 90%
Known Aliases: Carbanak, Anunak
Tags: mitre-attack, stix-2.1, intrusion-set
First Seen: Unknown
Last Updated: Unknown
Active Status: Active
Created: April 29, 2026

MITRE ATT&CK Techniques (9)
T1102.002 - Bidirectional Communication (Command and Control)
T1219 - Remote Access Tools (Command and Control)
T1036.004 - Masquerade Task or Service (Defense Evasion)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1218.011 - Rundll32 (Defense Evasion)
T1562.004 - Disable or Modify System Firewall (Defense Evasion)
T1543.003 - Windows Service (Persistence)
T1588.002 - Tool (Resource Development)
STIX Data
{'aliases': ['Carbanak', 'Anunak'],
 'created': '2017-05-31T21:31:49.021Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Carbanak](https://attack.mitre.org/groups/G0008) is a '
                'cybercriminal group that has used '
                '[Carbanak](https://attack.mitre.org/software/S0030) malware '
                'to target financial institutions since at least 2013. '
                '[Carbanak](https://attack.mitre.org/groups/G0008) may be '
                'linked to groups tracked separately as [Cobalt '
                'Group](https://attack.mitre.org/groups/G0080) and '
                '[FIN7](https://attack.mitre.org/groups/G0046) that have also '
                'used [Carbanak](https://attack.mitre.org/software/S0030) '
                'malware.(Citation: Kaspersky Carbanak)(Citation: FireEye FIN7 '
                'April 2017)(Citation: Europol Cobalt Mar 2018)(Citation: '
                'Secureworks GOLD NIAGARA Threat Profile)(Citation: '
                'Secureworks GOLD KINGSWOOD Threat Profile)',
 'external_references': [{'external_id': 'G0008',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0008'},
                         {'description': '(Citation: Kaspersky Carbanak) '
                                         '(Citation: Fox-It Anunak Feb 2015)',
                          'source_name': 'Carbanak'},
                         {'description': '(Citation: Fox-It Anunak Feb 2015)',
                          'source_name': 'Anunak'},
                         {'description': "Kaspersky Lab's Global Research and "
                                         'Analysis Team. (2015, February). '
                                         'CARBANAK APT THE GREAT BANK ROBBERY. '
                                         'Retrieved August 23, 2018.',
                          'source_name': 'Kaspersky Carbanak',
                          'url': 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf'},
                         {'description': 'Carr, N., et al. (2017, April 24). '
                                         'FIN7 Evolution and the Phishing LNK. '
                                         'Retrieved April 24, 2017.',
                          'source_name': 'FireEye FIN7 April 2017',
                          'url': 'https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html'},
                         {'description': 'Europol. (2018, March 26). '
                                         'Mastermind Behind EUR 1 Billion '
                                         'Cyber Bank Robbery Arrested in '
                                         'Spain. Retrieved October 10, 2018.',
                          'source_name': 'Europol Cobalt Mar 2018',
                          'url': 'https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain'},
                         {'description': 'CTU. (n.d.). GOLD NIAGARA. Retrieved '
                                         'September 21, 2021.',
                          'source_name': 'Secureworks GOLD NIAGARA Threat '
                                         'Profile',
                          'url': 'https://www.secureworks.com/research/threat-profiles/gold-niagara'},
                         {'description': 'Secureworks. (n.d.). GOLD KINGSWOOD. '
                                         'Retrieved October 18, 2021.',
                          'source_name': 'Secureworks GOLD KINGSWOOD Threat '
                                         'Profile',
                          'url': 'https://www.secureworks.com/research/threat-profiles/gold-kingswood?filter=item-financial-gain'},
                         {'description': 'Prins, R. (2015, February 16). '
                                         'Anunak (aka Carbanak) Update. '
                                         'Retrieved January 20, 2017.',
                          'source_name': 'Fox-It Anunak Feb 2015',
                          'url': 'https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/'}],
 'id': 'intrusion-set--55033a4d-3ffe-46b2-99b4-2c1541e9ce1c',
 'modified': '2025-04-25T14:49:30.378Z',
 'name': 'Carbanak',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Anastasios Pingios'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '2.0'}