Threat Actor Profile
High
APT
Description
RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). (Citation: ESET RTM Feb 2017)
Confidence Score
Known Aliases
RTM
Tags
mitre-attack
stix-2.1
intrusion-set
First Seen
Unknown
Last Updated
Unknown
Active Status
ActiveCreated
April 29, 2026
MITRE ATT&CK Techniques (7)
Indicators of Compromise
Loading IOCs…
IOC KQL for Sentinel
STIX Data
{'aliases': ['RTM'],
'created': '2017-05-31T21:32:10.206Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[RTM](https://attack.mitre.org/groups/G0048) is a '
'cybercriminal group that has been active since at least 2015 '
'and is primarily interested in users of remote banking '
'systems in Russia and neighboring countries. The group uses a '
'Trojan by the same name '
'([RTM](https://attack.mitre.org/software/S0148)). (Citation: '
'ESET RTM Feb 2017)',
'external_references': [{'external_id': 'G0048',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G0048'},
{'description': '(Citation: ESET RTM Feb 2017)',
'source_name': 'RTM'},
{'description': 'Faou, M. and Boutin, J. (2017, '
'February). Read The Manual: A Guide '
'to the RTM Banking Trojan. Retrieved '
'March 9, 2017.',
'source_name': 'ESET RTM Feb 2017',
'url': 'https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf'}],
'id': 'intrusion-set--c416b28c-103b-4df1-909e-78089a7e0e5f',
'modified': '2025-04-25T14:49:01.288Z',
'name': 'RTM',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Oleg Skulkin, Group-IB'],
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '1.1'}