Carbanak Malware
Published: 12/28/2025
Written by: Lizzie Danielson
What is Carbanak malware?
Carbanak is a sophisticated remote access backdoor and banking trojan designed primarily for financial theft on an enterprise scale. Initially based on the Carberp malware source code, it was purpose-built to infiltrate financial institutions, conduct prolonged reconnaissance, and execute large-scale fraudulent transactions, including direct manipulation of ATM networks and the SWIFT international funds transfer system. First publicly documented in 2015 by Kaspersky Lab, the Carbanak malware has been used by at least two distinct threat groups — the Carbanak Group (also tracked as Anunak) and FIN7 — though these are separate organizations that share the same tool, not a single group. Its long dwell times, operational patience, and deep familiarity with financial software make it one of the most consequential banking malware families ever documented.
When was Carbanak first discovered?
The Carbanak malware was first publicly disclosed in February 2015 by Kaspersky Lab researchers in a landmark report titled "The Great Bank Robbery." Financial losses from the campaigns exceeded an estimated $1 billion across more than 100 financial institutions in over 30 countries, making it one of the largest cybercrime operations ever publicly exposed at the time.
Who created Carbanak?
The Carbanak malware has been used by at least two distinct threat groups, and it is important not to conflate them:
- Carbanak Group (G0008): also tracked as Anunak and associated with the alias Carbon Spider. This is the group primarily responsible for the large-scale bank heists documented in the 2015 Kaspersky report. It targeted financial institutions directly, manipulating banking infrastructure to steal funds via ATMs and SWIFT transfers. In March 2018, Europol announced the arrest of a key alleged mastermind of the Carbanak/Cobalt group in Alicante, Spain — though operations continued after the arrest.
- FIN7 (G0046): also tracked as Carbanak Group by some vendors and as Sangria Tempest by Microsoft; it formerly operated a front company called Combi Security. FIN7 is a separate financially motivated group that also used the Carbanak backdoor but primarily targeted retail, restaurant, hospitality, and point-of-sale environments, not banks directly. In August 2018, the U.S. DOJ unsealed indictments and announced arrests of three senior FIN7 members.
The overlap in tooling caused widespread confusion in the industry. As Mandiant noted, the Carbanak backdoor has been used by multiple groups — attributing all Carbanak activity to a single actor is incorrect.
What does Carbanak target?
The Carbanak Group specifically targeted financial institutions — banks, ATM networks, money processing services, and financial accounts — across more than 30 countries including Russia, Ukraine, the United States, Germany, China, and Poland. FIN7's use of the same Carbanak tool extended targeting to retail, restaurant, hospitality, and point-of-sale environments across the United States. Combined, victims have spanned hundreds of organizations globally.
Carbanak distribution method
Carbanak is delivered through spear-phishing emails containing malicious attachments, often disguised as legitimate documents. These emails aim to lure employees into opening payloads that exploit vulnerabilities, granting attackers access to the organization’s network.
Technical analysis of Carbanak malware
Carbanak operates through several stages. It begins with phishing email delivery, followed by remote access tool (RAT) installation for persistence. Once inside, it enables lateral movement across the network, targeting critical financial systems. Carbanak employs sophisticated tactics to execute fraudulent transactions, including inputting remote ATM commands for cash withdrawals.
The attack lifecycle follows several distinct stages:
- Initial access via spear-phishing with malicious Office or .cpl attachments
- Persistence and reconnaissance — Carbanak installs itself and begins recording video footage of victim screens and keylogging activity, sending both to C2 servers to give attackers an understanding of how internal banking software is operated
- Lateral movement — using stolen credentials and tools such as the Ammyy Remote Administration Tool, attackers pivot through the bank's network to reach critical financial systems
- Financial fraud execution via three primary methods:
  - ATM jackpotting — remote commands instruct ATMs to dispense cash at preset times, with money mules waiting to collect
  - SWIFT manipulation — fraudulent international wire transfers through the SWIFT network to attacker-controlled accounts
  - Account balance inflation — Oracle database modifications to inflate account balances, which are then transferred out before the manipulation is detected
The entire dwell period from initial infection to cash-out typically spanned two to four months, with attackers studying victim operations before executing any fraudulent transactions.
Tactics, Techniques & Procedures (TTPs)
Per MITRE ATT&CK (Group G0008) and the Kaspersky/MITRE Carbanak+FIN7 evaluation:
- T1566.001 – Spearphishing Attachment (malicious .doc and .cpl files for initial access)
- T1059.003 – Command and Scripting Interpreter: Windows Command Shell
- T1053.005 – Scheduled Task/Job: Scheduled Task (persistence)
- T1078 – Valid Accounts (use of stolen credentials for lateral movement)
- T1056.001 – Input Capture: Keylogging (credential and operational intelligence harvesting)
- T1113 – Screen Capture (video recording of victim screens to learn banking workflows)
- T1021 – Remote Services (Ammyy RAT and SSH for lateral movement)
- T1041 – Exfiltration Over C2 Channel (video and keystroke data sent to C2)
- T1485 / Financial system abuse — direct manipulation of ATM dispensing systems, SWIFT transfers, and Oracle banking databases (no standard ATT&CK technique fully captures this; it is a defining characteristic of the Carbanak Group's operational approach)
Indicators of Compromise (IoCs)
The full, authoritative IoC set was published in the original Kaspersky Carbanak APT report (February 2015) and in subsequent Group-IB/Fox-IT Anunak reporting. Organizations should consult these primary sources for validated indicators.
Behavioral/artifact indicators to monitor:
- Presence of the Ammyy Remote Administration Tool on systems where it was not explicitly deployed
- Outbound video or large data streams to unknown C2 addresses from financial workstations
- Unusual database queries modifying account balances in Oracle banking systems
- ATM management software accessed from unexpected endpoints or accounts
- Scheduled tasks created with randomized or obfuscated names on bank employee workstations
How to know if you’re infected with Carbanak?
Systems compromised by Carbanak may exhibit unusual network activity, unexpected software installations, or unauthorized financial transactions. Unexplained video capture activity, large outbound data transfers from financial workstations, and unfamiliar scheduled tasks are also warning signs. For financial institutions specifically, anomalous ATM dispense commands, unexpected SWIFT transaction initiation, or unusual Oracle database activity involving account balances are highly specific indicators that Carbanak-style activity may be in progress.
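As an added example (not from the original article), the behavioral indicators listed above and the warning signs in the preceding paragraph expressed as detection logic run over constructed telemetry records. The event layout, hostnames, the authorized Ammyy host list, the approved-egress list and the 50 MiB threshold are all assumptions a defender would replace with their own environment data.

```python
import math
import re

# Assumed environment knowledge a defender maintains (constructed values, not from the article).
FINANCE_HOSTS = {"FIN-WS-01", "FIN-WS-02"}      # workstations running banking software
AMMYY_ALLOWED_HOSTS = {"HELPDESK-01"}            # where Ammyy Admin is legitimately deployed
KNOWN_EGRESS = {"203.0.113.10"}                  # approved external destinations (TEST-NET range)
BULK_BYTES = 50 * 1024 * 1024                    # treat >= 50 MiB out in one flow as "large"


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking task names score high, real words score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_random(name: str) -> bool:
    """Long alphanumeric token with no separators and high entropy, e.g. 'xk9Qv2Lp8mZt'."""
    return bool(re.fullmatch(r"[A-Za-z0-9]{10,}", name)) and shannon_entropy(name) > 3.2


def detect(events):
    """Return (rule, host, detail) for each event matching one of the indicators."""
    alerts = []
    for e in events:
        host = e["host"]
        if e["type"] == "process" and "ammyy" in e["image"].lower() and host not in AMMYY_ALLOWED_HOSTS:
            alerts.append(("unauthorized_remote_admin_tool", host, e["image"]))
        elif e["type"] == "task_created" and looks_random(e["task"]):
            alerts.append(("suspicious_scheduled_task", host, e["task"]))
        elif (e["type"] == "netflow" and host in FINANCE_HOSTS
              and e["dst"] not in KNOWN_EGRESS and e["bytes_out"] >= BULK_BYTES):
            alerts.append(("bulk_egress_from_finance_host", host, f"{e['dst']} {e['bytes_out']} bytes"))
    return alerts


# Constructed sample telemetry: three records should alert, three are benign.
SAMPLE_EVENTS = [
    {"type": "process", "host": "FIN-WS-01", "image": r"C:\Users\Public\ammyy_admin.exe"},   # not authorized here
    {"type": "process", "host": "HELPDESK-01", "image": r"C:\Tools\Ammyy\ammyy_admin.exe"},  # sanctioned deployment
    {"type": "task_created", "host": "FIN-WS-02", "task": "xk9Qv2Lp8mZt"},                   # randomized task name
    {"type": "task_created", "host": "FIN-WS-02", "task": "Adobe Acrobat Update Task"},      # ordinary task name
    {"type": "netflow", "host": "FIN-WS-01", "dst": "198.51.100.7", "bytes_out": 180 * 1024 * 1024},  # unknown dst
    {"type": "netflow", "host": "FIN-WS-01", "dst": "203.0.113.10", "bytes_out": 180 * 1024 * 1024},  # approved dst
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {host:12} {detail}")
```

Feeding real EDR process, scheduled-task and flow telemetry through the same three checks gives a first-pass triage list; the task-name heuristic in particular will need tuning against each environment's baseline.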
Carbanak removal instructions
Removing Carbanak requires a comprehensive approach given its long dwell times and deep lateral movement. Begin by isolating affected systems to prevent further compromise. Use Huntress-provided endpoint detection and response (EDR) tools to identify and neutralize the malware. Critical steps include patching vulnerabilities, revoking stolen credentials, and rebuilding infected systems. Assume attackers have had extended access and have mapped the full internal banking environment.
Is Carbanak still active?
The original Carbanak Group's operations were significantly disrupted following the March 2018 Europol arrest in Spain, though activity continued afterward. FIN7 — which also used the Carbanak backdoor — continued active operations well beyond those arrests; after 2020 FIN7 shifted toward big game hunting ransomware operations, including use of REvil and later DarkSide ransomware. The Carbanak backdoor's source code was found on VirusTotal, meaning variants remain available to other threat actors. While the original large-scale bank-heist campaigns of 2013–2018 are not actively ongoing at the same scale, the techniques and tooling remain relevant, particularly for financial sector defenders.
Mitigation & prevention strategies
Protect against Carbanak by implementing robust multi-factor authentication (MFA), regularly patching vulnerabilities, and educating employees about phishing tactics. Utilize 24/7 network monitoring services like Huntress to detect advanced threats and mitigate risks. Additionally, ensure your organization employs endpoint protection tools to reduce vulnerabilities.
Carbanak Malware FAQs
Carbanak is a remote access backdoor and banking trojan used by cybercriminals to steal funds from financial institutions. It infiltrates bank networks via spear-phishing, conducts months-long reconnaissance by recording screens and keylogging, then executes fraudulent transactions through ATM networks, SWIFT wire transfers, and direct database manipulation, not by exploiting vulnerabilities in those systems but by impersonating legitimate internal operators.
Carbanak typically spreads through spear-phishing emails containing malicious attachments or links. Once a user interacts with the payload, the malware exploits vulnerabilities to gain network access and maintain persistence.
The original large-scale Carbanak Group campaigns were significantly disrupted by the 2018 Europol arrest, and FIN7, which also used Carbanak, has since shifted toward ransomware operations. However, the Carbanak source code is publicly available, meaning the tool or its derivatives can be used by other actors. Financial institutions should still treat Carbanak-style techniques as a relevant threat model.
Organizations can safeguard against Carbanak by deploying MFA, conducting employee training on phishing threats, maintaining endpoint protection tools, monitoring for anomalous remote administration tool installations and unusual database activity, and engaging in constant vulnerability management with services like Huntress.