Carbanak
What is Carbanak?
A financially motivated APT and malware family active since at least 2013 that targeted banks, payment processors and hospitality, estimated to have stolen around 1 billion USD.
Carbanak, also tracked as FIN7 in some clusters and Anunak in earlier reports, is a financially motivated cybercrime group and the name of its primary backdoor. Active since at least 2013, it targeted banks, payment processors, hospitality and retail across more than 30 countries. Initial access typically came via spear phishing with weaponized Word or LNK files, after which operators deployed the Carbanak backdoor, used Cobalt Strike, recorded staff screens and abused SWIFT, ATM and payment-card systems. Kaspersky estimated direct losses at around 1 billion USD by 2016. Spanish authorities arrested a key leader in 2018, but spin-offs persisted, particularly the FIN7 cluster.
● Examples
- 01
Operators study a bank's internal procedures for weeks, then trigger fraudulent SWIFT transfers and ATM cash-outs in coordinated runs.
- 02
A retailer detects Carbanak-style spear phishing of finance staff and blocks LNK and macro-laden attachments at the gateway.
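The gateway control in example 02, sketched as an added Python example (not code from this glossary or from any gateway product): it flags LNK files and macro-bearing Office documents by content as well as by name, including inside ZIP archives. The function names, nesting limit and size cap are assumptions, and the `_VBA_PROJECT` byte search is a heuristic for legacy OLE2 files rather than a full parser.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # legacy .doc/.xls container
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # VBA stream name (heuristic)
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")
MAX_DEPTH, MAX_MEMBER = 3, 20 * 1024 * 1024  # assumed nesting and size limits


def inspect_attachment(name, data, depth=0):
    """Return reasons to block this attachment; an empty list means deliver."""
    reasons = []
    lower = name.lower()
    if data.startswith(LNK_MAGIC) or lower.endswith(".lnk"):
        reasons.append(f"{name}: Windows shortcut (LNK)")
    if lower.endswith(MACRO_EXTS):
        reasons.append(f"{name}: macro-enabled Office extension")
    if data.startswith(OLE2_MAGIC) and VBA_MARKER in data:
        reasons.append(f"{name}: legacy Office file with VBA project")
    if zipfile.is_zipfile(io.BytesIO(data)):
        reasons += _inspect_zip(name, data, depth)
    return reasons


def _inspect_zip(name, data, depth):
    """Look inside ZIP archives and OOXML documents (which are ZIP files)."""
    if depth >= MAX_DEPTH:
        return [f"{name}: archive nested too deeply to inspect"]
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = f"{name}!{info.filename}"
                if info.filename.lower().endswith("vbaproject.bin"):
                    reasons.append(f"{inner}: VBA project in OOXML document")
                elif info.file_size > MAX_MEMBER:
                    reasons.append(f"{inner}: too large to inspect")
                elif not info.is_dir():
                    reasons += inspect_attachment(inner, zf.read(info), depth + 1)
    except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
        # Encrypted or malformed archives cannot be inspected: fail closed.
        reasons.append(f"{name}: archive could not be inspected")
    return reasons


if __name__ == "__main__":  # constructed sample: LNK header bytes only
    print(inspect_attachment("invoice.pdf.lnk", LNK_MAGIC + bytes(56)))
```

Checking content rather than only the file name catches a shortcut renamed to `.txt` and a macro project hidden in a `.docx`; archives that cannot be opened are blocked rather than delivered.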
● Frequently asked questions
What is Carbanak?
A financially motivated APT and malware family active since at least 2013 that targeted banks, payment processors and hospitality, estimated to have stolen around 1 billion USD. It belongs to the Malware category of cybersecurity.
How do you defend against Carbanak?
Defences against Carbanak typically combine technical controls and operational practices; the examples above show one such control, blocking LNK and macro-laden attachments at the gateway.
What are other names for Carbanak?
Common alternative names include: Anunak, FIN7, Carbanak APT.
● Related terms
- attacks № 017
Advanced Persistent Threat (APT)
A stealthy, well-resourced threat actor — typically state-sponsored — that gains long-term, undetected access to a target network to steal data or pre-position for disruption.
- attacks № 1073
Spear Phishing
A targeted phishing attack tailored to a specific individual or organization using personal or professional details collected in advance.
- malware № 084
Banking Trojan
Malware designed to steal online-banking credentials and authorize fraudulent transactions, typically through web injects, form grabbing, or overlays.
- defense-ops № 193
Cobalt Strike
A commercial adversary-simulation platform widely used for red-team operations and frequently abused by threat actors for post-exploitation and command-and-control.