Skip to main content

Home Carbanak


Also known as: Anunak, Sekur RAT

Category: Malware

Type: Remote access trojan (RAT), banking trojan, spyware, backdoor, keylogger

Platform: Windows

Variants: (none found)

Damage potential: Stolen financial information, financial loss, stolen data (including credentials and proprietary files), malicious code injection, keylogging, traffic monitoring, opening backdoors for other malware (like ransomware), screen and video capture


Carbanak is a backdoor malware that was originally associated with the eponymous Carbanak gang, although in recent years it had been adopted by other hacker groups (like FIN7). Carbanak is primarily used to spy on the victim’s workflow, allowing attackers to use the knowledge obtained to stealthily manipulate financial records. It has historically targeted financial institutions in Russia and Ukraine, with disputed evidence suggesting that it may also have been used against banks in the US, Germany, and China.

Possible symptoms

Carbanak relies on the victim remaining unaware of the infection for as long as possible — as such, the compromised system will display little to no obvious signs that something is wrong.

Possible indicators of a Carbanak infection include:

  • Your device frequently freezes or stutters.
  • You realize you’ve been redirected to a fake website after clicking a legitimate link.
  • Other malware appears on your device without a known cause.
  • Your device’s fan seems to be constantly on, even when the device is idle.
  • Your device periodically sends data to unknown remote servers (Carbanak is uploading device information to its handlers).
  • You notice that money has been sent to strangers from your account (or other accounts that you manage within a financial institution).

Sources of the infection

Originally, Carbanak spread through spear phishing emails, with attackers masquerading as friends or colleagues of the victim to trick them into downloading infected attachments. More recently, hackers have also started camouflaging Carbanak as business-related software (including HubSpot, Veeam, and Xero) hosted on compromised websites. Once the malware has been deployed, the attackers will scout the network and use lateral movement to reach critical payment-processing services.

Your device may also get infected with Carbanak from:

  • Infected files shared through messaging platforms.
  • Infected files downloaded from cloud storage or online repositories.
  • Other viruses that drop Carbanak as part of their operations.
  • Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
  • Peer-to-peer (P2P) sharing of infected files.
  • Infected external devices, such as hard drives or USB sticks.


Protecting yourself and your organization from Carbanak requires that you follow good cybersecurity practices. Never blindly trust email messages with attachments, even if they seem to come from reputable sources — unlike mass phishing campaigns, Carbanak attacks use convincing messages crafted after hackers study your organization. If in doubt, verify with the person responsible. In a similar vein, do not download software from untrustworthy websites (or websites that have not been vetted by your IT department.)

Other protective measures include:

  • Use email scanning tools to identify and automatically block messages with suspicious attachments.
  • Use reliable antivirus software to detect, quarantine, and eliminate a Carbanak infection
  • Use multi-factor authentication to protect your accounts in the event that someone steals your password using Carbanak.
  • Avoid potentially dangerous websites like dark web pages, torrent repositories, or illegal download hubs. In certain situations, these websites may even attempt to download malware (including Carbanak) to your device automatically by exploiting vulnerabilities.
  • Use NordVPN’s Threat Protection to scan programs and files for malware while they’re being downloaded. Threat Protection will also alert you if you’re about to enter a known infected website to prevent drive-by download attacks.


To remove Carbanak, use a reputable antivirus solution. Carbanak frequently deploys persistence mechanisms that may be left intact after manual removal, prompting the malware to reinstall itself after a reboot.