>samit_hota
Back to adversary profiles
G0036MediumDormant

GCMAN: A Profile of Financially Motivated Bank Robbers

Samit Hota·
Suspected Origin
Suspected Russia
Motivation
Financial Gain
Aliases
None documented
Target Sectors
Financial
Associated Malware
GCMAN (GCC-compiled), Meterpreter
#threat-actor#g0036

Overview

GCMAN (MITRE ATT&CK ID: G0036) is a financially motivated threat group that primarily focuses on infiltrating banking institutions to siphon funds into e-currency services. First identified in 2016, the group demonstrated a methodical approach, leveraging advanced persistent threat (APT) techniques alongside commercially available penetration testing tools to achieve their objectives. While their activities were notably documented around 2016-2017, the group’s methodologies provide valuable insights into sophisticated financial cybercrime operations. The initial observation of GCMAN’s techniques showed similarities to other prominent banking threat actors like Corkow and Metel Group. Analysis of their custom malware indicated a suspected origin in Russia.

Tactics & Techniques

GCMAN’s operational methodology is characterized by a blend of social engineering for initial access and the abuse of legitimate system tools for persistent control and exfiltration. Their attacks typically commence with highly targeted spear-phishing campaigns. These emails are crafted to lure recipients within financial institutions into opening malicious RAR archives. Instead of a benign document, opening these archives executes a nefarious payload, initiating the infection chain.

Once a foothold is established within the target network, GCMAN exhibits a clear understanding of network environments and uses common administrative and penetration testing tools for lateral movement. Tools such as PuTTY, VNC, and Meterpreter have been observed in their operations, enabling them to navigate through compromised systems and elevate privileges discreetly. This reliance on legitimate tools, often referred to as “living off the land,” allows them to blend in with normal network traffic, making detection more challenging.

A key procedural aspect of GCMAN’s attacks involves establishing automated fund transfer mechanisms. They are known to plant cron scripts on compromised bank servers. These scripts are meticulously designed to generate and execute financial transactions at an alarming rate, reportedly transferring $200 per minute. Crucially, these scripts are configured to post transactions directly to upstream payment processing systems, effectively bypassing internal bank reporting and detection systems. This direct integration into the transaction flow allows for rapid and stealthy exfiltration of funds to e-currency services. The use of the GCC compiler for their malware was also noted as an unusual characteristic, setting them apart from many other financially motivated groups.

Notable Campaigns

While specific named “campaigns” for GCMAN are not extensively publicized beyond their general modus operandi, their activities came into prominence through detailed analyses by security researchers, notably Kaspersky Lab’s Global Research & Analysis Team in early 2016. These reports highlighted the group’s emergence as a significant threat to financial institutions, detailing their sophisticated attack methodology, malware, and tools. Their attacks demonstrated a concerted effort to infiltrate banking systems with the specific intent of automated money theft, distinguishing them through their efficiency and direct approach to fund exfiltration.

Associated Malware & Tools

GCMAN employs a targeted toolkit comprising both custom-developed malware and readily available legitimate software, maximizing their operational flexibility and minimizing their footprint.

Their custom malware, often simply referred to as “GCMAN” or detected by Kaspersky as Backdoor.Win32.GCMan, Backdoor.Win64.GCMan, and Trojan-Downloader.Win32.GCMan, is central to their operations. This malware is characterized by its compilation using the GCC compiler, a less common choice among cybercriminals, which may have contributed to its initial evasion capabilities. This bespoke component serves as the backbone for their persistence and command-and-control capabilities within compromised networks.

Beyond their custom implants, GCMAN heavily leverages legitimate penetration testing and administrative tools to achieve their objectives:

  • PuTTY: Used for secure remote access via SSH, facilitating lateral movement and command execution within victim networks.
  • VNC (Virtual Network Computing): Deployed for remote desktop control, allowing attackers to interact with compromised systems as if they were physically present, which is crucial for reconnaissance and hands-on-keyboard operations.
  • Meterpreter: A versatile payload within the Metasploit Framework, providing a comprehensive set of capabilities for post-exploitation, including privilege escalation, data exfiltration, and further compromise of systems.

The initial infection vector typically involves malicious RAR archives, delivering the initial executable payload.

Current Status

Based on available reporting, GCMAN’s observable activity largely ceased around 2017. This suggests the group may have become dormant or disbanded following increased public exposure and defensive measures implemented by financial institutions. However, it’s critical for security professionals to understand that “dormant” does not equate to “irrelevant.” Threat groups can re-emerge, or their tactics, techniques, and procedures (TTPs) may be adopted by other actors. Organizations like MITRE ATT&CK continue to maintain a profile for GCMAN (G0036), last modified in April 2025, underscoring its historical significance for threat intelligence and defensive strategy. Furthermore, security vendors like Rapid7 still provide detections for GCMAN-related indicators of compromise, reflecting the ongoing need to monitor for these past, yet potent, attack patterns. The lessons learned from GCMAN’s operations, particularly their blend of sophisticated APT techniques with common tools, remain pertinent for defending against financially motivated cyberattacks targeting the financial sector.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call