>samit_hota
Back to adversary profiles
G0105HighDormant

DarkVishnya (G0105) Threat Actor Profile

Samit Hota·
Suspected Origin
Unknown
Motivation
Financial Gain
Aliases
None documented
Target Sectors
Financial
Associated Malware
Impacket, Winexe, PsExec, DameWare Mini Remote Control, custom shellcodes
#threat-actor#g0105

Overview

DarkVishnya, tracked as G0105 by MITRE ATT&CK, is a financially motivated threat actor primarily targeting financial institutions in Eastern Europe. The group gained notoriety for a series of sophisticated cyber-robberies between 2017 and 2018, during which they reportedly stole tens of millions of dollars from at least eight banks. What distinguishes DarkVishnya from many other financially driven groups is their reliance on physical intrusion as the initial access vector, rather than purely digital means like phishing or exploiting external vulnerabilities. This blend of physical access and advanced cyber capabilities allowed them to bypass conventional perimeter defenses and establish a foothold deep within victim networks. While their origin remains unconfirmed, their targeted approach and the significant financial impact of their operations underscore their professionalism and focus on illicit financial gain.

Tactics & Techniques

DarkVishnya employs a unique and effective set of tactics, techniques, and procedures (TTPs) that combine physical infiltration with a range of cyber attack methods once inside the target network.

Their initial access technique is particularly noteworthy, involving the physical planting of malicious hardware within the target organization’s premises. Attackers would often gain entry under the guise of a legitimate visitor, such as a courier or job seeker, to covertly connect devices like inexpensive laptops, netbooks, Raspberry Pi mini-computers, or Bash Bunny USB-sized penetration testing tools directly to the corporate network. These devices are frequently equipped with GPRS, 3G, or LTE modems, enabling the attackers to establish remote access to the planted device from an external location. Once connected, these rogue devices were often hidden to avoid detection and appeared as unknown computers, external flash drives, or even keyboards on the network.

Following successful physical access, DarkVishnya pivoted to extensive network discovery. They remotely connected to their implanted devices to scan the local network for public shared folders, web servers, and other open resources. Their primary objective during this phase was to map the network and identify servers and workstations involved in payment processing. This reconnaissance included performing port scanning to enumerate active services and network share discovery to locate accessible folders.

For credential access, DarkVishnya frequently resorted to brute-force attacks to obtain login data for internal systems. They also employed network sniffing techniques to intercept credentials and other sensitive information traversing the compromised network segments.

Lateral movement and execution within the network were achieved using a variety of legitimate administrative tools and custom shellcodes. The group leveraged PowerShell to create shellcode loaders and distribute them by establishing new system services. To bypass network segmentation and firewall restrictions, they deployed shellcodes that established local TCP servers, allowing reverse connections and creating tunnels where direct access was blocked. DarkVishnya also made extensive use of readily available remote execution toolkits such as Impacket, Winexe (specifically winexesvc.exe), and PsExec. For remote access and control, they utilized commercial software like DameWare Mini Remote Control.

Their defense evasion tactics were sophisticated, primarily focusing on fileless attacks and the abuse of legitimate tools. By using PowerShell scripts, DarkVishnya could execute commands and malicious payloads without writing files to disk, thereby evading traditional antivirus and allowlisting technologies. The use of legitimate utilities like Impacket, Winexe, and PsExec further complicated detection and incident response efforts.

For command and control (C2), DarkVishnya configured their shellcode listeners and C2 servers to communicate over non-standard ports, specifically using ports 5190 and 7900 for listeners and ports 4444, 4445, and 31337 for C2 communications. This approach aimed to blend C2 traffic with normal network activity and avoid detection by security tools monitoring common malicious ports.

Notable Campaigns

The most significant and documented campaigns attributed to DarkVishnya occurred between 2017 and 2018. During this period, the group successfully attacked at least eight financial institutions across Eastern Europe. These cyber-robberies resulted in substantial financial losses, estimated to be in the tens of millions of dollars.

The defining characteristic of these campaigns was the initial physical compromise. Attackers consistently introduced hardware devices directly into the banks’ local networks. These incidents often involved compromises in central or regional offices, sometimes even in different countries, all linked to the same overarching network. The attacks typically followed a multi-stage process: physical device insertion, remote network exploration, credential harvesting, lateral movement to payment systems, and ultimately, funds transfer. Kaspersky Lab played a key role in investigating these incidents and publicly documenting DarkVishnya’s modus operandi in late 2018.

Associated Malware & Tools

DarkVishnya predominantly relies on readily available penetration testing tools, commercial remote access software, and operating system utilities to achieve their objectives.

The physical devices used for initial access include:

  • Netbooks/Inexpensive Laptops: Used as covert entry points, often equipped with wireless modems for remote access.
  • Raspberry Pi: Miniature computers that are inexpensive and inconspicuous, easily hidden within an office environment and powered via USB.
  • Bash Bunny: A specialized USB-sized hardware tool designed for automated USB attacks and penetration testing.

For post-exploitation activities, lateral movement, and persistence, DarkVishnya utilizes:

  • Impacket: A collection of Python classes for programmatic access to network protocols, used for remote execution.
  • Winexe (winexesvc.exe): A tool for remote execution of commands on Windows systems.
  • PsExec: A legitimate Microsoft Sysinternals tool abused for remote command execution and lateral movement.
  • PowerShell: Abused for creating shellcode loaders, deploying services, and executing commands in a fileless manner.
  • DameWare Mini Remote Control: Commercial remote access software used to maintain control over compromised systems.
  • Custom Shellcodes: Developed to establish local TCP servers for bypassing firewall restrictions and facilitating network traversal.

Current Status

Publicly available information indicates that DarkVishnya’s primary period of activity was between 2017 and 2018. Following the extensive investigations and subsequent reporting by cybersecurity firms like Kaspersky Lab in late 2018, it was reported that the attacks had ceased after the targeted banks implemented additional security measures. There have been no widely publicized reports of new campaigns or confirmed activities attributed to DarkVishnya since that time. While the group’s MITRE ATT&CK profile was last modified in April 2025, this reflects updates to the ATT&CK knowledge base rather than new activity from the group itself. Based on the lack of recent incident reports and the statement from 2018 regarding the cessation of attacks, DarkVishnya appears to be dormant.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call