G0105: DarkVishnya
DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.[1]
Analyst context for executives and security teams
DarkVishnya matters because ATT&CK describes it as a financially motivated group that targeted Eastern European financial institutions, and the public reporting behind the object describes intrusions that began with devices connected directly to the banks' local networks. For leaders, the practical lesson is not just "bank threat actor"; it is that physical or local-network access, legitimate administration tools, credential attacks, discovery, and remote access can combine into a high-consequence intrusion path that may bypass perimeter-focused assumptions.
Executive priority
Prioritize questions that test resilience against local-network compromise: Who can connect hardware to sensitive network segments? Are banks, branches, offices, and data-center areas enforcing network access control and segmentation? Can SOC and IR teams distinguish authorized administration from PsExec, Winexe, PowerShell, Windows service creation, network sniffing, brute force, and remote access tool abuse? This object is especially relevant to financial-sector continuity, fraud-risk reduction, audit evidence for privileged access controls, and incident decision-making when an intrusion may start from inside the network boundary.
Technical view
ATT&CK provides no group-level platforms or official detection text, so defenders should validate coverage through the related techniques and software. The relationship set points to initial access via Hardware Additions (devices such as a Bash Bunny, a Raspberry Pi, netbooks, or inexpensive laptops plugged into the local network), credential access through Network Sniffing and Brute Force, discovery through Network Service Discovery and Network Share Discovery, execution through PowerShell, persistence or privilege escalation through Windows Service creation, command and control through Remote Access Tools (DameWare Mini Remote Control) and Non-Standard Ports, and acquisition of tools such as Impacket, Winexe, and PsExec (Obtain Capabilities: Tool). SOC teams should test whether logs correlate physical or switch-port events with new hosts, SMB/admin activity, remote execution, abnormal authentication attempts, service changes, and unusual internal or outbound protocol-port pairings (the reporting names ports 5190 and 7900 for shellcode listeners and 4444, 4445, and 31337 for shellcode C2).
Likely telemetry
- Physical access, visitor, asset, and change-management records for network-connected equipment
- Network access control, DHCP, switch, wireless, ARP, and MAC address inventory events for newly connected devices
- NetFlow, packet capture, IDS, firewall, and proxy evidence for sniffing indicators, scanning, remote access sessions, and non-standard protocol-port use
- Windows security, PowerShell, service control, registry, and endpoint telemetry for PowerShell execution, PsExec-like activity, and Windows service creation or modification
- Authentication logs from hosts, directory services, VPN, identity providers, and exposed services for brute-force patterns
Detection direction
- Do not rely on malware-only detection; the related software and techniques emphasize legitimate or dual-use tooling, including PsExec, Winexe, PowerShell, and remote access tools.
- Validate alerting for new or unexpected devices on sensitive network segments, especially when followed by service discovery, share enumeration, authentication failures, or remote execution.
- Tune detections for administrative-tool abuse by comparing source host, user, time, target system criticality, and change-ticket context to reduce false positives from normal IT operations.
- Correlate brute-force attempts with subsequent successful logons, network share access, PowerShell execution, or Windows service creation.
- Review egress and internal traffic analytics for protocols on unusual ports, but avoid treating all non-standard ports as malicious without business-service context.
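The correlations the list above calls for, written out as an added example that is not part of this page, of ATT&CK, or of the Securelist report: a small Python correlator that takes an unknown device joining a segment as the anchor and looks, within a time window, for service discovery, a brute-force burst followed by a successful logon, a service install on the target, and traffic on a port that is neither common nor on a business-service allowlist. The event field names, the asset inventory, the port allowlist, the hosts and addresses, and the thresholds are all constructed assumptions, not any product's schema; only the Windows event IDs 4625, 4624 and 7045 are real.

```python
"""Multi-stage correlation for a local-network intrusion path.

Added example, not ATT&CK or Glexia code. Event dicts use simplified,
hypothetical field names rather than any vendor schema. Windows event IDs
4625 (failed logon), 4624 (successful logon) and 7045 (service installed)
are the real IDs; everything else is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for one branch segment (not real logs).
EVENTS = [
    {"ts": "2018-11-05T08:02:10", "kind": "new_lease", "ip": "10.20.5.77",
     "mac": "00:13:37:aa:bb:cc"},                       # unknown device gets a DHCP lease
    {"ts": "2018-11-05T08:05:41", "kind": "portscan", "ip": "10.20.5.77",
     "distinct_ports": 120},                            # IDS: service discovery
]
for sec in (3, 9, 15, 21, 27, 33):                      # six failed logons to the file server
    EVENTS.append({"ts": f"2018-11-05T08:09:{sec:02d}", "kind": "4625",
                   "ip": "10.20.5.77", "host": "BR-FS01", "user": "svc_backup"})
EVENTS += [
    {"ts": "2018-11-05T08:11:20", "kind": "4624", "ip": "10.20.5.77",
     "host": "BR-FS01", "user": "svc_backup"},          # ...then a success
    {"ts": "2018-11-05T08:12:05", "kind": "7045", "ip": "10.20.5.77",
     "host": "BR-FS01", "service": "PSEXESVC"},         # PsExec-style service install
    {"ts": "2018-11-05T08:13:30", "kind": "flow", "ip": "10.20.5.40",
     "dst_ip": "10.20.5.77", "dst_port": 4444},         # file server connects back on 4444
    {"ts": "2018-11-05T08:14:00", "kind": "flow", "ip": "10.20.5.77",
     "dst_ip": "10.20.5.9", "dst_port": 7900},          # approved monitoring service (allowlisted)
    {"ts": "2018-11-05T09:00:00", "kind": "new_lease", "ip": "10.20.5.12",
     "mac": "00:50:56:11:22:33"},                       # inventoried admin workstation
    {"ts": "2018-11-05T09:01:00", "kind": "7045", "ip": "10.20.5.12",
     "host": "BR-FS01", "service": "PSEXESVC"},         # routine admin PsExec: no alert
]

KNOWN_MACS = {"00:50:56:11:22:33"}                      # constructed asset inventory
PORT_ALLOWLIST = {("10.20.5.9", 7900)}                  # constructed business-service exceptions
COMMON_PORTS = {53, 80, 88, 135, 389, 443, 445, 636, 3389}
BRUTE_FORCE_THRESHOLD = 5
WINDOW = timedelta(hours=1)


def correlate(events, known_macs=KNOWN_MACS, port_allowlist=PORT_ALLOWLIST,
              threshold=BRUTE_FORCE_THRESHOLD, window=WINDOW, min_stages=3):
    """Return one alert per unknown device that reaches min_stages within window."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    alerts = []
    for lease in events:
        if lease["kind"] != "new_lease" or lease["mac"] in known_macs:
            continue                                    # stage 1: unknown hardware only
        ip, first = lease["ip"], datetime.fromisoformat(lease["ts"])
        stages, failed = ["new_device"], defaultdict(int)

        def add(stage):                                 # record each stage once, in order
            if stage not in stages:
                stages.append(stage)

        for e in events:
            t = datetime.fromisoformat(e["ts"])
            if not first <= t <= first + window or ip not in (e.get("ip"), e.get("dst_ip")):
                continue                                # outside the window or not this device
            k = e["kind"]
            if k == "portscan":
                add("service_discovery")
            elif k == "4625":
                failed[(e["host"], e["user"])] += 1
                if failed[(e["host"], e["user"])] >= threshold:
                    add("brute_force")
            elif k == "4624" and failed[(e["host"], e["user"])] >= threshold:
                add("brute_force_success")              # success after a burst of failures
            elif k == "7045":
                add("service_install")
            elif k == "flow" and e["dst_port"] not in COMMON_PORTS \
                    and (e["dst_ip"], e["dst_port"]) not in port_allowlist:
                add("nonstandard_port")                 # unusual port with no business context
        if len(stages) >= min_stages:
            alerts.append({"ip": ip, "mac": lease["mac"], "stages": stages})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The inventoried admin workstation never becomes a suspect, so its PsExec service install is not alerted on, and the flow to the allowlisted monitoring service on 7900 is ignored while the connection back to the rogue device on 4444 is not; both are the false-positive controls the list above asks for.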
Mitigation priorities
- Start with physical and local-network controls: restrict unauthorized hardware connections, enforce network access control where feasible, and maintain switch-port and asset accountability.
- Segment financial, payment, administrative, and privileged-management networks so a locally connected device or compromised host cannot broadly discover services and shares.
- Harden identity controls against brute force with strong authentication, lockout or throttling policies where appropriate, privileged account separation, and review of service exposure.
- Restrict and monitor dual-use remote administration tools such as PsExec-like utilities, Winexe-like remote execution, PowerShell, and remote access tools according to approved administration workflows.
- Baseline and monitor Windows service creation or modification on critical systems, with incident response playbooks for unauthorized service changes.
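One way to do the service-creation baselining the last item asks for, as an added example that is not code from this page, from ATT&CK, or from the Securelist report: compare each Windows 7045 (service installed) event against a per-host list of approved service name and image path pairs, and flag anything outside it, with extra flags for the default service names PsExec and Winexe install and for services whose image path just launches PowerShell with an encoded command, which matches the PowerShell shellcode-loader pattern the technique table attributes to the group. The baseline, the hosts, the WinUpdSvc service and the encoded payload are constructed; the regex and decoding are the standard way to unpack a PowerShell -EncodedCommand (base64 of UTF-16LE).

```python
"""Baseline check for Windows service installs (event ID 7045).

Added example, not ATT&CK or Glexia code. The baseline, hosts, service
names and image paths below are constructed; PSEXESVC and winexesvc are
the default service names PsExec and Winexe create on a target.
"""
import base64
import re

# Constructed approved-service baseline per host: (service name, image path), lowercased.
BASELINE = {
    "br-fs01": {
        ("spooler", r"c:\windows\system32\spoolsv.exe"),
        ("backupagent", r"c:\program files\acme\agent.exe"),
    },
}
REMOTE_EXEC_SERVICES = {"psexesvc", "winexesvc"}      # default service names of PsExec / Winexe

# Constructed encoded command standing in for a loader; it decodes to a harmless cmdlet.
ENCODED = base64.b64encode("Start-Sleep 1".encode("utf-16-le")).decode()

# Constructed 7045 events (simplified fields, not the real EVTX layout).
SAMPLE_7045 = [
    {"host": "BR-FS01", "service": "Spooler", "account": "LocalSystem",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"host": "BR-FS01", "service": "PSEXESVC", "account": "LocalSystem",
     "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "BR-FS01", "service": "WinUpdSvc", "account": "LocalSystem",
     "image": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -enc " + ENCODED},
]

# -EncodedCommand and its accepted abbreviations, followed by the base64 blob.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(image):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENC_RE.search(image)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"                         # still worth a look, just not readable


def check_service_installs(events, baseline=BASELINE):
    """Flag 7045 events that deviate from the per-host baseline."""
    findings = []
    for e in events:
        host, name, image = e["host"].lower(), e["service"].lower(), e["image"].lower()
        if (name, image) in baseline.get(host, set()):
            continue                                   # known-good service, nothing to do
        flags = ["not_in_baseline"]
        if name in REMOTE_EXEC_SERVICES:
            flags.append("remote_exec_tool")
        if "powershell" in image:
            flags.append("powershell_launcher")        # service that only starts PowerShell
        decoded = decode_encoded_command(e["image"])   # original case: base64 is case-sensitive
        if decoded is not None:
            flags.append("encoded_command")
        findings.append({"host": e["host"], "service": e["service"],
                         "account": e["account"], "flags": flags, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in check_service_installs(SAMPLE_7045):
        print(finding)
```

A remote_exec_tool finding from an approved administration host during a change window is the "authorized administration" case the detection-direction list tells you to tune for; the same finding from a host that just appeared on the segment is the one to act on.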
Analyst notes and limits
The strongest decision value in this object comes from the relationship context: physical or local-network entry, discovery, credential access, legitimate tool abuse, remote access, and persistence behaviors. For Glexia-style advisory work, this maps to assessments of branch/site security, network segmentation, identity controls, SOC telemetry, and IR readiness rather than a single signature or malware family.
The official ATT&CK group object is sparse: platforms, tactics, and detection are not specified at the group level. The description is limited to financially motivated targeting of Eastern European financial institutions in 2017-2018 and at least eight banks. Any claim about current activity, customer exposure, exact intrusion sequence, or confirmed detection coverage requires local telemetry and additional validated intelligence beyond the supplied fields.
DarkVishnya
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1200 | Hardware Additions | DarkVishnya physically connected Bash Bunny, Raspberry Pi, netbooks, and inexpensive laptops to the target organization's environment to access the company's local network.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | DarkVishnya has obtained and used tools such as Impacket, Winexe, and PsExec.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | DarkVishnya created new services for shellcode loaders distribution.[1] |
| Enterprise | T1046 | Network Service Discovery | DarkVishnya performed port scanning to obtain the list of active services.[1] |
| Enterprise | T1135 | Network Share Discovery | DarkVishnya scanned the network for public shared folders.[1] |
| Enterprise | T1110 | Brute Force | DarkVishnya used brute-force attack to obtain login data.[1] |
| Enterprise | T1219 | Remote Access Tools | DarkVishnya used DameWare Mini Remote Control for lateral movement.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | DarkVishnya used PowerShell to create shellcode loaders.[1] |
| Enterprise | T1040 | Network Sniffing | DarkVishnya used network sniffing to obtain login data.[1] |
| Enterprise | T1571 | Non-Standard Port | DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.[1] |
Groups, software, and campaigns
S0191: Winexe
S0029: PsExec
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | fa1ca8f2ba08… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Securelist DarkVishnya Dec 2018: Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.
[2] DarkVishnya (alias entry; citation: Securelist DarkVishnya Dec 2018).
[3] mitre-attack: G0105.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.