Menu
Browse

Cyber Threat Actor: Buhtrap

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Spy
Russia
1 incident
Profile

The threat actor known as Buhtrap, also referred to as the Buhtrap gang, has been observed operating from Russia. Public reporting ties the group to a compromise of the free version of Ammyy Admin, a remote administration tool, where attackers bundled their Buhtrap malware with legitimate installers distributed from ammyy.com. Users who downloaded the software between late October and early November 2015 received installers that also deployed the Buhtrap payload. The malware’s capabilities included system espionage, keystroke logging, and communication with command‑and‑control servers. By exploiting the wide adoption of Ammyy Admin, the actor was able to reach a broad audience without relying on traditional phishing or exploit‑based entry points.

Technical analysis of the campaign revealed that the Buhtrap malware was delivered via NSIS‑based droppers that employed DLL sideloading to execute malicious code alongside legitimate libraries. The same droppers were used to distribute multiple malware families, showing a modular approach to payload delivery. Researchers identified specific SHA1 hashes associated with the malicious bundles and noted that a digital certificate used to sign the installers had been revoked by Comodo, a detail that helped defenders flag the tainted files. While the actor’s location is cited as Russia, no public source has linked Buhtrap to a state sponsor or a larger criminal consortium, leaving its affiliation uncertain beyond the geographic indicator. The Ammyy incident remains the most clearly documented operation attributed to Buhtrap, illustrating how the group leverages trusted software channels to achieve its objectives.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source