Lurk is a Russian cybercrime malware family best known as a banking trojan used to steal funds from banks, financial institutions, and commercial organizations. It has been associated with the Lurk gang, a criminal group disrupted by Russian law enforcement in 2016 after investigators linked it to large-scale financial theft. Lurk has also been tied in reporting to operators connected with the Angler exploit kit ecosystem, and historical observations indicate it was delivered as a payload by early Angler-related exploit activity.
Lurk is characterized in public reporting as a banking-focused malware operation rather than a general-purpose commodity threat. Its operators were implicated in building and managing networks of infected computers and using those infections to facilitate theft from financial targets. The malware’s operational model places it in the broader lineage of post-Carberp Russian-speaking financial malware campaigns that combined exploit-driven infection chains with organized monetization.
Observed delivery relationships connect Lurk to exploit-kit-based compromise, particularly Angler, including early fileless-style exploit activity against browser users. Reporting also links the broader Lurk gang to criminal advertising and exploit-kit distribution ecosystems active in the mid-2010s. The campaign’s victimology centered on financial entities and businesses, with activity especially noted in Russia and neighboring regional contexts.
At high confidence, Lurk should be understood as Windows banking malware used for financially motivated intrusions and theft, with exploit-kit delivery playing a documented role in at least part of its historical deployment.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
2015-01-27 - Angler EK "indexm" exploiting CVE-2015-2551 and firing Java exploits [Payload here is most probably Lurk]
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Qaiser's associates are believed to be the Lurk malware gang, responsible for creating the Lurk banking trojan and the Angler exploit kit.
1 distinct technique documented for this family, organized by ATT&CK tactic.
This indexm.html variant of Angler EK is most probably still being used in RU/UA and was one of the early adopter of CVE-2015-0311 ... There was still java exploit inside in march 2015-01-27 - Angler EK "indexm" exploiting CVE-2015-2551 and firing Java exploits
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Banking malware referenced as part of historical Russian arrests and enforcement patterns.
Banking trojan attributed to the Lurk gang; the same group was also described as responsible for the Angler exploit kit.
Referenced as a comparison point for short-lived loader behavior (very limited active lifespan) used to hinder analysis.
Lurk is a banking trojan used to create botnets of infected computers for stealing money from banks, financial institutions, and commercial organizations.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.