The Odinaff Trojan has been active since January 2016, carrying out attacks against organisations operating in the banking, securities, trading, and payroll sectors, as well as those which provide support services to these industries.

According to Symantec, the Trojan contains custom-built malware tools designed for exploring compromised networks, stealing credentials, and monitoring and recording employee activity in attacks which researchers say can be highly lucrative for hackers.

Cybersecurity researchers suspect that Odinaff is related to the Carbanak hacking group, which has stolen over one billion dollars from banks since first appearing in 2013. Researchers note that one of the IP addresses used by Odinaff has been mentioned in connection with the Oracle Micros breach, an attack which saw the compromise of hundreds of POS devices.

Also, three Odinaff command and control IP addresses have been connected to previous Carbanak campaigns, which saw banks in 30 countries being targeted by cybercriminals suspected to originate from Russia, Ukraine, Europe, and China.