Blog | G5 Cyber Security

Fortinet Finds Loader Uses Updated Version of Backdoor

Fortinet finds that a loader uses an updated version of the Carbanak backdoor malware, and finds traces of how the FIN7 group manages to keep on delivering the malware. The malware subverts the normal way that Windows loads a Dynamic Link Library (DLL) by a technique known as DLL search order hijacking (or binary planting). In this case, the attackers use FaceFodUninstaller. This exists on a clean OS installation starting from Windows 10 RS4 (1803) at the “%WINDIR%\System32\WinBioPlugIns” folder, which is usually found in the parent directory.
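A defender-side check for the pattern described above, as an added example that is not from Fortinet's report or from this post: it flags image loads where an executable below System32 (such as FaceFodUninstaller in WinBioPlugIns) loads, from its own folder, a DLL whose name also exists in System32. The event tuples, `C:\Windows` standing in for `%WINDIR%`, and the DLL names are constructed assumptions; the page does not name the planted DLL.

```python
import ntpath

# Assumption: C:\Windows stands in for %WINDIR% on the monitored host.
SYSTEM32 = r"C:\Windows\System32"

def norm(path):
    """Normalise a Windows path (slashes, case) so comparisons are reliable."""
    return ntpath.normcase(ntpath.normpath(path))

def find_planted_dlls(events, system32_dlls):
    """Return (process_image, loaded_dll) pairs that look like binary planting.

    events: iterable of (process_image, loaded_dll) path pairs, for example
            taken from image-load telemetry.
    system32_dlls: DLL file names known to live directly in System32.
    """
    sys32 = norm(SYSTEM32)
    known = {name.lower() for name in system32_dlls}
    hits = []
    for image, dll in events:
        exe_dir = ntpath.dirname(norm(image))
        dll_dir, dll_name = ntpath.split(norm(dll))
        # The application directory is searched before System32, so a
        # same-named DLL placed beside the EXE is loaded instead of the
        # legitimate copy in the parent directory.
        loaded_from_exe_dir = dll_dir == exe_dir
        exe_below_system32 = exe_dir.startswith(sys32 + "\\")
        if loaded_from_exe_dir and exe_below_system32 and dll_name in known:
            hits.append((image, dll))
    return hits

# Constructed sample data; placeholder.dll is a made-up name.
EXE = r"C:\Windows\System32\WinBioPlugIns\FaceFodUninstaller.exe"
SAMPLE_EVENTS = [
    (EXE, r"C:\Windows\System32\WinBioPlugIns\placeholder.dll"),  # shadows System32 copy
    (EXE, r"C:\Windows\System32\placeholder.dll"),                # legitimate location
    (EXE, r"C:\Windows\System32\WinBioPlugIns\plugin_only.dll"),  # no System32 twin
    (r"C:\Program Files\App\app.exe", r"C:\Program Files\App\placeholder.dll"),
]
SYSTEM32_DLLS = {"Placeholder.dll", "kernel32.dll"}

if __name__ == "__main__":
    for image, dll in find_planted_dlls(SAMPLE_EVENTS, SYSTEM32_DLLS):
        print(f"possible DLL search order hijack: {image} loaded {dll}")
```

In practice the `system32_dlls` set would come from a directory listing of a known-clean host of the same Windows build.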

Source: https://www.darkreading.com/abtv/fortinet-finds-loader-uses-updated-version-of-backdoor-/a/d-id/756509
