diff --git a/nselib/data/ssl-fingerprints b/nselib/data/ssl-fingerprints
index b304d79a9..510e98971 100644
--- a/nselib/data/ssl-fingerprints
+++ b/nselib/data/ssl-fingerprints
@@ -2047,7 +2047,7 @@ FFD51A486C89C80C126A6767FA967D7883570858
 FFF1C6FD1DBD58604E5E5C4D444C9072CFCDF8EF
 FFFEB1B7BEC6D2A261CCA510808A4BAC8DE712EA
 
-[APT1 - https://www.mandiant.com/blog/md5-sha1/]
+[APT1 - https://www.fireeye.com/blog/threat-research/2013/03/md5-sha1.html]
 7BC0CC2CF7C3A996C32DBE7E938993F7087105B4
 7855C132AF1390413D4E4FF4EAD321F8802D8243
 F3E3C590D7126BD227733E9D8313D2575C421243
@@ -2072,3 +2072,6 @@ B3DB37A0EDDE97B3C3C15DA5F2D81D27AF82F583
 B66E230F404B2CC1C033CCACDA5D0A14B74A2752
 4ACBADB86A91834493DDE276736CDF8F7EF5D497
 86A48093D9B577955C4C9BD19E30536AAE5543D4
+
+[CARBANAK - https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html]
+0BCBD1C184809164A9E83F308AD6FF4DBAFDA22C
diff --git a/scripts/ssl-known-key.nse b/scripts/ssl-known-key.nse
index 36e7d6164..bbea63593 100644
--- a/scripts/ssl-known-key.nse
+++ b/scripts/ssl-known-key.nse
@@ -5,20 +5,19 @@ local stdnse = require "stdnse"
 local sslcert = require "sslcert"
 local tls = require "tls"
 
--- -*- mode: lua -*-
--- vim: set filetype=lua :
-
 description = [[
 Checks whether the SSL certificate used by a host has a fingerprint
 that matches an included database of problematic keys.
 
-The only databases currently checked are the LittleBlackBox 0.1
-database of compromised keys from various devices and some keys
-reportedly used by the Chinese state-sponsored hacking division APT1
-(https://www.mandiant.com/blog/md5-sha1/).  However, any file of
-fingerprints will serve just as well. For example, this could be used
-to find weak Debian OpenSSL keys using the widely available (but too
-large to include with Nmap) list.
+The only databases currently checked are the LittleBlackBox 0.1 database of
+compromised keys from various devices, some keys reportedly used by the Chinese
+state-sponsored hacking division APT1
+(https://www.fireeye.com/blog/threat-research/2013/03/md5-sha1.html),
+and the key used by CARBANAK malware
+(https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html).
+However, any file of fingerprints will serve just as well. For example, this
+could be used to find weak Debian OpenSSL keys using the widely available (but
+too large to include with Nmap) list.
 ]]
 
 ---