FIN12

Threat Actor Profile Updated 13 days ago
FIN12, also known as Pistachio Tempest and tracked by Microsoft as DEV-0237, is a prominent financially motivated threat actor. The group is associated with the distribution of Hive, Conti, and Ryuk ransomware and has carried out numerous high-profile attacks, particularly against the U.S. healthcare sector since 2020. Over time it has broadened its target range, and it employs a variety of tools and techniques, including BEACON delivered via the WEIRDLOOP in-memory dropper, DAVESHELL, and DICELOADER.

FIN12's operations illustrate how difficult technical attribution can be in cybercrime. In one intrusion, both FIN7 and FIN12 were active on the same victim system using the same Remote Desktop Protocol (RDP) account, yet with different infrastructure and tradecraft. In another notable attack, the group compromised a French hospital by using the valid credentials of a healthcare professional to gain backdoor access to the network. The group is known to deploy SystemBC alongside Cobalt Strike (CS Beacon) when executing its ransomware attacks.

FIN12 has connections to other threat actors, including the Russian financially motivated cybercrime group Exotic Lily and the Conti ransomware group. Researchers have also identified the group's command-and-control (C2) servers hosted on Cloudzy infrastructure, which is used by more than two dozen other threat actors worldwide. Despite remediation efforts, the persistent and evolving nature of FIN12's activity continues to pose significant challenges to defenders.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Pistachio Tempest | 3 | Pistachio Tempest, also known as FIN12, is a threat actor that has been identified as a significant cybersecurity risk, particularly to the healthcare industry. According to a report by the U.S. Department of Health and Human Services (HHS) in 2022, this group has specifically targeted healthcare en
EXOTIC LILY | 2 | Exotic Lily, an initial access broker (IAB), has been active since at least September 2021. The entity conducts highly sophisticated phishing campaigns to gain initial access to organizations and then sells this access to other threat actors, including ransomware groups. A notable example of their m
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Beacon
Associated Malware
ID | Type | Votes | Profile Description
Conti | Unspecified | 2 | Conti is a malware program known for its disruptive capabilities, including stealing personal information and holding data hostage for ransom. It gained notoriety as part of the arsenal of ITG23, a cybercrime group that used it in conjunction with other malicious software like Trickbot, BazarLoader,
SystemBC | Unspecified | 2 | SystemBC is a type of malware, a harmful program designed to exploit and damage computer systems. It has been used in numerous attacks, often in conjunction with other malware types. In 2023, it was observed being used heavily with Quicksand and BlackBasta. SystemBC has also been associated with Pla
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the FIN12 threat actor was read from the document corpus listed below. This display is limited to 20 results.
Source | Created At | Title
BankInfoSecurity | 5 months ago | Sizing Up the Worst Healthcare Hacks of 2023
InfoSecurity-magazine | 9 months ago | DroxiDat-Cobalt Strike Duo Targets Power Generator Network
MITRE | 5 months ago | FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Securityaffairs | 9 months ago | Power Generator in South Africa hit with DroxiDat and Cobalt Strike
MITRE | 5 months ago | The many lives of BlackCat ransomware (Microsoft Security Blog)
MITRE | a year ago | Exposing initial access broker with ties to Conti
CERT-EU | 7 months ago | Southern African power generator targeted with DroxiDat malware
CERT-EU | 10 months ago | US internet hosting company appears to facilitate global cybercrime, researchers say
CERT-EU | 10 months ago | Iranian ISP suspected of aiding cybercriminals and nation-state hackers
CERT-EU | 9 months ago | Focus on DroxiDat/SystemBC (GIXtools)
CERT-EU | 9 months ago | Focus on DroxiDat/SystemBC
CERT-EU | 10 months ago | Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers