FIN6

Threat Actor Profile Updated 25 days ago
FIN6, also tracked as ITG08, Skeleton Spider, and Magecart Group 6, is a financially motivated threat actor implicated in a range of cybercrime activity. The group first gained notoriety for stealing payment card data from point-of-sale (POS) systems in the retail and hospitality sectors; this profile associates it with the 2014 Home Depot breach, which exposed customer payment cards across more than 2,000 stores and cost the company nearly $40 million in lawsuits and settlements. By 2018, Visa had attributed a backdoor used in attacks on e-commerce merchants to FIN6. In the same period FIN6 appeared to add ransomware to its arsenal, and it has since been tied to Ryuk and LockerGoga deployments.

FIN6's tooling overlaps with several malware-as-a-service (MaaS) offerings, including more_eggs (the backdoor sold through the Golden Chickens MaaS) and the Anchor framework developed by the TrickBot gang. eSentire describes more_eggs as the "cyber weapon of choice" of the Russia-based FIN6 and Cobalt Group. eSentire has also worked to unmask the people behind Golden Chickens, whose operator is tracked by CrowdStrike as VENOM SPIDER and uses the handle badbullzvenom; in 2023 the firm identified a second developer, a Romanian known as "Jack" who also goes by "Lucky" and badbullzvenom, a finding SecurityWeek also reported. FIN6 is further associated with TA4557, a Proofpoint-tracked actor whose activity overlaps with other groups using more_eggs, namely Cobalt Group and Evilnum.

FIN6's tradecraft has evolved over time. Recent intrusions target critical Active Directory assets and combine custom malware with commodity post-exploitation frameworks such as Cobalt Strike. In 2019, researchers noted that FIN6 leveraged a malware suite that included a PureLocker ransomware plugin; the same suite had been used by the Cobalt Group in 2017 and 2018.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ITG08 (2 votes): ITG08 is IBM X-Force's name for the threat actor also tracked as FIN6, known for its intrusion activity and for partnering with other cybercrime groups. The group has been linked to a series of attacks through Tactics, Techniques, and Procedures (TTPs) consistent with its known modus operandi. Whi

TA4557 (2 votes): TA4557 is a threat actor tracked by Proofpoint, distinguished by its choice of tools, campaign targeting, evasion measures, and actor-controlled infrastructure. The group is particularly notable for its spear-phishing strategy, wh
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Tags: Malware, Cobalt Strike, Ransomware, Windows
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the FIN6 threat actor was drawn from the documents below (display limited to 20 results).

MITRE (a year ago): Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware | Mandiant
MITRE (a year ago): Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware
MITRE (a year ago): ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
MITRE (a year ago): More_eggs, Anyone? Threat Actor ITG08 Strikes Again
CERT-EU (a year ago): Researchers Identify Second Developer of ‘Golden Chickens’ Malware
CERT-EU (a year ago): Meet 'Jack' from Romania! Mastermind Behind Golden Chickens Malware
CERT-EU (a year ago): A new threat to financial organizations has appeared in cyberspace: the OCX#HARVESTER campaign (translated from Russian)
CERT-EU (8 months ago): Demystifying the Dark Web and DarkNets, Part V—FINs, APTs, Rogues, Hacktivists, Cyber Warriors, and Accidentals
MITRE (a year ago): FIN8 is Back in Business, Targeting the Hospitality Industry
CERT-EU (6 months ago): Hiring? New scam campaign means ‘resume’ downloads may contain malware
CERT-EU (7 months ago): Domain of Thrones: Part I
CERT-EU (a year ago): High-severity Chrome vulnerabilities addressed
CERT-EU (a year ago): Golden Chickens malware developer unmasked
CERT-EU (a year ago): Minnesota VA medical center plagued with IT security gaps
CERT-EU (a year ago): The malware supplier of the most dangerous Russian cybercriminals has been revealed (translated from Greek)
InfoSecurity-magazine (6 months ago): Threat Actor Targets Recruiters With Malware
CERT-EU (a year ago): Researchers identify second developer behind Golden Chickens MaaS