FIN7

Threat Actor updated a month ago (2024-10-15T10:02:06.724Z)
Download STIX
Preview STIX
FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global organizations, resulting in over $1.2 billion in financial gains. Despite law enforcement's attempts to disrupt their activities, FIN7 continues to pose a significant threat. Recently, they targeted a large U.S. carmaker with phishing attacks and advertised a new Endpoint Detection and Response (EDR) bypass tool on hacking forums. The group has shown sophisticated thought and planning in its campaigns, including the DeepNude Generator campaign. This campaign involved hosting honeypot domains with malicious AI DeepNude Generators, using at least seven dedicated website URLs, such as aiNude[.]ai, easynude[.]website, and ai-nude[.]cloud, to appear convincing. Additionally, FIN7 has been employing Search Engine Optimization (SEO) techniques to rank their honeypots higher in search results, keeping users engaged with footer links to adult content sites. They also continue to promote an existing malvertising campaign that targets corporate users with content from popular brands to spread the NetSupport Remote Access Trojan (RAT) and .MSIX malware. To help organizations defend against threats from FIN7, developing indicators of attack based on the group's tactics, techniques, and procedures (TTPs) is recommended. The group's recent activities include serving up Lumma Stealer, the NetSupport RAT, and Redline credential stealing malware. Researchers from Silent Push have observed the Russia-based threat group running a network of websites promising to digitally undress women, demonstrating their continued use of social engineering and artificial intelligence in their aggressive, adult-themed threat campaigns.
Description last updated: 2024-10-15T09:29:02.137Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Black Basta is a possible alias for FIN7. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses
7
Diceloader is a possible alias for FIN7. Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in
6
Carbanak is a possible alias for FIN7. Carbanak is a notorious malware developed by the cybercrime collective known as FIN7, also referred to as Carbon Spider, Cobalt Group, and Navigator Group. The group, which has been active since 2012, is of Russian origin and has been particularly focused on exploiting the restaurant, gambling, and
5
Sangria Tempest is a possible alias for FIN7. Sangria Tempest, also known as Carbon Spider, Elbrus, and FIN7, is a threat actor that has been active since 2013. In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113's EugenLoader delivered through malicious MSIX package installations. The group frequently targets the restaura
5
ITG14 is a possible alias for FIN7. ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14’s Carbanak Backdoor. The Domino Backdoor not only shares signifi
3
Tirion is a possible alias for FIN7. Tirion, also known as Lizar or DiceLoader, is a type of malware developed by the threat group ITG14, also known as FIN7. First reported in March 2020, Tirion has been observed in numerous ITG14 campaigns up until the end of 2022. This malicious software can infiltrate systems through suspicious down
3
Shadowsyndicate is a possible alias for FIN7. ShadowSyndicate, a threat actor that emerged in 2019, has been implicated in multiple ransomware operations according to cybersecurity firm Group-IB. The group is known for its affiliations with various ransomware groups and programs, and has been involved in several ransomware projects such as JSWO
2
Evil Corp is a possible alias for FIN7. Evil Corp, a threat actor based in Russia, has been identified as a significant cybersecurity threat due to its involvement in various malicious activities, including the deployment of Dridex malware. The group is led by Maksim Yakubets and has been sanctioned by the Treasury Department for its cybe
2
Anunak is a possible alias for FIN7. Anunak, also known as Carbanak or FIN7, is a prominent threat actor in the cybercrime landscape. The group emerged around 2013 and specializes in financial theft, primarily targeting Eastern European banks, U.S. and European point-of-sale systems, and other entities. The name "Carbanak" was coined b
2
Carbon Spider is a possible alias for FIN7. CARBON SPIDER, also known as FIN7 and Sangria Tempest, is a threat actor that has been active in the eCrime space since approximately 2013. This criminally motivated group primarily targets the hospitality and retail sectors with the aim of obtaining payment card data. The group has been linked to s
2
Stark Industries Solutions is a possible alias for FIN7. Stark Industries Solutions has emerged as a significant threat actor in the cybersecurity landscape, with its operations intricately linked to a series of cyberattacks against Ukraine and other entities perceived as enemies of Russia. The company, a large hosting provider, materialized just two week
2
Carbanak Group is a possible alias for FIN7. The Carbanak Group, also known as FIN7, is a notorious cybercrime gang responsible for some of the largest banking heists in history. This threat actor specializes in executing actions with malicious intent, often deploying data-stealing backdoors such as the CARBANAK malware. Despite several arrest
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Cybercrime
Loader
Phishing
Backdoor
Tool
Silent Push
Exploit
Exploits
Lateral Move...
Cobalt Strike
Vulnerability
Domains
exploitation
Apt
Trojan
Veeam
Payload
Dropper
Windows
Ransom
Extortion
Proxy
Beacon
Blackberry
Reconnaissance
Spearphishing
PowerShell
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lizar Malware is associated with FIN7. Lizar, also known as Tirion or Diceloader, is a malicious software developed by the threat group ITG14. It's designed to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operatiUnspecified
6
The Conti Malware is associated with FIN7. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several raUnspecified
5
The Domino Malware is associated with FIN7. Domino is a malicious software that infiltrated various systems, most notably IBM Domino Server and ESET Mail Security for IBM Domino, causing significant disruptions and data breaches. The malware was particularly potent due to its ability to exploit vulnerabilities in one system and trigger a domiUnspecified
5
The Clop Malware is associated with FIN7. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitinUnspecified
4
The Carbanak Backdoor Malware is associated with FIN7. The Carbanak Backdoor is a notorious malware, designed to exploit and damage computer systems. It is associated with the FIN7 threat group, also known as the "Carbanak Group", although not all usage of the Carbanak Backdoor can be directly linked to FIN7. This malicious software infiltrates systems Unspecified
3
The Blackbasta Malware is associated with FIN7. BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relationUnspecified
3
The Ryuk Malware is associated with FIN7. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware invesUnspecified
3
The REvil Malware is associated with FIN7. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. ThUnspecified
3
The Domino Backdoor Malware is associated with FIN7. The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or holis related to
3
The Netsupport Rat Malware is associated with FIN7. NetSupport RAT is a malicious software (malware) that poses a significant threat to organizational safety. The malware, which can be spread through suspicious downloads, emails, or websites, infiltrates systems without detection and has the potential to steal personal information, disrupt operationsUnspecified
3
The Maze Malware is associated with FIN7. Maze is a form of malicious software, or malware, that pioneered a novel double-extortion tactic in the cyber threat landscape. Its modus operandi involves stealing victims' files before encrypting them, thereby enabling the threat actors to threaten both the disruption of operations and the releaseUnspecified
2
The Lockbit Malware is associated with FIN7. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit Unspecified
2
The Lockbit Black Malware is associated with FIN7. LockBit Black, also known as LockBit 3.0, is a malicious software that emerged in early 2022 following the release of its predecessor, LockBit 2.0 (or LockBit Red) in mid-2021. The malware has been developed to exploit and damage computer systems by encrypting files, often leading to ransom demands Unspecified
2
The Cobalt Strike Beacon Malware is associated with FIN7. Cobalt Strike Beacon is a type of malware, a harmful software designed to exploit and damage computer systems. It is often loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted file vm.cfg. The Insikt Group has identified six distinct Cobalt Strike BeaconUnspecified
2
The Aukill Malware is associated with FIN7. AuKill, a malicious software (malware) developed by the notorious cybercrime collective FIN7, has been identified as a significant threat to endpoint security. The malware was designed to exploit a vulnerable version of a driver for Microsoft's Process Explorer utility, thereby disabling endpoint prUnspecified
2
The Project Nemesis Malware is associated with FIN7. Project Nemesis is a malicious software, or malware, that was first advertised on the dark web in December 2021. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites. Once inside, Project Nemesis can steal personal information, Unspecified
2
The Netsupport Malware is associated with FIN7. NetSupport is a legitimate remote access software that has been repurposed as malware by various cybercriminal groups. It has been observed in several high-profile cyber-attacks, including the Royal ransomware attack and operations conducted by former ITG23 members. The malware can infiltrate systemUnspecified
2
The Lumma Stealer Malware is associated with FIN7. Lumma Stealer is a potent malware designed to exfiltrate information from compromised systems, including system details, web browsers, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was diUnspecified
2
The TrickBot Malware is associated with FIN7. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,Unspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Alphv Threat Actor is associated with FIN7. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB Unspecified
4
The DarkSide Threat Actor is associated with FIN7. DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply acrossUnspecified
4
The Blackmatter Threat Actor is associated with FIN7. BlackMatter, a threat actor in the cybersecurity realm, is known for its malicious activities and has been linked to several ransomware strains. The group emerged as a successor to the DarkSide ransomware, which was responsible for the high-profile attack on the Colonial Pipeline in May 2021. HoweveUnspecified
3
The Lapsus Threat Actor is associated with FIN7. Lapsus is a significant threat actor that has been active since its inception in early 2022. The group gained notoriety for its cyberattacks, including a high-profile breach of Nvidia, an American multinational technology company, in the same year. This attack led to the leak of thousands of passworUnspecified
2
The APT28 Threat Actor is associated with FIN7. APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC) Unspecified
2
The TA505 Threat Actor is associated with FIN7. TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. CybersecUnspecified
2
The LockBitSupp Threat Actor is associated with FIN7. LockBitSupp, a prominent threat actor, has been identified as Russian national Dmitry Yuryevich Khoroshev. The group's activities have been under scrutiny due to its involvement in ransomware attacks and other cybercrimes. Khoroshev, who was operating under the aliases "LockBit" and "LockBitSupp," iUnspecified
2
Source Document References
Information about the FIN7 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securityaffairs
a month ago
DARKReading
2 months ago
BankInfoSecurity
2 months ago
InfoSecurity-magazine
2 months ago
BankInfoSecurity
2 months ago
Securityaffairs
3 months ago
Securityaffairs
3 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
DARKReading
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Krebs on Security
4 months ago
Securityaffairs
4 months ago
Securityaffairs
5 months ago