FIN7

Threat Actor Profile Updated 7 days ago
FIN7 is a prominent, financially motivated threat actor that has been linked to a series of malicious activities in recent years. In November 2022, SentinelLabs researchers reported a connection between FIN7 and the Black Basta ransomware gang, highlighting FIN7's expanding arsenal, which includes custom EDR evasion tools tied specifically to the group. Further analysis revealed code overlap between the Domino Backdoor and Loader and the Lizar malware (also known as Tirion and DiceLoader), affirming FIN7's affiliation with the threat group ITG14.

In 2023 the group's activity escalated as it incorporated several additional malware families into its operations: the Nokoyawa and BlackBasta ransomware; malware obtained or purchased from other developers, such as Minodo and Diceloader; a new malware family dubbed Canyon; Aresloader; and the information stealers Vidar and LummaC2. This diversification of malware indicates a strategic evolution within the group aimed at enhancing its attack capabilities.

In 2024, FIN7 launched a sophisticated phishing campaign targeting a large U.S. carmaker, demonstrating its continued threat to industries across the globe. BlackBerry's analysis of the campaign's network infrastructure uncovered an interconnected set of domains and proxy servers that FIN7 used to deliver payloads and maintain access to compromised systems. Reports also suggest FIN7's involvement in deploying notorious ransomware strains such as REvil and DarkSide, signaling a shift toward more aggressive tactics. Organizations should therefore remain vigilant and maintain robust security controls to counter these evolving threats.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Black Basta | 6 | Black Basta is a malicious ransomware program that has been active since April 2022. It operates using a double-extortion attack model, infecting systems and holding data hostage for ransom. The malware typically infiltrates systems through suspicious downloads, emails, or websites, often without th
Diceloader | 6 | Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in
Carbanak | 5 | Carbanak is a potent form of malware, short for malicious software, which infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Carbanak can steal personal information, disrupt operations, or even hold data hostage for ransom. The
Sangria Tempest | 5 | Sangria Tempest, also known as FIN7, Carbon Spider, and ELBRUS, is a threat actor that has been active since 2014. This Russian advanced persistent threat (APT) group is known for its malicious activities, including spear-phishing campaigns, malware distribution, and theft of payment card data. In m
ITG14 | 3 | ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14's Carbanak Backdoor. The Domino Backdoor not only shares signifi
Tirion | 3 | Tirion, also known as Lizar or DiceLoader, is a type of malware developed by the threat group ITG14, also known as FIN7. First reported in March 2020, Tirion has been observed in numerous ITG14 campaigns up until the end of 2022. This malicious software can infiltrate systems through suspicious down
Anunak | 2 | Anunak, also known as Carbanak or FIN7, is a prominent threat actor in the cybercrime landscape. The group emerged around 2013 and specializes in financial theft, primarily targeting Eastern European banks, U.S. and European point-of-sale systems, and other entities. The name "Carbanak" was coined b
Carbon Spider | 2 | CARBON SPIDER, also known as FIN7 and Sangria Tempest, is a threat actor that has been active in the eCrime space since approximately 2013. This criminally motivated group primarily targets the hospitality and retail sectors with the aim of obtaining payment card data. The group has been linked to s
Evil Corp | 2 | Evil Corp, a threat actor group based in Russia, has been identified as a significant cybercrime entity responsible for the execution of malicious actions. The alleged leader of this group is Maksim Yakubets, who is notably associated with Dridex malware operations. The U.S. Treasury imposed sanctio
Carbanak Group | 2 | The Carbanak Group, also known as FIN7, is a notorious cybercrime gang responsible for some of the largest banking heists in history. This threat actor specializes in executing actions with malicious intent, often deploying data-stealing backdoors such as the CARBANAK malware. Despite several arrest
Shadowsyndicate | 2 | ShadowSyndicate, a threat actor that emerged in 2019, has been implicated in multiple ransomware operations according to cybersecurity firm Group-IB. The group is known for its affiliations with various ransomware groups and programs, and has been involved in several ransomware projects such as JSWO
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Cybercrime
Backdoor
Loader
Exploit
Phishing
Lateral Move...
Cobalt Strike
Vulnerability
exploitation
Apt
Payload
Beacon
Trojan
Dropper
Veeam
Reconnaissance
Spearphishing
Blackberry
Windows
Ransom
Extortion
Proxy
Associated Malware
ID | Type | Votes | Profile Description
Lizar | Unspecified | 6 | Lizar, also known as Tirion or Diceloader, is a malicious software developed by the threat group ITG14. It's designed to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Once installed, it can steal personal information, disrupt operati
Conti | Unspecified | 5 | Conti is a malware program known for its disruptive capabilities, including stealing personal information and holding data hostage for ransom. It gained notoriety as part of the arsenal of ITG23, a cybercrime group that used it in conjunction with other malicious software like Trickbot, BazarLoader,
Domino | Unspecified | 5 | Domino is a potent malware that has caused significant disruptions and damage to various systems. The first known attack was on Romania's Pitesi Pediatric Hospital on February 10, with subsequent attacks on other hospitals on February 11 and February 12. The malware infiltrates systems via suspiciou
Clop | Unspecified | 4 | Clop is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. T
REvil | Unspecified | 3 | REvil, also known as Sodinokibi, is a notorious malware that gained prominence due to its harmful impact on computer systems and data. It operates under the Ransomware as a Service (RaaS) model, which saw a significant rise in popularity throughout 2020. The malware typically infects systems via sus
Domino Backdoor | is related to | 3 | The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or hol
Carbanak Backdoor | Unspecified | 3 | The Carbanak Backdoor is a notorious malware, designed to exploit and damage computer systems. It is associated with the FIN7 threat group, also known as the "Carbanak Group", although not all usage of the Carbanak Backdoor can be directly linked to FIN7. This malicious software infiltrates systems
Lockbit | Unspecified | 2 | LockBit is a malicious software, or malware, that has been significantly active in recent years. It is designed to infiltrate systems and cause significant damage by stealing sensitive information, disrupting operations, and holding data hostage for ransom. In 2023, security firm Rapid7 named LockBi
Ryuk | Unspecified | 2 | Ryuk is a type of malware, specifically ransomware, that has been used extensively by the group ITG23. The group has been encrypting their malware for several years, using crypters with malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware investigations were linked to
Project Nemesis | Unspecified | 2 | Project Nemesis is a malicious software, or malware, that was first advertised on the dark web in December 2021. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites. Once inside, Project Nemesis can steal personal information,
Cobalt Strike Beacon | Unspecified | 2 | Cobalt Strike Beacon is a type of malware, malicious software designed to exploit and damage computer systems. It has recently been linked to ransomware activity, being loaded by HUI Loader under various names such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted version under vm.cfg. This malware
Maze | Unspecified | 2 | Maze is a type of malware, specifically ransomware, that gained notoriety in 2019 for its double extortion tactic. This malicious software infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Maze w
Blackbasta | Unspecified | 2 | BlackBasta is a notorious malware, specifically a ransomware, that has been actively exploiting and damaging computer systems since its first appearance in April 2022. The ransomware primarily used SharpDepositorCrypter as its loader throughout most of 2022, often in conjunction with other malicious
Lockbit Black | Unspecified | 2 | LockBit Black, also known as LockBit 3.0, is a malware that emerged in early 2022 as the third version of the LockBit group's ransomware. The developer has consistently worked to improve this malicious software, with the previous version, LockBit 2.0 (also known as LockBit Red), being released in mi
Associated Threat Actors
ID | Type | Votes | Profile Description
Alphv | Unspecified | 4 | AlphV, also known as BlackCat, is a significant threat actor within the cybercrime landscape. Throughout 2023, AlphV has been responsible for numerous high-profile ransomware attacks, stealing significant amounts of data from various organizations. The group claimed responsibility for hacking Clario
DarkSide | Unspecified | 4 | DarkSide is a notorious threat actor that has been associated with significant cyber attacks, most notably the ransomware attack on the US Colonial Pipeline in 2021. This group was known for its adoption of the ransomware-as-a-service (RaaS) model and had reportedly netted over $90 million in Bitcoi
Blackmatter | Unspecified | 3 | BlackMatter, a threat actor known for its malicious activities in the cybersecurity landscape, emerged as a variant of the notorious "DarkSide" ransomware. In May 2021, after launching an attack on Colonial Pipeline, the group rebranded itself from DarkSide to BlackMatter. However, due to increased
LockBitSupp | Unspecified | 2 | LockBitSupp, also known as Dmitry Yuryevich Khoroshev, is a notorious threat actor and the mastermind behind the prolific LockBit ransomware attacks. Operating under various aliases including "LockBit" and "putinkrab," Khoroshev has been actively involved in cybercrime for over 14 years, with his ac
Lapsus | Unspecified | 2 | Lapsus is a significant threat actor that has been active since its inception in early 2022. The group gained notoriety for its cyberattacks, including a high-profile breach of Nvidia, an American multinational technology company, in the same year. This attack led to the leak of thousands of passwor
APT28 | Unspecified | 2 | APT28, also known as "Forest Blizzard," "Fancybear," or "Strontium," is a threat actor linked to the Russian GRU. This group has been involved in various cyber espionage activities targeting multiple countries and organizations. In October 2023, the French National Agency for the Security of Informa
TA505 | Unspecified | 2 | TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec
Associated Vulnerabilities
No associations to display
Source Document References
Information about the FIN7 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | FIN7 Recruits Talent For Push Into Ransomware
MITRE | 6 months ago | FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
MITRE | a year ago | Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm
MITRE | a year ago | FIN7.5: the infamous cybercrime rig "FIN7" continues its activities
MITRE | a year ago | FIN7 Evolution and the Phishing LNK | Mandiant
MITRE | a year ago | Mahalo FIN7: Responding to the Criminal Operators' New Tools and Techniques | Mandiant
DARKReading | a year ago | FIN7, Former Conti Gang Members Collaborate on 'Domino' Malware
MITRE | a year ago | Behind the CARBANAK Backdoor | Mandiant
CERT-EU | a year ago | FIN7 Hackers Caught Exploiting Recent Veeam Vulnerability
CERT-EU | a year ago | Researchers tie FIN7 cybercrime family to Clop ransomware
Securityaffairs | a year ago | The intricate relationships between the FIN7 group and members of the Conti gang
CERT-EU | a year ago | FIN7 does not give up: the hackers are back with a new ransomware, Clop
CSO Online | a year ago | Cybercrime group FIN7 targets Veeam backup servers
MITRE | a year ago | FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings
MITRE | a year ago | FIN7 Revisited: Inside Astra Panel and SQLRat Malware
CERT-EU | a year ago | Ransomware gang exploiting unpatched Veeam backup products | #ransomware | #cybercrime – National Cyber Security Consulting
SecurityIntelligence.com | a year ago | Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
CERT-EU | a year ago | The FIN7 attacker group targets Veeam backup servers - Le Monde Informatique
MITRE | a year ago | FIN7 Backdoor Masquerades as Ethical Hacking Tool