G0037: FIN6
Analyst context for executives and security teams
FIN6 matters because ATT&CK describes it as a financially motivated group focused on stealing payment card data, with aggressive compromise of point-of-sale systems in hospitality and retail. The relationship data also links the group to credential theft, remote administration/execution tooling, discovery, exfiltration, backdoors, POS malware, and ransomware families, so leaders should treat this as more than a malware-name problem: it is a test of payment environment segmentation, Windows identity hygiene, incident response readiness, and evidence needed for payment-card and business-continuity assurance.
Executive priority
Prioritize FIN6-relevant coverage where payment processing, retail operations, hospitality operations, Active Directory, and Windows administration paths intersect. Useful leadership questions include: can we prove PoS systems are isolated from general corporate Windows access, can we detect credential dumping and remote movement before data theft or ransomware impact, and do we have audit-ready logs showing access to payment systems and sensitive local data? The ATT&CK relationships to Ryuk, LockerGoga, and Maze also make recovery readiness and ransomware decision-making relevant, especially for organizations where Windows enterprise disruption could affect physical operations.
Technical view
ATT&CK does not provide a FIN6-specific detection section, so defenders should build validation from the linked techniques and software. Focus on Windows credential access involving LSASS and NTDS, remote execution via PsExec/WMI/RDP, Active Directory reconnaissance with tools such as AdFind, command obfuscation, suspicious task/service naming, remote system and service discovery, local data collection, and unencrypted exfiltration paths. For PoS environments, validate monitoring for FrameworkPOS-like behavior and any unauthorized access to systems that process payment-card data. Treat dual-use tools such as PsExec, Cobalt Strike, Mimikatz, Windows Credential Editor, and AdFind as context-dependent signals requiring user, host role, command-line, and authentication correlation.
Likely telemetry
- Endpoint process creation, command-line, parent-child process, module, and script execution telemetry from Windows systems
- Authentication, RDP logon, privileged account use, and lateral movement records
- Domain controller and Active Directory telemetry, including access patterns relevant to NTDS and directory enumeration
- Service creation, scheduled task, WMI, and remote execution logs
- EDR or host telemetry for credential dumping indicators involving LSASS and password dumping tools
Detection direction
- Validate correlation across credential access, discovery, and lateral movement rather than relying on single tool-name alerts.
- Tune detections for dual-use administration tools by comparing activity against approved admin hosts, expected operators, maintenance windows, and normal command patterns.
- Look for chains such as directory discovery followed by credential access, RDP/PsExec/WMI use, local data access, or outbound transfer from unusual hosts.
- Ensure PoS and payment-segment telemetry is actually centralized; many programs have strong corporate endpoint visibility but weak coverage on payment systems.
- Review false positives around legitimate remote support, system administration, vulnerability scanning, and directory queries, but require strong justification for privileged activity touching payment or domain-control assets.
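The chain detection described above, as an added example written for this page (not code from ATT&CK, Glexia, or any FIN6 reporting): it classifies constructed Windows events into stages, drops activity from an assumed allow-list of admin hosts, and alerts only when a user's stages appear in chain order within a time window. The event field names, hostnames, users, IP addresses and the PoS naming prefix are assumptions; the renamed-PsExec check mirrors the "psexec" to "mstdc" service masquerade listed in the technique table.

```python
"""Chain-correlate FIN6-style activity across constructed Windows telemetry.

Added example for this page, not code from ATT&CK or FIN6 reporting. The
records below are constructed to resemble Security log 4688 (process
creation), 4624 (logon), System log 7045 (service install) and a proxy
record; hostnames, users, IPs and field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed sample telemetry, one dict per event
    {"ts": "2024-03-01T09:00:00", "host": "CORP-WS-12", "user": "j.doe", "event_id": 4688,
     "cmdline": "C:\\Temp\\adfind.exe -f objectcategory=computer"},
    {"ts": "2024-03-01T09:04:00", "host": "CORP-WS-12", "user": "j.doe", "event_id": 4688,
     "cmdline": "wce.exe -w"},
    {"ts": "2024-03-01T09:20:00", "host": "POS-REG-03", "user": "j.doe", "event_id": 4624,
     "logon_type": 10, "src_ip": "10.10.5.12"},
    {"ts": "2024-03-01T09:21:00", "host": "POS-REG-03", "user": "SYSTEM", "event_id": 7045,
     "service_name": "mstdc", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-03-01T09:40:00", "host": "POS-REG-03", "user": "j.doe", "event_id": "proxy",
     "method": "POST", "url": "http://203.0.113.7/upload", "bytes_out": 2_400_000},
    # Same discovery tool on an approved admin host: tuned out, not alerted.
    {"ts": "2024-03-01T11:00:00", "host": "ADMIN-JUMP-01", "user": "svc_admin", "event_id": 4688,
     "cmdline": "adfind.exe -f objectcategory=computer"},
]

APPROVED_ADMIN_HOSTS = {"ADMIN-JUMP-01"}   # assumed allow-list used for tuning
PAYMENT_HOST_PREFIX = "POS-"               # assumed naming convention for PoS hosts
CHAIN = ["discovery", "credential_access", "lateral_movement", "exfiltration"]


def classify(ev):
    """Map one event to a behavioural stage, or None if it is not of interest."""
    eid = ev["event_id"]
    cmd = ev.get("cmdline", "").lower()
    if eid == 4688 and "adfind" in cmd:
        return "discovery"
    if eid == 4688 and any(t in cmd for t in ("wce.exe", "mimikatz", "sekurlsa")):
        return "credential_access"
    if eid == 4624 and ev.get("logon_type") == 10:          # RDP logon
        return "lateral_movement"
    if (eid == 7045 and "PSEXESVC" in ev.get("image_path", "").upper()
            and ev.get("service_name", "").lower() != "psexesvc"):
        return "masqueraded_service"                        # PsExec under a renamed service
    if (eid == "proxy" and ev.get("method") == "POST"
            and ev.get("url", "").startswith("http://") and ev.get("bytes_out", 0) > 1_000_000):
        return "exfiltration"                               # large cleartext upload
    return None


def masqueraded_services(events):
    """Hosts where PSEXESVC.exe was installed under a non-default service name."""
    return [(ev["host"], ev["service_name"]) for ev in events
            if classify(ev) == "masqueraded_service"]


def correlate(events, window=timedelta(hours=2), min_stages=3):
    """Report users who hit at least min_stages of CHAIN, in order, inside window.

    Events from approved admin hosts are dropped before correlation, which is
    the tuning the page describes for dual-use tools."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["host"] in APPROVED_ADMIN_HOSTS:
            continue
        stage = classify(ev)
        if stage in CHAIN:
            by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), stage, ev["host"]))

    alerts = []
    for user, items in by_user.items():
        first_seen = {}                       # stage -> (timestamp, host) of first occurrence
        for ts, stage, host in items:
            first_seen.setdefault(stage, (ts, host))
        hit = [s for s in CHAIN if s in first_seen]
        times = [first_seen[s][0] for s in hit]
        # Require the stages to appear in chain order, not merely to co-occur.
        if len(hit) >= min_stages and times == sorted(times) and times[-1] - times[0] <= window:
            hosts = sorted({first_seen[s][1] for s in hit})
            alerts.append({"user": user, "stages": hit, "hosts": hosts,
                           "payment_segment": any(h.startswith(PAYMENT_HOST_PREFIX) for h in hosts)})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
    print(masqueraded_services(EVENTS))
```

Run against the constructed events, the correlation raises one alert for j.doe spanning a corporate workstation and a PoS register, while the identical AdFind command from the approved jump host produces nothing; the renamed PsExec service is reported separately because the 7045 record is attributed to SYSTEM rather than to the operator. Keying on user rather than host is what lets the chain follow the operator from the corporate segment into the payment segment.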
Mitigation priorities
- Start with segmentation and access control around PoS/payment systems, including strict administrative paths from corporate Windows environments.
- Reduce credential theft risk by hardening privileged access, limiting credential exposure on endpoints, and monitoring domain controller access.
- Constrain and govern remote administration channels such as RDP, WMI, and PsExec-style execution with logging, approval, and least privilege.
- Maintain tested incident response and recovery plans for ransomware scenarios reflected in the related software relationships.
- Improve egress monitoring and control for unencrypted exfiltration paths, especially from sensitive business and payment environments.
Analyst notes and limits
The strongest business reading is payment-card theft risk in retail and hospitality, expanded by ATT&CK relationships showing credential access, remote movement, backdoors, PoS malware, and ransomware tooling. This should drive a practical control review across payment segmentation, Active Directory, Windows endpoint monitoring, and recovery readiness rather than a narrow IOC exercise.
The FIN6 intrusion-set record does not specify platforms, tactics, labels, or official detection guidance. Platform and behavior direction above is derived from supplied relationships to ATT&CK software and techniques. Local exposure, current activity, vendor coverage, and whether FIN6-relevant behaviors are present in a specific environment require organization-specific evidence.
FIN6
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1560.003 | Archive via Custom Method Sub-technique | FIN6 has encoded data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key, and Base64 with character permutation. (Citation: FireEye FIN6 April 2016) (Citation: Trend Micro FIN6 October 2019) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | FIN6 has targeted victims with e-mails containing malicious attachments. (Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1685 | Disable or Modify Tools | FIN6 has deployed a utility script named |
| Enterprise | T1087.002 | Domain Account Sub-technique | |
| Enterprise | T1059 | Command and Scripting Interpreter | FIN6 has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files. (Citation: FireEye FIN6 April 2016) (Citation: FireEye FIN6 Apr 2019) |
| Enterprise | T1572 | Protocol Tunneling | FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers. (Citation: FireEye FIN6 April 2016) |
| Enterprise | T1213.006 | Databases Sub-technique | FIN6 has collected schemas and user accounts from systems running SQL Server. (Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | FIN6 has used encoded PowerShell commands. (Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1059.007 | JavaScript Sub-technique | FIN6 has used malicious JavaScript to steal payment card data from e-commerce sites. (Citation: Trend Micro FIN6 October 2019) |
| Enterprise | T1102 | Web Service | FIN6 has used Pastebin and Google Storage to host content for their operations. (Citation: FireEye FIN6 Apr 2019) |
| Enterprise | T1005 | Data from Local System | FIN6 has collected and exfiltrated payment card data from compromised systems. (Citation: Trend Micro FIN6 October 2019) (Citation: RiskIQ British Airways September 2018) (Citation: RiskIQ Newegg September 2018) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD. (Citation: FireEye FIN6 April 2016) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | FIN6 has used |
| Enterprise | T1588.002 | Tool Sub-technique | FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind. (Citation: Security Intelligence More Eggs Aug 2019) (Citation: FireEye FIN6 Apr 2019) |
| Enterprise | T1070.004 | File Deletion Sub-technique | FIN6 has removed files from victim machines. (Citation: FireEye FIN6 April 2016) |
| Enterprise | T1003.003 | NTDS Sub-technique | |
| Enterprise | T1134 | Access Token Manipulation | FIN6 has used Metasploit's named-pipe impersonation technique to escalate privileges. (Citation: FireEye FIN6 Apr 2019) |
| Enterprise | T1068 | Exploitation for Privilege Escalation | FIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges. (Citation: FireEye FIN6 April 2016) |
| Enterprise | T1204.002 | Malicious File Sub-technique | FIN6 has used malicious documents to lure victims into allowing execution of PowerShell scripts. (Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | FIN6 has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows service. (Citation: FireEye FIN6 Apr 2019) |
| Enterprise | T1566.003 | Spearphishing via Service Sub-technique | FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets. (Citation: Security Intelligence More Eggs Aug 2019) |
| Enterprise | T1059.001 | PowerShell Sub-technique | FIN6 has used PowerShell to gain access to merchants' networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener. (Citation: FireEye FIN6 April 2016) (Citation: FireEye FIN6 Apr 2019) (Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1560 | Archive Collected Data | Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration. (Citation: FireEye FIN6 April 2016) |
| Enterprise | T1553.002 | Code Signing Sub-technique | FIN6 has used Comodo code-signing certificates. (Citation: Security Intelligence More Eggs Aug 2019) |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | FIN6 used RDP to move laterally in victim networks. (Citation: FireEye FIN6 April 2016) (Citation: FireEye FIN6 Apr 2019) |
| Enterprise | T1119 | Automated Collection | FIN6 has used a script to iterate through a list of compromised PoS systems, copy and remove data to a log file, and to bind to events from the submit payment button. (Citation: FireEye FIN6 April 2016) (Citation: Trend Micro FIN6 October 2019) |
| Enterprise | T1018 | Remote System Discovery | FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS. (Citation: FireEye FIN6 April 2016) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS. (Citation: FireEye FIN6 April 2016) |
| Enterprise | T1569.002 | Service Execution Sub-technique | FIN6 has created Windows services to execute encoded PowerShell commands. (Citation: FireEye FIN6 Apr 2019) |
| Enterprise | T1046 | Network Service Discovery | FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS. (Citation: FireEye FIN6 April 2016) |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique | FIN6 has sent stolen payment card data to remote servers via HTTP POSTs. (Citation: Trend Micro FIN6 October 2019) |
| Enterprise | T1047 | Windows Management Instrumentation | FIN6 has used WMI to automate the remote execution of PowerShell scripts. (Citation: Security Intelligence More Eggs Aug 2019) |
| Enterprise | T1110.002 | Password Cracking Sub-technique | FIN6 has extracted password hashes from ntds.dit to crack offline. (Citation: FireEye FIN6 April 2016) |
| Enterprise | T1555 | Credentials from Password Stores | FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP. (Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1095 | Non-Application Layer Protocol | FIN6 has used Metasploit Bind and Reverse TCP stagers. (Citation: Trend Micro FIN6 October 2019) |
| Enterprise | T1078 | Valid Accounts | To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes. (Citation: FireEye FIN6 April 2016) (Citation: FireEye FIN6 Apr 2019) (Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers. (Citation: FireEye FIN6 April 2016) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | FIN6 has used Windows Credential Editor for credential dumping. (Citation: FireEye FIN6 April 2016) (Citation: FireEye FIN6 Apr 2019) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | FIN6 has used the Stealer One credential stealer to target web browsers. (Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1074.002 | Remote Data Staging Sub-technique | FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration. (Citation: FireEye FIN6 April 2016) |
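The T1560.003 row above describes collected data encoded with single-byte XOR (key 0xAA) and Base64 over a permuted alphabet. The following is an added example for this page, not code from ATT&CK or from any FIN6 sample: it implements that layering so an analyst can recognise the blob shape, and shows how the XOR key is recovered from an unknown capture by scoring each of the 256 candidates for track-2 plausibility (digit density, a parsable PAN=YYMM layout, Luhn check, valid month). The alphabet permutation, helper names and the sample record (built on the public 4111... test PAN) are constructed; a real sample's alphabet would be lifted from the encoder routine.

```python
"""Decode and key-recover FIN6-style custom-encoded collection data (T1560.003).

Added example for this page, not code from ATT&CK or a FIN6 sample. The cited
reporting describes single-byte XOR with key 0xAA and Base64 over a permuted
alphabet; the permutation below, the helper names and the sample track-2
record (built on the well-known 4111... test PAN) are constructed. Key
recovery is a generic analyst technique for any single-byte XOR layer.
"""
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
CUSTOM_ALPHABET = STD_ALPHABET[::-1]   # assumed permutation; a real one comes from the encoder
_TO_STD = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)
_TO_CUSTOM = str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encode(plaintext: bytes, key: int = 0xAA) -> str:
    """XOR with a single byte, then Base64 with the permuted alphabet."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode().translate(_TO_CUSTOM)


def decode(blob: str, key: int = 0xAA) -> bytes:
    """Inverse of encode(): undo the alphabet permutation, Base64-decode, XOR."""
    return xor_bytes(base64.b64decode(blob.translate(_TO_STD)), key)


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def parse_track2(candidate: bytes):
    """Return (PAN, YYMM) if candidate reads as track-2 data 'PAN=YYMM...', else None."""
    text = candidate.decode("ascii", errors="replace")
    if "=" not in text:
        return None
    pan, rest = text.split("=", 1)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and len(rest) >= 4 and rest[:4].isdigit()):
        return None
    if not luhn_ok(pan) or not 1 <= int(rest[2:4]) <= 12:
        return None
    return pan, rest[:4]


def score(candidate: bytes) -> float:
    """Track-likeness: share of digits/separators plus a bonus for a parsable record."""
    frac = sum(chr(b) in "0123456789=^" for b in candidate) / max(len(candidate), 1)
    return frac + (1.0 if parse_track2(candidate) else 0.0)


def recover_key(blob: str) -> int:
    """Try all 256 single-byte keys on the Base64-decoded data; keep the most track-like."""
    raw = base64.b64decode(blob.translate(_TO_STD))
    return max(range(256), key=lambda k: score(xor_bytes(raw, k)))


SAMPLE = b"4111111111111111=25121010000000000000"   # constructed; test PAN, not a real card

if __name__ == "__main__":
    blob = encode(SAMPLE)
    key = recover_key(blob)
    print(blob, hex(key), decode(blob, key))
```

Digit density alone is not enough: a few wrong keys map every digit onto another digit and tie on that score, which is why the scorer also demands a record that parses with a valid Luhn PAN and month. The same brute force works for any single-byte XOR key, so the scorer, not the 0xAA constant, is the reusable part.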
Groups, software, and campaigns
S0381: FlawedAmmyy
FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.[1]
S0632: GrimAgent
GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2020; it is likely used by FIN6 and Wizard Spider.[1]
S0503: FrameworkPOS
FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from systems that run physical POS devices.[1]
S0284: More_eggs
More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4.[1][2]
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0005: Windows Credential Editor
Windows Credential Editor is a password dumping tool. [1]
S0552: AdFind
S0029: PsExec
S0449: Maze
S0372: LockerGoga
LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.[1][2]
S0446: Ryuk
S0002: Mimikatz
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 4.0 | | Current bundle | 65d27d5cdb3e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye FIN6 April 2016: FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved November 17, 2024.
[2] FireEye FIN6 Apr 2019: McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
[3] Camouflage Tempest (Citation: Microsoft Threat Actor Naming July 2023)
[4] Crowdstrike Global Threat Report Feb 2018: CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
[5] FIN6 (Citation: FireEye FIN6 April 2016)
[6] ITG08 (Citation: Security Intelligence More Eggs Aug 2019)
[7] Magecart Group 6 (Citation: Security Intelligence ITG08 April 2020)
[8] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[9] Security Intelligence ITG08 April 2020: Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020.
[10] Security Intelligence More Eggs Aug 2019: Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
[11] Skeleton Spider (Citation: Crowdstrike Global Threat Report Feb 2018)
[12] TAAL (Citation: Microsoft Threat Actor Naming July 2023)
[13] mitre-attack G0037
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.