G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
Analyst context for executives and security teams
FIN7 matters because MITRE describes it as a financially motivated group with a long operating history, broad U.S. industry targeting, prior point-of-sale malware use, and a shift since 2020 toward big-game hunting and ransomware activity. For leaders, the decision point is not whether FIN7 is “in the environment,” but whether defenses can withstand the behaviors associated with the group: credential theft, remote access tooling, lateral movement over RDP/SSH, Active Directory discovery, PowerShell backdoors, command-and-control resilience, data collection, and ransomware-stage disruption.
Executive priority
Treat FIN7 as a resilience and readiness benchmark for financially motivated intrusion chains. Organizations in retail, hospitality, financial services, healthcare-related equipment, cloud services, transportation, pharmaceutical, utilities, and other listed sectors should ask whether identity controls, endpoint visibility, POS/system segmentation, ransomware recovery, and incident response evidence are strong enough to support fast decisions during a financially motivated intrusion. Budget priority should favor controls that reduce credential abuse, remote access exposure, uncontrolled scripting, and ransomware blast radius.
Technical view
MITRE provides no group-level detection text and no group-level platforms or tactics, so validation should be driven by the documented relationships. Related software includes Mimikatz, Carbanak, POWERSOURCE, TEXTMATE, HALFBAKED, Cobalt Strike, PowerSploit, SQLRat, BOOSTWRITE, RDFSNIFFER, GRIFFON, Maze, CrackMapExec, REvil, Pillowmint, AdFind, JSS Loader, Lizar, and SystemBC. Related techniques include local data collection, fallback command-and-control channels, RDP lateral movement, and SSH lateral movement. SOC and IR teams should verify visibility across Windows-heavy endpoint activity, PowerShell and script execution, credential access indicators, Active Directory enumeration, remote access sessions, database or SQL-script abuse where relevant, POS environments where present, network C2/proxy behavior, and ransomware precursor activity.
Likely telemetry
- Endpoint process creation, command-line, module load, DLL search-order, and persistence-related events on Windows systems
- PowerShell, script block, VBS, macro-enabled document handling, and memory-resident backdoor indicators where logging is enabled
- Authentication logs for Windows accounts, privileged accounts, RDP sessions, and SSH sessions on Linux, macOS, ESXi, or network-adjacent systems where applicable
- Active Directory query and enumeration evidence, including command-line tooling consistent with directory discovery
- Credential access telemetry relevant to tools such as Mimikatz and post-exploitation frameworks
Detection direction
- Because MITRE does not provide official detection guidance for this group object, map detections to the related software and techniques rather than relying on the group name alone.
- Validate coverage for credential dumping, Active Directory enumeration, remote access tool use, PowerShell-based backdoors, commercial/offensive security frameworks, and ransomware precursor behaviors.
- Tune detections to distinguish authorized administration and penetration testing tools from suspicious use; several related tools have legitimate security or administrative uses, including Cobalt Strike, PowerSploit, CrackMapExec, and AdFind.
- Correlate RDP/SSH logons with account context, source geography/network zone, device role, privilege level, and follow-on execution rather than alerting on protocol use alone.
- Review blind spots in POS networks, database servers, remote IT management paths, unmanaged endpoints, cloud-hosted workloads, and systems where PowerShell or endpoint logging is limited.
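As an added example (not MITRE's or Glexia's code), the Python below applies that direction to constructed Windows records: it matches command lines that the techniques table on this page attributes to FIN7 (quser, net group "domain admins" /domain, tasklist /v, net time, csvde, sc start sshd, attrib +h on C:\ProgramData\ssh, firewall rules for ports 59999/9898, the AdobeFlashSync task) and then grades each host/user cluster by account authorization, host role and RDP source network rather than by the command alone. Host names, accounts, IP addresses, the admin network prefix and the severity thresholds are assumptions.

```python
"""Detection sketch for FIN7-associated procedures listed on this page.
Added example, not MITRE's or Glexia's code; every record below is constructed
(process creation with command line; Security 4624 logon type 10 = RDP)."""
import re

# (regex over the command line, ATT&CK ID from the techniques table, label)
RULES = [
    (r'\bquser\b', "T1033", "user session discovery"),
    (r'\bnet\s+group\s+"?domain admins"?\s+/domain\b', "T1069.002", "domain admins enumeration"),
    (r'\btasklist\s+/v\b', "T1057", "verbose process listing"),
    (r'\bnet\s+time\b', "T1124", "system time discovery"),
    (r'\bcsvde(\.exe)?\b', "T1087.002", "directory export via csvde"),
    (r'\bsc\s+start\s+sshd\b', "T1569.002", "sshd service start"),
    (r'\battrib\s+\+h\s+"?c:\\programdata\\ssh\b', "T1564.001", "hidden SSH folder"),
    (r'\bnetsh\s+advfirewall\b.*\b(59999|9898)\b', "T1686", "firewall rule for port 59999/9898"),
    (r'\bschtasks\b.*\badobeflashsync\b', "T1036.004", "AdobeFlashSync scheduled task"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), tid, label) for p, tid, label in RULES]

# Assumed (hypothetical) environment context: host roles, authorized admin
# accounts, and the network prefix that admin jump hosts connect from.
HOST_ROLE = {"POS-TERM-07": "pos", "ADMIN-JUMP-01": "admin-jump"}
AUTHORIZED_ADMINS = {"CORP\\admin-ops"}
ADMIN_NET_PREFIX = "10.10.0."
RDP_WINDOW_SECONDS = 600

PROCESS_EVENTS = [  # constructed; ts is seconds since an arbitrary epoch
    {"ts": 100, "host": "POS-TERM-07", "user": "CORP\\jdoe", "cmd": "cmd.exe /C quser"},
    {"ts": 130, "host": "POS-TERM-07", "user": "CORP\\jdoe", "cmd": 'net group "domain admins" /domain'},
    {"ts": 160, "host": "POS-TERM-07", "user": "CORP\\jdoe", "cmd": "tasklist /v"},
    {"ts": 200, "host": "POS-TERM-07", "user": "CORP\\jdoe",
     "cmd": "netsh advfirewall firewall add rule name=upd dir=in action=allow protocol=TCP localport=59999"},
    {"ts": 300, "host": "POS-TERM-07", "user": "CORP\\jdoe", "cmd": 'attrib +h "C:\\ProgramData\\ssh"'},
    {"ts": 220, "host": "ADMIN-JUMP-01", "user": "CORP\\admin-ops", "cmd": 'net group "Domain Admins" /domain'},
    {"ts": 250, "host": "FILE-SRV-02", "user": "CORP\\svc-backup", "cmd": "robocopy D:\\data E:\\bak /MIR"},
]
LOGON_EVENTS = [  # constructed Security 4624 records; logon_type 10 = RemoteInteractive (RDP)
    {"ts": 90, "host": "POS-TERM-07", "user": "CORP\\jdoe", "logon_type": 10, "src_ip": "10.40.2.15"},
    {"ts": 210, "host": "ADMIN-JUMP-01", "user": "CORP\\admin-ops", "logon_type": 10, "src_ip": "10.10.0.5"},
]

def match_command(cmd):
    """Return (technique ID, label) for every rule that matches this command line."""
    return [(tid, label) for rx, tid, label in COMPILED if rx.search(cmd)]

def preceding_rdp_logon(evt, logon_events):
    """Most recent RDP logon for the same host and user inside the window, or None."""
    found = [l for l in logon_events
             if l["host"] == evt["host"] and l["user"] == evt["user"]
             and l["logon_type"] == 10 and 0 <= evt["ts"] - l["ts"] <= RDP_WINDOW_SECONDS]
    return max(found, key=lambda l: l["ts"]) if found else None

def run_detection(process_events, logon_events):
    """Cluster matched procedures per (host, user) and grade them by context
    (RDP source network, host role, account), not by the command line alone."""
    alerts = {}
    for evt in process_events:
        hits = match_command(evt["cmd"])
        if not hits:
            continue
        key = (evt["host"], evt["user"])
        alert = alerts.setdefault(key, {"host": evt["host"], "user": evt["user"],
                                        "techniques": set(), "reasons": set()})
        alert["techniques"].update(tid for tid, _ in hits)
        logon = preceding_rdp_logon(evt, logon_events)
        if logon and not logon["src_ip"].startswith(ADMIN_NET_PREFIX):
            alert["reasons"].add(f"RDP session from non-admin source {logon['src_ip']}")
    for alert in alerts.values():
        if HOST_ROLE.get(alert["host"]) == "pos":
            alert["reasons"].add("discovery or configuration change on a POS host")
        if alert["user"] not in AUTHORIZED_ADMINS:
            alert["reasons"].add("account is not an authorized administrator")
        # Dual-use commands from an authorized admin on an admin host stay low;
        # context plus a chain of distinct techniques escalates to high.
        alert["severity"] = ("high" if alert["reasons"] and len(alert["techniques"]) >= 2
                             else "medium" if alert["reasons"] else "low")
    return alerts
```

Running `run_detection(PROCESS_EVENTS, LOGON_EVENTS)` yields a high-severity cluster for the POS host (five technique IDs, RDP from outside the admin prefix, non-admin account) and a low-severity one for the authorized admin on the jump host; the backup job matches nothing.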
Mitigation priorities
- Prioritize identity hardening: privileged account reduction, strong authentication for remote access, credential hygiene, and monitoring for credential dumping and abnormal account use.
- Reduce remote access risk by limiting RDP and SSH exposure, enforcing administrative access paths, and monitoring interactive logons to sensitive systems.
- Harden endpoints against unauthorized scripting, macro/VBS abuse, suspicious PowerShell behavior, DLL search-order abuse, and unapproved post-exploitation tooling.
- Segment and monitor POS, payment, server, backup, and high-value business systems to limit lateral movement and ransomware blast radius.
- Maintain tested incident response and ransomware recovery procedures, including offline or protected backups and evidence collection plans for endpoint, identity, network, and data access telemetry.
Analyst notes and limits
The most useful defensive value of this object is as a threat-informed control validation profile. FIN7 is associated in ATT&CK with financially motivated activity, broad industry targeting, point-of-sale malware, remote access and post-exploitation tooling, credential theft, lateral movement, data collection, and ransomware families including REvil and Maze. The Carbanak linkage is explicitly qualified by MITRE: multiple groups have used Carbanak, so defenders should avoid over-attributing based on that malware alone.
Official group-level detection, tactics, and platforms are not provided in the supplied object. Platform and behavior guidance here is inferred only from the supplied relationship context and related software/technique descriptions. Local relevance depends on the organization’s sector, POS footprint, Windows/Linux/macOS/ESXi exposure, remote access architecture, logging maturity, and whether named dual-use tools are authorized in the environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.001 | Malicious Link Sub-technique | FIN7 has used malicious links to lure victims into downloading malware. (Citation: CrowdStrike Carbon Spider August 2021) |
| Enterprise | T1553.002 | Code Signing Sub-technique | |
| Enterprise | T1078 | Valid Accounts | FIN7 has harvested valid administrative credentials for lateral movement. (Citation: CrowdStrike Carbon Spider August 2021) |
| Enterprise | T1059 | Command and Scripting Interpreter | FIN7 used SQL scripts to help perform tasks on the victim's machine. (Citation: FireEye FIN7 Aug 2018) (Citation: Flashpoint FIN 7 March 2019) |
| Enterprise | T1021.004 | SSH Sub-technique | FIN7 has used SSH to move laterally through victim environments. (Citation: CrowdStrike Carbon Spider August 2021) |
| Enterprise | T1190 | Exploit Public-Facing Application | FIN7 has compromised targeted organizations through exploitation of CVE-2021-31207 in Exchange. (Citation: Microsoft Ransomware as a Service) |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | FIN7 has used random junk code to obfuscate malware code. (Citation: Mandiant FIN7 Apr 2022) |
| Enterprise | T1608.005 | Link Target Sub-technique | FIN7 has created a fake link that redirected to an adversary-controlled Dropbox that downloaded the malicious executable. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1033 | System Owner/User Discovery | FIN7 has used the command `cmd.exe /C quser` to collect user session information. (Citation: Mandiant FIN7 Apr 2022) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | |
| Enterprise | T1021.005 | VNC Sub-technique | FIN7 has used TightVNC to control compromised hosts. (Citation: CrowdStrike Carbon Spider August 2021) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | FIN7 has attempted to run Darkside ransomware with the filename sleep.exe. (Citation: CrowdStrike Carbon Spider August 2021) Additionally, FIN7 has mimicked WsTaskLoad.exe, which is associated with the Wondershare software suite, by using a malicious executable under the same name. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1564.003 | Hidden Window Sub-technique | FIN7 has used .txt files to conceal PowerShell commands. (Citation: Gemini_FIN7_Jan2022) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence. (Citation: Morphisec FIN7 June 2017) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | FIN7 has used `rundll32.exe` to execute malware on a compromised network. (Citation: Mandiant FIN7 Apr 2022) |
| Enterprise | T1047 | Windows Management Instrumentation | FIN7 has used WMI to install malware on targeted systems. (Citation: eSentire FIN7 July 2021) |
| Enterprise | T1620 | Reflective Code Loading | FIN7 has loaded a .NET assembly into the current execution context via `Reflection.Assembly::Load`. (Citation: Gemini_FIN7_Jan2022) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | FIN7 used VBS scripts to help perform tasks on the victim's machine. (Citation: FireEye FIN7 Aug 2018) (Citation: Flashpoint FIN 7 March 2019) (Citation: CrowdStrike Carbon Spider August 2021) |
| Enterprise | T1219 | Remote Access Tools | FIN7 has utilized the remote management tool Atera to download malware to a compromised system. (Citation: Mandiant FIN7 Apr 2022) |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | FIN7 has used `attrib +h "C:\ProgramData\ssh"` to make the SSH folder hidden. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1059.001 | PowerShell Sub-technique | FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload. (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FBI Flash FIN7 USB) (Citation: Mandiant FIN7 Apr 2022) (Citation: Gemini_FIN7_Jan2022) Additionally, FIN7 has executed a custom obfuscation of the shellcode invoker in PowerSploit called POWERTRASH. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1572 | Protocol Tunneling | FIN7 has tunneled C2 traffic via OpenSSH. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1546.011 | Application Shimming Sub-technique | FIN7 has used application shim databases for persistence. (Citation: FireEye FIN7 Shim Databases) |
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | FIN7 spear phishing campaigns have included malicious Word documents with DDE execution. (Citation: CyberScoop FIN7 Oct 2017) |
| Enterprise | T1069.002 | Domain Groups Sub-technique | FIN7 has used the command `net group "domain admins" /domain` to enumerate domain groups. (Citation: Mandiant FIN7 Apr 2022) (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | FIN7 has used RDP to move laterally in victim environments. (Citation: CrowdStrike Carbon Spider August 2021) |
| Enterprise | T1674 | Input Injection | FIN7 has used malicious USBs to emulate keystrokes to launch PowerShell to download and execute malware from the adversary's server. (Citation: FBI Flash FIN7 USB) (Citation: Gemini_FIN7_Jan2022) |
| Enterprise | T1486 | Data Encrypted for Impact | |
| Enterprise | T1588.002 | Tool Sub-technique | FIN7 has utilized a variety of tools such as Cobalt Strike, PowerSploit, and the remote management tool Atera for targeting efforts. (Citation: Mandiant FIN7 Apr 2022) |
| Enterprise | T1591 | Gather Victim Org Information | FIN7 has compiled a list of victims by filtering companies by revenue using Zoominfo, which is a service that provides business information. (Citation: BiZone Lizar May 2021) |
| Enterprise | T1569.002 | Service Execution Sub-technique | FIN7 has started the SSH service by executing `sc start sshd`. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1583.006 | Web Services Sub-technique | FIN7 has set up Amazon S3 buckets to host trojanized digital products. (Citation: Mandiant FIN7 Apr 2022) |
| Enterprise | T1497.002 | User Activity Based Checks Sub-technique | FIN7 used images embedded into document lures that only activate the payload when a user double-clicks, to avoid sandboxes. (Citation: FireEye FIN7 April 2017) |
| Enterprise | T1059.007 | JavaScript Sub-technique | FIN7 used JavaScript scripts to help perform tasks on the victim's machine. (Citation: FireEye FIN7 Aug 2018) (Citation: Flashpoint FIN 7 March 2019) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder. (Citation: FireEye FIN7 April 2017) (Citation: FireEye FIN7 Aug 2018) |
| Enterprise | T1608.004 | Drive-by Target Sub-technique | FIN7 has compromised a digital product website and modified multiple download links to point to trojanized versions of offered digital products. (Citation: Mandiant FIN7 Apr 2022) |
| Enterprise | T1686 | Disable or Modify System Firewall | FIN7 has added a firewall rule to allow TCP port 59999 inbound and a rule to allow sshd.exe on TCP port 9898. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1082 | System Information Discovery | FIN7 has used csvde.exe, which is a built-in Windows command line tool, to export system information. Additionally, WsTaskLoad has gathered system information, such as operating system and hostname. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1125 | Video Capture | FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment. (Citation: FireEye FIN7 Aug 2018) (Citation: DOJ FIN7 Aug 2018) |
| Enterprise | T1571 | Non-Standard Port | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye FIN7 Aug 2018) (Citation: CrowdStrike Carbon Spider August 2021) |
| Enterprise | T1087.002 | Domain Account Sub-technique | FIN7 has used the PowerShell script 3CF9.ps1 and the executable WsTaskLoad to enumerate domain administrators by executing `net group "Domain Admins" /domain`. (Citation: BlackBerry_FIN7_April2024) FIN7 has also used csvde.exe, which is a built-in Windows command line tool, to export Active Directory information. |
| Enterprise | T1204.002 | Malicious File Sub-technique | FIN7 lured victims to double-click on images in the attachments they sent, which would then execute the hidden LNK file. (Citation: FireEye FIN7 April 2017) (Citation: eSentire FIN7 July 2021) (Citation: CrowdStrike Carbon Spider August 2021) Additionally, FIN7 has used malicious Microsoft Word and Excel files and Leo VBS to distribute an updated version of JSS Loader and to distribute the Harpy backdoor. (Citation: Crowdstrike_CarbonSpider_Part2_Nov2024) |
| Enterprise | T1057 | Process Discovery | FIN7 has used the PowerShell script 3CF9.ps1 to perform process discovery by executing `tasklist /v`. Additionally, WsTaskLoad.exe executes `tasklist /v` to perform process discovery. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1218.005 | Mshta Sub-technique | FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems. (Citation: FireEye FIN7 April 2017) |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2. (Citation: FireEye FIN7 Aug 2018) |
| Enterprise | T1105 | Ingress Tool Transfer | FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload. (Citation: FireEye FIN7 April 2017) (Citation: DOJ FIN7 Aug 2018) (Citation: Mandiant FIN7 Apr 2022) (Citation: Gemini_FIN7_Jan2022) |
| Enterprise | T1078.003 | Local Accounts Sub-technique | FIN7 has used compromised credentials for access as SYSTEM on Exchange servers. (Citation: Microsoft Ransomware as a Service) |
| Enterprise | T1591.004 | Identify Roles Sub-technique | FIN7 has identified IT staff and employees who had higher levels of administrative rights. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1124 | System Time Discovery | FIN7 has used the PowerShell script 3CF9.ps1 to execute `net time`. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1583.001 | Domains Sub-technique | FIN7 has registered look-alike domains for use in phishing campaigns. (Citation: eSentire FIN7 July 2021) Additionally, FIN7 has registered a malicious domain as `advanced-ip-sccanner[.]com` that redirected to an adversary-controlled Dropbox which contained the malicious executable. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1005 | Data from Local System | FIN7 has collected files and other sensitive information from a compromised network. (Citation: CrowdStrike Carbon Spider August 2021) |
| Enterprise | T1543.003 | Windows Service Sub-technique | FIN7 created new Windows services and added them to the startup directories for persistence. (Citation: FireEye FIN7 Aug 2018) |
| Enterprise | T1091 | Replication Through Removable Media | FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations. (Citation: FBI Flash FIN7 USB) Additionally, FIN7 has used malicious USBs that acted as virtual keyboards to install malware and txt files that decode to PowerShell commands. (Citation: Gemini_FIN7_Jan2022) |
| Enterprise | T1071.004 | DNS Sub-technique | FIN7 has performed C2 using DNS via A, OPT, and TXT records. (Citation: FireEye FIN7 Aug 2018) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | FIN7 used the command prompt to launch commands on the victim's machine. (Citation: FireEye FIN7 Aug 2018) (Citation: Flashpoint FIN 7 March 2019) (Citation: Mandiant FIN7 Apr 2022) Additionally, FIN7 has used cmd.exe to open the Run dialog by sending the "Windows + R" keys through malicious USBs acting as virtual keyboards. (Citation: Gemini_FIN7_Jan2022) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached. (Citation: FireEye FIN7 April 2017) (Citation: DOJ FIN7 Aug 2018) (Citation: Flashpoint FIN 7 March 2019) (Citation: eSentire FIN7 July 2021) (Citation: CrowdStrike Carbon Spider August 2021) |
| Enterprise | T1608.001 | Upload Malware Sub-technique | |
| Enterprise | T1008 | Fallback Channels | FIN7's Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails. (Citation: Crowdstrike GTR2020 Mar 2020) |
| Enterprise | T1558.003 | Kerberoasting Sub-technique | FIN7 has used Kerberoasting PowerShell commands such as `Invoke-Kerberoast` for credential access and to enable lateral movement. (Citation: CrowdStrike Carbon Spider August 2021) (Citation: Mandiant FIN7 Apr 2022) |
| Enterprise | T1195.002 | Compromise Software Supply Chain Sub-technique | FIN7 has gained initial access by compromising a victim's software supply chain. (Citation: Mandiant FIN7 Apr 2022) |
Groups, software, and campaigns
S0417: GRIFFON
S0002: Mimikatz
S0552: AdFind
S0648: JSS Loader
JSS Loader is a Remote Access Trojan (RAT) with .NET and C++ variants that has been used by FIN7 since at least 2020.[1][2]
S0151: HALFBAKED
S0496: REvil
REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]
S0194: PowerSploit
PowerSploit is an open source, offensive security framework composed of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing, such as code execution, persistence, bypassing anti-virus, recon, and exfiltration.[1][2][3]
S0488: CrackMapExec
CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[1]
S0030: Carbanak
S0517: Pillowmint
Pillowmint is a point-of-sale malware used by FIN7 designed to capture credit card information.[1]
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0449: Maze
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 4.1 | | Current bundle | 9de71303cbad… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye FIN7 March 2017: Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
[2] FireEye FIN7 April 2017: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
[3] FireEye CARBANAK June 2017: Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
[4] FireEye FIN7 Aug 2018: Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
[5] CrowdStrike Carbon Spider August 2021: Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
[6] Mandiant FIN7 Apr 2022: Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
[7] BiZone Lizar May 2021: BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker's toolkit. Retrieved February 2, 2022.
[8] Carbon Spider (Citation: CrowdStrike Carbon Spider August 2021)
[9] ELBRUS (Citation: Microsoft Ransomware as a Service)
[10] FIN7 (Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)
[11] FireEye FIN7 Shim Databases: Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.
[12] GOLD NIAGARA (Citation: Secureworks GOLD NIAGARA Threat Profile)
[13] IBM Ransomware Trends September 2020: Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
[14] ITG14: ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046). (Citation: IBM Ransomware Trends September 2020)
[15] Microsoft Ransomware as a Service: Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
[16] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[17] Morphisec FIN7 June 2017: Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
[18] Sangria Tempest (Citation: Microsoft Threat Actor Naming July 2023)
[19] Secureworks GOLD NIAGARA Threat Profile: CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.
[20] mitre-attack G0046 (https://attack.mitre.org/groups/G0046)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.