MITRE ATT&CK® Group

G0053: FIN5

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. [1] [2] [3]

Enterprise · G0053 · Group · Object v1.2 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

FIN5 matters because ATT&CK describes it as a financially motivated group associated with targeting personally identifiable information and payment card information, especially in restaurant, gaming, and hotel environments. For leaders, the key issue is not just malware: the relationship set points to credential abuse, remote access, lateral movement, collection, log clearing, and POS-focused malware, which can turn weak identity controls and poor endpoint visibility into cardholder-data and privacy risk.

Executive priority

Prioritize validation around environments that store, process, or can reach payment card or PII data. Ask whether remote access, privileged account use, Windows administrative tools, POS systems, and event-log retention are governed well enough to support incident response and audit evidence. Because ATT&CK provides no official detection guidance for this group, coverage should be proven through local telemetry tests and control reviews rather than assumed from tool ownership.

Technical view

The supplied relationships emphasize credential dumping tools such as Windows Credential Editor and pwdump, valid account abuse, brute force, external remote services, PsExec-style remote execution, remote system discovery, command/script execution, local data staging, automated collection, external proxying, file deletion, Windows event-log clearing, and RawPOS/FLIPSIDE usage. SOC and IR teams should validate visibility across authentication, endpoint process execution, remote service access, administrative lateral movement, POS/cardholder-data environments, data staging, and log-tampering signals. Treat PsExec and Sysinternals utilities carefully because they can be legitimate administrative tools as well as attacker-used tools.

Likely telemetry

  • Authentication logs for VPN, remote access services, identity providers, privileged accounts, failed login patterns, and anomalous successful logins
  • Endpoint process creation and command-line telemetry, especially for scripting interpreters, credential dumping tools, PsExec-like execution, and Sysinternals utilities
  • Windows Security, System, and Application event logs, including evidence of log clearing or gaps in expected logging
  • Network telemetry for remote service access, internal discovery, lateral movement, and proxy-like outbound connections
  • File system telemetry for local staging directories, unusual file creation/copying, deletion activity, and secure-delete utility use

Detection direction

  • Start with identity-centric detections: unusual valid-account use, brute-force patterns, remote-service access from unexpected sources, and privileged account activity outside normal administration.
  • Tune lateral-movement analytics around PsExec-like behavior and remote execution, but account for legitimate IT administration to reduce false positives.
  • Validate endpoint rules for credential dumping tools and suspicious command/script interpreter use; do not rely only on file names because tools can be renamed.
  • Monitor for discovery followed by staging, collection, or outbound proxy-like traffic, as the relationships span discovery, collection, and command-and-control behaviors.
  • Create high-priority alerts for Windows event-log clearing or unexplained log gaps, especially on systems that access payment card or PII data.
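The detection direction above, worked through as an added example (this code is not from the Glexia page or from MITRE): three small rules run over constructed Windows event records, covering the brute-force-then-success pattern, PsExec-style remote service installation with an allowlist for known-good administration, and event-log clearing escalated on cardholder-data hosts. The event IDs used (4625 failed logon, 4624 successful logon, 7045 service installed, 1102 Security audit log cleared, 104 event log cleared) and the default PsExec service name PSEXESVC are real Windows and Sysinternals values; ADMIN_ACCOUNTS, CDE_HOSTS, the host names, accounts, IP addresses and every event in SAMPLE_EVENTS are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed assumptions (not from the page): accounts permitted to push
# services remotely, and the hosts that store or can reach cardholder data.
ADMIN_ACCOUNTS = {"CORP\\it-admin"}
CDE_HOSTS = {"POS-01", "POS-02"}
# PSEXESVC is the default service name PsExec installs; a customized build may
# use another name, so the rule below also keys on where the binary was dropped.
PSEXEC_SERVICE_NAMES = {"PSEXESVC"}

def _ev(ts, host, channel, event_id, **fields):
    """Build one constructed event record shaped like a parsed Windows log entry."""
    rec = {"ts": datetime.fromisoformat(ts), "host": host,
           "channel": channel, "event_id": event_id}
    rec.update(fields)
    return rec

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # five failures from one source within 80 seconds, then a success from it
    _ev("2024-05-01T02:00:00", "POS-01", "Security", 4625, user="svc_pos", src_ip="10.9.8.7"),
    _ev("2024-05-01T02:00:20", "POS-01", "Security", 4625, user="svc_pos", src_ip="10.9.8.7"),
    _ev("2024-05-01T02:00:40", "POS-01", "Security", 4625, user="svc_pos", src_ip="10.9.8.7"),
    _ev("2024-05-01T02:01:00", "POS-01", "Security", 4625, user="svc_pos", src_ip="10.9.8.7"),
    _ev("2024-05-01T02:01:20", "POS-01", "Security", 4625, user="svc_pos", src_ip="10.9.8.7"),
    _ev("2024-05-01T02:01:45", "POS-01", "Security", 4624, user="svc_pos", src_ip="10.9.8.7", logon_type=10),
    # PsExec-style service installs by a non-allowlisted account: one with the
    # default name, one renamed but still dropped into the Windows root (ADMIN$)
    _ev("2024-05-01T02:10:00", "POS-01", "System", 7045, user="CORP\\helpdesk",
        service_name="PSEXESVC", image_path="%SystemRoot%\\PSEXESVC.exe"),
    _ev("2024-05-01T02:11:00", "POS-02", "System", 7045, user="CORP\\helpdesk",
        service_name="WinUpdSvc", image_path="%SystemRoot%\\wupd.exe"),
    # Security log cleared on a cardholder-data host
    _ev("2024-05-01T02:40:00", "POS-01", "Security", 1102, user="CORP\\helpdesk"),
    # known-good administration: allowlisted account on a non-CDE host
    _ev("2024-05-01T09:00:00", "FS-02", "System", 7045, user="CORP\\it-admin",
        service_name="PSEXESVC", image_path="%SystemRoot%\\PSEXESVC.exe"),
]

def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source that logs >= threshold failed logons against one host inside
    `window`; escalate when a successful logon from that source follows in the window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e.get("src_ip"))
        if e["event_id"] == 4625:
            failures[key].append(e["ts"])
        elif e["event_id"] == 4624 and e.get("src_ip"):
            successes[key].append(e["ts"])
    alerts = []
    for (host, src), times in failures.items():
        for i, start in enumerate(times):
            # failures inside the window that opens at failure i (times are sorted)
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) < threshold:
                continue
            followed = any(in_window[-1] <= s <= start + window for s in successes[(host, src)])
            alerts.append({"rule": "brute_force", "host": host,
                           "severity": "high" if followed else "medium",
                           "followed_by_success": followed,
                           "detail": f"{len(in_window)} failed logons from {src}"})
            break  # one alert per (host, source) pair
    return alerts

def detect_remote_service_install(events):
    """Flag 7045 service installs that look like PsExec-style remote execution
    (default service name, or any binary placed directly in %SystemRoot%), unless
    the installing account is on the known-good administration allowlist."""
    alerts = []
    for e in events:
        if e["event_id"] != 7045 or e.get("user") in ADMIN_ACCOUNTS:
            continue
        name = e.get("service_name", "").upper()
        directory = e.get("image_path", "").rsplit("\\", 1)[0].lower()
        if name in PSEXEC_SERVICE_NAMES or directory == "%systemroot%":
            alerts.append({"rule": "psexec_style_service", "host": e["host"],
                           "severity": "high" if e["host"] in CDE_HOSTS else "medium",
                           "detail": f"service {e.get('service_name')} installed by {e.get('user')}"})
    return alerts

def detect_log_clearing(events):
    """Flag event-log clearing (1102 Security, 104 System) and treat it as
    critical on hosts that store or reach cardholder data."""
    return [{"rule": "event_log_cleared", "host": e["host"],
             "severity": "critical" if e["host"] in CDE_HOSTS else "high",
             "detail": f"{e['channel']} log cleared by {e.get('user')}"}
            for e in events if e["event_id"] in (1102, 104)]

def run_detections(events):
    """Run all three rules and return the alerts in rule order."""
    return (detect_brute_force(events) + detect_remote_service_install(events)
            + detect_log_clearing(events))

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a['severity']:>8}] {a['rule']:<22} {a['host']:<6} {a['detail']}")
```

On the sample data this yields four alerts: one brute-force alert escalated to high because the success followed the failures, two PsExec-style service installs (the renamed one is caught by its drop location, not its name), and one critical log-clearing alert on POS-01; the allowlisted install on FS-02 is suppressed. In a real deployment the allowlist and CDE host list would come from the CMDB or privileged-access tooling rather than constants, and the brute-force threshold and window would be tuned per remote-access service.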

Mitigation priorities

  • Harden identity first: enforce strong authentication for external remote services, reduce standing privilege, review service accounts, and monitor privileged access paths.
  • Restrict and monitor administrative remote execution tools; allow known-good administration patterns while alerting on unusual hosts, users, or execution contexts.
  • Protect credential material on Windows systems and prioritize controls that reduce credential dumping and reuse opportunities.
  • Segment POS and cardholder-data environments from general enterprise systems and limit which accounts and hosts can reach them.
  • Preserve incident evidence by centralizing logs, protecting log stores from local administrator tampering, and testing retention during IR exercises.

Analyst notes and limits

This take is based on the official FIN5 ATT&CK group description and supplied relationships. The object itself lists no platforms or tactics and provides no official detection text, so the technical framing is derived from related software and techniques rather than a complete ATT&CK procedure narrative.

Local exposure depends on whether the organization operates relevant payment card, PII, POS, hospitality, gaming, or restaurant environments and whether the referenced behaviors are observable in existing telemetry. The supplied data does not establish current activity, victim exposure, guaranteed detection logic, or complete platform scope for the group.

Official MITRE ATT&CK definition

FIN5

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. [1] [2] [3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

11 rows
Domain | ID | Name | Relationship / procedure

Enterprise | T1090.002 | External Proxy (sub-technique)
FIN5 maintains access to victim environments by using FLIPSIDE to create a proxy for a backup RDP tunnel. (Citation: Mandiant FIN5 GrrCON Oct 2016)

Enterprise | T1070.004 | File Deletion (sub-technique)
FIN5 uses SDelete to clean up the environment and attempt to prevent detection. (Citation: Mandiant FIN5 GrrCON Oct 2016)

Enterprise | T1074.001 | Local Data Staging (sub-technique)
FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment. (Citation: Mandiant FIN5 GrrCON Oct 2016)

Enterprise | T1059 | Command and Scripting Interpreter
FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results. (Citation: Mandiant FIN5 GrrCON Oct 2016)

Enterprise | T1018 | Remote System Discovery
FIN5 has used the open source tool Essential NetTools to map the network and build a list of targets. (Citation: Mandiant FIN5 GrrCON Oct 2016)

Enterprise | T1119 | Automated Collection
FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results. (Citation: Mandiant FIN5 GrrCON Oct 2016)

Enterprise | T1110 | Brute Force
FIN5 has used the tool GET2 Penetrator to look for remote login and hard-coded credentials. (Citation: DarkReading FireEye FIN5 Oct 2015; Mandiant FIN5 GrrCON Oct 2016)

Enterprise | T1685.005 | Clear Windows Event Logs (sub-technique)
FIN5 has cleared event logs from victims. (Citation: Mandiant FIN5 GrrCON Oct 2016)

Enterprise | T1588.002 | Tool (sub-technique)
FIN5 has obtained and used a customized version of PsExec, as well as other tools such as pwdump, SDelete, and Windows Credential Editor. (Citation: Mandiant FIN5 GrrCON Oct 2016)

Enterprise | T1133 | External Remote Services
FIN5 has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment. (Citation: FireEye Respond Webinar July 2017; DarkReading FireEye FIN5 Oct 2015; Mandiant FIN5 GrrCON Oct 2016)

Enterprise | T1078 | Valid Accounts
FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment. (Citation: FireEye Respond Webinar July 2017; DarkReading FireEye FIN5 Oct 2015; Mandiant FIN5 GrrCON Oct 2016)

Associated objects

Groups, software, and campaigns

S0029: PsExec | Tool | Enterprise | Platform: Windows

PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. [1][2]

S0195: SDelete | Tool | Enterprise | Platform: Windows

SDelete is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. [1]

S0169: RawPOS | Malware | Enterprise | Platform: Windows

RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. [1] [2] [3] FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. [4] [5]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 7549f0864252fadd...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | 7549f0864252…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye Respond Webinar July 2017: Scavella, T. and Rifki, A. (2017, July 20). Are you Ready to Respond? (Webinar). Retrieved October 4, 2017.
  2. [2] Mandiant FIN5 GrrCON Oct 2016: Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  3. [3] DarkReading FireEye FIN5 Oct 2015: Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.
  4. [4] FIN5: (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)
  5. [5] mitre-attack G0053

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.