G0061: FIN8
FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.[1][2][3][4]
Analyst context for executives and security teams
FIN8 is a financially motivated ATT&CK group associated with payment-card/POS activity and, per cited research, later distribution of ransomware variants. For leaders, the value of this object is less about a single indicator and more about validating whether the organization can detect and respond to a Windows-heavy intrusion path involving discovery, credential access, lateral movement, remote administration tools, backdoors, possible data theft, and ransomware-related activity.
Executive priority
Prioritize FIN8 as a resilience and payment/data-risk planning scenario for sectors named by ATT&CK: hospitality, retail, entertainment, insurance, technology, chemical, and financial organizations. Useful executive questions include: are POS and business Windows environments segmented; can the SOC see credential theft against LSASS, RDP/SMB lateral movement, WMI, PowerShell, scheduled tasks, and admin-tool abuse; and is incident response prepared for both payment-data theft and ransomware decision points? This object supports budget and audit discussions around identity controls, endpoint visibility, network segmentation, logging retention, and ransomware readiness, but it does not by itself prove exposure or current targeting of any specific organization.
Technical view
ATT&CK provides no group-level detection text and no group-level platform list, so defenders should anchor validation to the related software and techniques. FIN8 is related to Windows-oriented tools and behaviors including PsExec, Net, dsquery, Nltest, WMI, PowerShell, Windows Command Shell, scheduled tasks, RDP, SMB/admin shares, LSASS memory access, command obfuscation, APC injection, and backdoors such as PUNCHBUGGY, BADHATCH, and Sardonic. It is also related to PUNCHTRACK POS malware and Ragnar Locker ransomware. SOC and IR teams should test whether they can reconstruct an intrusion timeline across endpoint process activity, authentication, domain enumeration, lateral movement, persistence, exfiltration, and malware execution without relying on a single signature.
Likely telemetry
- Endpoint process creation and command-line logging for PowerShell, cmd, PsExec, Net, dsquery, Nltest, WMI, scheduled task creation, and unusual administrative execution
- Windows security logs and identity telemetry for logons, privileged account use, RDP sessions, SMB/admin share access, and domain enumeration patterns
- Endpoint detection telemetry for LSASS memory access, process injection/APC-style behavior, suspicious DLL/plugin loading, and backdoor execution indicators
- Network telemetry for internal discovery, ping/network probing, SMB/RDP movement, and outbound transfers over unencrypted non-C2 protocols such as HTTP, FTP, or DNS where applicable
- POS environment telemetry where POS networks exist, including host integrity, process execution, network segmentation evidence, and payment-system access patterns
Detection direction
- Because no official detection guidance is supplied for FIN8, validate detections against the related ATT&CK techniques rather than the group name alone.
- Tune for suspicious combinations: domain discovery with dsquery/Nltest/Net, followed by RDP/SMB or PsExec/WMI activity, followed by credential access or scheduled task creation.
- Treat legitimate administration tools as dual-use. Reduce false positives by baselining approved administrator hosts, service accounts, maintenance windows, and normal command-line patterns.
- Confirm visibility into command obfuscation for PowerShell and Windows Command Shell; simple string matching may miss altered or encoded commands.
- Validate controls for LSASS access and credential dumping attempts, especially where administrative privileges are common or poorly separated.
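The tuning guidance above (discovery, then lateral-movement tooling, then credential access or scheduled-task creation on one host, with approved administrator hosts baselined out) as an added correlation example; this is not part of the ATT&CK object or the Glexia analysis, and the process names, hostnames, sample events and two-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> process image names that indicate it (lowercase). Tune per environment.
STAGES = {
    "discovery": {"dsquery.exe", "nltest.exe", "net.exe", "net1.exe"},
    "lateral": {"psexec.exe", "psexesvc.exe", "wmic.exe", "mstsc.exe"},
    "cred_or_persist": {"procdump.exe", "schtasks.exe"},
}
ORDER = ["discovery", "lateral", "cred_or_persist"]  # required sequence
WINDOW = timedelta(hours=2)                            # max span of the whole chain

# Constructed sample events: (host, UTC timestamp, image, command line).
SAMPLE_EVENTS = [
    ("POS-WS01", "2024-03-01T09:00:00", "nltest.exe", "nltest /domain_trusts"),
    ("POS-WS01", "2024-03-01T09:05:00", "net.exe", 'net group "domain admins" /domain'),
    ("POS-WS01", "2024-03-01T09:20:00", "PsExec.exe", "psexec \\\\FILE01 cmd"),
    ("POS-WS01", "2024-03-01T09:40:00", "schtasks.exe", "schtasks /create /tn upd /tr rdp.bat"),
    ("ADMIN-JUMP", "2024-03-01T10:00:00", "dsquery.exe", "dsquery computer"),
    ("ADMIN-JUMP", "2024-03-01T10:10:00", "psexec.exe", "psexec \\\\APP02 ipconfig"),
    ("ADMIN-JUMP", "2024-03-01T10:15:00", "schtasks.exe", "schtasks /create /tn backup"),
    ("HR-WS07", "2024-03-01T11:00:00", "net.exe", "net use"),
    ("HR-WS07", "2024-03-01T15:00:00", "psexec.exe", "psexec \\\\HR-WS08 cmd"),
]
APPROVED_ADMIN_HOSTS = {"ADMIN-JUMP"}  # constructed baseline of sanctioned admin hosts

def stage_of(image):
    """Map a process image name to a chain stage, or None if not of interest."""
    name = image.lower()
    return next((s for s, imgs in STAGES.items() if name in imgs), None)

def correlate(events, approved_hosts=APPROVED_ADMIN_HOSTS, window=WINDOW):
    """Return {host: [(ts, stage, cmdline), ...]} for hosts completing the full
    sequence in order within `window`; baselined admin hosts are ignored."""
    per_host = defaultdict(list)
    for host, ts, image, cmdline in sorted(events, key=lambda e: e[1]):
        stage = stage_of(image)
        if stage and host not in approved_hosts:
            per_host[host].append((datetime.fromisoformat(ts), stage, cmdline))
    findings = {}
    for host, evs in per_host.items():
        chain = []
        for ts, stage, cmdline in evs:
            if chain and ts - chain[0][0] > window:
                chain = []  # window expired: the sequence must start over
            if stage == ORDER[len(chain)]:  # only the next expected stage advances
                chain.append((ts, stage, cmdline))
                if len(chain) == len(ORDER):
                    findings[host] = chain
                    break
    return findings
```

HR-WS07 shows discovery and lateral movement but four hours apart, so it falls outside the window and produces no finding; ADMIN-JUMP completes the chain but is suppressed by the baseline.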
Mitigation priorities
- Start with identity hardening: least privilege, separation of administrative accounts, strong authentication for remote access, and review of privileged service account use.
- Restrict and monitor lateral movement paths, especially RDP, SMB/admin shares, PsExec-style execution, and WMI remote execution.
- Harden Windows endpoints against credential theft and script abuse, including tighter PowerShell controls, command-line logging, and protection of LSASS where supported by the environment.
- Segment POS and other critical business systems from general user networks, and ensure monitoring spans both sides of segmentation boundaries.
- Control scheduled task creation and remote administration tooling through policy, change control, and alerting rather than assuming all use is benign.
Analyst notes and limits
The ATT&CK object identifies FIN8 aliases as FIN8 and Syssphinx and describes activity since at least January 2016, sectors historically targeted, a shift reported in June 2021 from POS targeting to ransomware variant distribution, and relationships to multiple tools, malware families, and techniques. The practical defensive takeaway is to use FIN8 as an emulation and coverage-review scenario spanning POS risk, Windows enterprise intrusion tradecraft, identity compromise, and ransomware readiness.
ATT&CK supplies no official detection text, no group-level platforms, and no environment-specific indicators in the provided fields. The related techniques and software support defensive validation themes, but local telemetry, asset inventory, sector exposure, POS presence, identity architecture, and incident history are required to determine actual risk and coverage.
FIN8
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1078 | Valid Accounts | FIN8 has used valid accounts for persistence and lateral movement. (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique | FIN8 has used FTP to exfiltrate collected data. (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1033 | System Owner/User Discovery | FIN8 has executed the command `quser` to display the session details of a compromised machine. (Citation: Symantec FIN8 Jul 2023) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | FIN8 has used Registry keys to detect and avoid executing in potential sandboxes. (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | FIN8 has used RDP for lateral movement. (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE). (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1588.002 | Tool Sub-technique | |
| Enterprise | T1204.002 | Malicious File Sub-technique | FIN8 has used malicious e-mail attachments to lure victims into executing malware. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1588.003 | Code Signing Certificates Sub-technique | FIN8 has used an expired open-source X.509 certificate for testing in the OpenSSL repository, to connect to actor-controlled C2 servers. (Citation: Bitdefender Sardonic Aug 2021) |
| Enterprise | T1068 | Exploitation for Privilege Escalation | FIN8 has exploited the CVE-2016-0167 local vulnerability. (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription Sub-technique | FIN8 has used WMI event subscriptions for persistence. (Citation: Bitdefender FIN8 July 2021) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | FIN8 has distributed targeted emails containing links to malicious documents with embedded macros. (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | FIN8 has used scheduled tasks to maintain RDP backdoors. (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | FIN8 has used emails with malicious links to lure victims into installing malware. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1102 | Web Service | FIN8 has used |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | |
| Enterprise | T1070.004 | File Deletion Sub-technique | |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | FIN8 has distributed targeted emails containing Word documents with embedded malicious macros. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | FIN8 has used HTTPS for command and control. (Citation: Bitdefender FIN8 July 2021) |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | FIN8 has cleared logs during post compromise cleanup activities. (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | FIN8 has used RAR to compress collected data before exfiltration. (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1074.002 | Remote Data Staging Sub-technique | FIN8 aggregates staged data from a network into a single location. (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1105 | Ingress Tool Transfer | FIN8 has used remote code execution to download subsequent payloads. (Citation: FireEye Fin8 May 2016) (Citation: Bitdefender FIN8 July 2021) |
| Enterprise | T1082 | System Information Discovery | FIN8 has used PowerShell Scripts to check the architecture of a compromised machine before the selection of a 32-bit or 64-bit version of a malicious .NET loader. (Citation: Symantec FIN8 Jul 2023) |
| Enterprise | T1059.001 | PowerShell Sub-technique | FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access. (Citation: FireEye Obfuscation June 2017) (Citation: Bitdefender FIN8 July 2021) (Citation: FireEye Know Your Enemy FIN8 Aug 2016) (Citation: Symantec FIN8 Jul 2023) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure. (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1055.004 | Asynchronous Procedure Call Sub-technique | FIN8 has injected malicious code into a new svchost.exe process. (Citation: Bitdefender FIN8 July 2021) |
| Enterprise | T1018 | Remote System Discovery | |
| Enterprise | T1486 | Data Encrypted for Impact | FIN8 has deployed ransomware such as Ragnar Locker, White Rabbit, and attempted to execute Noberus on compromised networks. (Citation: Symantec FIN8 Jul 2023) |
| Enterprise | T1482 | Domain Trust Discovery | FIN8 has retrieved a list of trusted domains by using |
| Enterprise | T1112 | Modify Registry | FIN8 has deleted Registry keys during post compromise cleanup activities. (Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| Enterprise | T1134.001 | Token Impersonation/Theft Sub-technique | FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token. (Citation: Bitdefender FIN8 July 2021) (Citation: Symantec FIN8 Jul 2023) |
| Enterprise | T1016.001 | Internet Connection Discovery Sub-technique | |
| Enterprise | T1047 | Windows Management Instrumentation | FIN8's malicious spearphishing payloads use WMI to launch malware and spawn `cmd.exe` execution. FIN8 has also used WMIC and the Impacket suite for lateral movement, as well as during and post compromise cleanup activities. (Citation: FireEye Obfuscation June 2017) (Citation: Bitdefender FIN8 July 2021) (Citation: FireEye Know Your Enemy FIN8 Aug 2016) (Citation: Symantec FIN8 Jul 2023) |
Groups, software, and campaigns
S0097: Ping
S1081: BADHATCH
S0196: PUNCHBUGGY
PUNCHBUGGY is a backdoor malware used by FIN8 that has been observed targeting POS networks in the hospitality industry.[1][2][3]
S0481: Ragnar Locker
Ragnar Locker is a ransomware that has been in use since at least December 2019.[1][2]
S0197: PUNCHTRACK
PUNCHTRACK is non-persistent point of sale (POS) system malware utilized by FIN8 to scrape payment card data.[1][2]
S0105: dsquery
dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. [1] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]
Net has a great deal of functionality,[2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using `net use` commands, and interacting with services. The `net1.exe` utility is executed for certain functionality when `net.exe` is run and can be used directly in commands such as `net1 user`.
S0359: Nltest
S1085: Sardonic
S0029: PsExec
S0357: Impacket
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | bb5a34d483ce… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye Obfuscation June 2017: Bohannon, D. & Carr, N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
- [2] FireEye Fin8 May 2016: Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
- [3] Bitdefender Sardonic Aug 2021: Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
- [4] Symantec FIN8 Jul 2023: Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
- [5] Alias: FIN8 (Citation: FireEye Obfuscation June 2017)
- [6] Alias: Syssphinx (Citation: Symantec FIN8 Jul 2023)
- [7] External ID: mitre-attack G0061
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.