S0182: FinFisher
FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. [1] [2] [3] [4] [5]
Analyst context for executives and security teams
FinFisher matters because ATT&CK describes it as heavily obfuscated commercial surveillance spyware with Windows and Android relevance, including relationships to credential collection, screen/audio/location capture, discovery, persistence, privilege escalation, and anti-analysis behaviors. For leaders, the practical issue is not just malware blocking; it is whether the organization can prove it has endpoint, mobile, identity, and incident response visibility when a targeted implant is designed to hide and collect sensitive information.
Executive priority
Treat this as a coverage validation scenario for targeted surveillance risk: high-value users, sensitive investigations, executive devices, legal/compliance teams, and mobile endpoints may need stronger monitoring and response playbooks than standard commodity-malware assumptions. Budget and risk discussions should focus on whether Windows persistence and privilege-escalation controls, Android permission governance, vulnerability prioritization, and forensic readiness can support decisions when official ATT&CK detection guidance is not provided.
Technical view
ATT&CK provides no official detection text for FinFisher, so SOC and IR teams should build coverage from the mapped relationships. On Windows these are: Registry querying and Run-key persistence, service creation or modification, DLL injection, token impersonation and theft, UAC bypass, bootkit persistence, process, system, file and security-software discovery, screen capture, credential API hooking, packed or junk-code-obfuscated files, deobfuscation of embedded stages, and system checks for analysis environments. For Android, validate visibility into privilege-escalation exploitation indicators and application access to microphone and location capabilities. Dark Caracal is listed as using this object in enterprise and mobile ATT&CK context, but local detections should remain behavior-based rather than assuming attribution.
Likely telemetry
- Windows process creation and command-line telemetry for discovery activity against registry, processes, files, system information, and security software
- Windows Registry auditing for Run keys, startup locations, service configuration, and suspicious resource naming or placement
- Windows service creation/modification events and associated executable paths
- Endpoint memory/module telemetry that can support investigation of DLL injection, API hooking, token impersonation, and packed or unpacking code behavior
- File metadata and binary analysis results for packed, obfuscated, junk-code-heavy, or masqueraded executables
Detection direction
- Do not rely on a single signature or sandbox verdict; ATT&CK notes heavy obfuscation and multiple anti-analysis techniques, and relationships include software packing, junk code insertion, deobfuscation, and system checks.
- Correlate weak signals: discovery of security tools plus process/system/file enumeration, followed by persistence changes, injection-like behavior, or collection events is more meaningful than any one event alone.
- Tune Windows detections for false positives from administrators, inventory tools, software installers, endpoint agents, and legitimate services that query the registry or system state.
- Validate mobile controls separately from desktop controls; Android microphone, location, and privilege-escalation signals require mobile telemetry that many SOC programs do not collect by default.
- Use the mapped Dark Caracal relationship as threat-intelligence context only; do not label incidents with attribution without independent evidence.
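The weak-signal correlation described in the list above, as an added example that is not part of this page or of any ATT&CK content: it classifies constructed Sysmon-like records (process creation, Registry value set, service install) into discovery, security-software discovery and persistence signals, weights persistence that lands in a user-writable path more heavily, and alerts only when a discovery event is followed inside a time window by a persistence change and the combined score crosses a threshold. The field names, regexes, window, weights and threshold are assumptions to tune against local telemetry; the second host shows the administrator and inventory-agent activity that should not fire.

```python
"""Correlate weak FinFisher-style signals per host inside a time window.

Added example, not from ATT&CK or any cited report. The event records below are
constructed, Sysmon-like samples; field names are assumptions, not a product schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands mapped on this page: process, system, file and Registry enumeration.
DISCOVERY_RE = re.compile(
    r"\b(tasklist|systeminfo|reg(\.exe)?\s+query|wmic\s+process|dir\s+/s)\b", re.I)
# Queries that specifically enumerate installed security products (T1518.001).
SECURITY_SW_RE = re.compile(r"(securitycenter2|antivirusproduct|get-mpcomputerstatus)", re.I)
# Run / RunOnce keys (T1547.001) and user-writable image locations.
PERSIST_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)

# Constructed sample events (assumed schema: ts, host, kind, plus kind-specific fields).
SAMPLE_EVENTS = [
    # WS01: discovery burst followed by two persistence changes from user-writable paths
    {"ts": "2024-05-01T09:00:01", "host": "WS01", "kind": "process", "cmd": "tasklist /svc"},
    {"ts": "2024-05-01T09:00:03", "host": "WS01", "kind": "process",
     "cmd": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "kind": "process",
     "cmd": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"ts": "2024-05-01T09:00:20", "host": "WS01", "kind": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ThemeHelper",
     "value": r"C:\Users\alice\AppData\Roaming\Theme\uxtheme.dll"},
    {"ts": "2024-05-01T09:00:25", "host": "WS01", "kind": "service",
     "name": "WinHelperSvc", "path": r"C:\ProgramData\Update\svc.exe"},
    # WS02: an administrator running inventory, then a vendor agent install hours later
    {"ts": "2024-05-01T10:00:00", "host": "WS02", "kind": "process", "cmd": "tasklist /svc"},
    {"ts": "2024-05-01T14:30:00", "host": "WS02", "kind": "service",
     "name": "InventoryAgent", "path": r"C:\Program Files\Inventory\agent.exe"},
]


def classify(ev):
    """Map one event to (signal_name, weight), or None if it carries no signal."""
    kind = ev["kind"]
    if kind == "process":
        cmd = ev.get("cmd", "")
        if SECURITY_SW_RE.search(cmd):
            return "security_software_discovery", 2
        if DISCOVERY_RE.search(cmd):
            return "discovery", 1
        return None
    if kind == "registry" and PERSIST_KEY_RE.search(ev.get("key", "")):
        return "run_key_persistence", 2 + (2 if USER_WRITABLE_RE.match(ev.get("value", "")) else 0)
    if kind == "service":
        return "service_persistence", 2 + (2 if USER_WRITABLE_RE.match(ev.get("path", "")) else 0)
    return None


def correlate(events, window_minutes=15, threshold=5):
    """Return one alert per host for each chain of discovery followed by persistence."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sig = classify(ev)
        if sig:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), sig[0], sig[1]))
    alerts = []
    for host, sigs in by_host.items():
        i = 0
        while i < len(sigs):
            t0, name0, _ = sigs[i]
            if not name0.endswith("discovery"):   # a chain must start with discovery
                i += 1
                continue
            chain = [s for s in sigs[i:] if s[0] - t0 <= window]
            names = sorted({s[1] for s in chain})
            score = sum(s[2] for s in chain)
            if any(n.endswith("_persistence") for n in names) and score >= threshold:
                alerts.append({"host": host, "start": t0.isoformat(),
                               "end": chain[-1][0].isoformat(), "score": score, "signals": names})
                i += len(chain)   # do not re-alert on the same chain
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The threshold and weights are deliberately simple; the point is the shape of the rule, in which no single discovery command or service install is alertable on its own, and an isolated `tasklist` from an administrator hours before an agent install scores below the bar.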
Mitigation priorities
- Prioritize vulnerability management for exposed user endpoints and document patch timelines, especially because cited references include research on zero-day-based FinSpy distribution.
- Harden Windows privilege pathways: restrict local admin rights, monitor elevation, review UAC exposure, and control service creation and registry persistence locations.
- Use application control and endpoint protection policies that reduce execution of unknown, packed, or suspiciously placed binaries, while recognizing obfuscation may limit static detection.
- Strengthen mobile device governance for Android: manage application sources, review high-risk permissions such as microphone and location, and ensure mobile telemetry is available for high-risk users.
- Prepare IR procedures for stealthy persistence, including escalation paths for suspected boot-level compromise where normal OS-level remediation may be insufficient.
Analyst notes and limits
This take is derived from the ATT&CK FinFisher malware object S0182, its official description, external references, platforms, and supplied relationship context. The most decision-useful content comes from the technique relationships because the object itself has no tactic list and no official detection section. The supplied relationships show a blend of surveillance collection, credential access, discovery, stealth, persistence, and privilege-escalation behaviors across Windows and Android-relevant contexts.
ATT&CK does not provide official detection guidance for this object, the mirrored object exposes no separate alias field (the FinSpy name appears only through the external-reference entries), and the malware object lists tactics as not specified. The relationship set supports defensive validation themes but does not prove current exploitation, customer exposure, or detection coverage in any environment. Local telemetry, asset criticality, mobile management scope, and forensic evidence are required to turn this into an operational assessment.
FinFisher
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1134.001 | Token Impersonation/Theft Sub-technique | FinFisher uses token manipulation with NtFilterToken as part of UAC bypass. [1][5] |
| Enterprise | T1113 | Screen Capture | FinFisher takes a screenshot of the screen and displays it on top of all other windows for a few seconds in an apparent attempt to hide some messages shown by the system during the setup process. [1][5] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | FinFisher establishes persistence by creating the Registry key |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | FinFisher clears the system event logs using |
| Enterprise | T1497.001 | System Checks Sub-technique | FinFisher obtains the hardware device list and checks whether the MD5 of the vendor ID matches a predefined list in order to detect sandbox or virtualized environments. [5] |
| Enterprise | T1574.001 | DLL Sub-technique | |
| Enterprise | T1056.004 | Credential API Hooking Sub-technique | FinFisher hooks processes by modifying IAT pointers to CreateWindowEx. [1] (Citation: Elastic Process Injection July 2017) |
| Enterprise | T1027.002 | Software Packing Sub-technique | A FinFisher variant uses a custom packer. [1][4] |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | FinFisher injects itself into various processes depending on whether it is running at low or high integrity. [1][5] |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | FinFisher performs UAC bypass. [1][5] |
| Enterprise | T1083 | File and Directory Discovery | FinFisher enumerates directories and scans for certain files. [1][5] |
| Enterprise | T1542.003 | Bootkit Sub-technique | Some FinFisher variants incorporate an MBR rootkit. [1][5] |
| Enterprise | T1012 | Query Registry | FinFisher queries Registry values as part of its anti-sandbox checks. [1][5] |
| Enterprise | T1543.003 | Windows Service Sub-technique | FinFisher creates a new Windows service with the malicious executable for persistence. [1][5] |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | FinFisher contains junk code in its functions in an effort to confuse disassembly programs. [1][5] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file. [1][5] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources. [1][5] |
| Enterprise | T1057 | Process Discovery | FinFisher checks its parent process for indications that it is running in a sandbox setup. [1][5] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | FinFisher probes the system to check for antimalware processes. [1][4] |
| Enterprise | T1082 | System Information Discovery | FinFisher checks whether the victim OS is 32- or 64-bit. [1][5] |
| Enterprise | T1027 | Obfuscated Files or Information | FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code. [1][5] |
| Enterprise | T1574.013 | KernelCallbackTable Sub-technique | FinFisher has used the |
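The T1056.004 row above describes import address table (IAT) slots being redirected to the implant's own code. The following is an added example, not code from ATT&CK, FinFisher or any cited report, showing the integrity check a memory-forensics script or EDR scan would apply: for each IAT slot, confirm the stored pointer lies inside the module that exports the function, while allowing for documented export forwarders (kernel32!HeapAlloc resolves into ntdll on current Windows), which otherwise look like hooks. The module names, base addresses, process name and IAT snapshot are constructed sample data.

```python
"""IAT integrity check: flag import slots that no longer point into the exporting module.

Added example; modules, addresses and the IAT snapshot are constructed sample data,
not measurements from a real process or from FinFisher itself.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class IatEntry:
    importer: str   # image whose import table holds this slot
    dll: str        # DLL named in the import descriptor
    func: str       # imported function name
    target: int     # pointer currently stored in the slot


# Documented export forwarders: the slot legitimately resolves into another module.
# kernel32!HeapAlloc is forwarded to ntdll!RtlAllocateHeap; extend per OS build.
KNOWN_FORWARDS: Dict[tuple, str] = {
    ("kernel32.dll", "HeapAlloc"): "ntdll.dll",
}

# Constructed module map; bases are illustrative, not real load addresses.
MODULES = [
    Module("setup.exe", 0x00400000, 0x00080000),
    Module("user32.dll", 0x7FF800000000, 0x001A0000),
    Module("kernel32.dll", 0x7FF810000000, 0x000C0000),
    Module("ntdll.dll", 0x7FF820000000, 0x00200000),
]

# Constructed IAT snapshot for setup.exe. The CreateWindowExW slot has been
# redirected to a private (unbacked) allocation, the residue an in-process hook leaves.
IAT_SNAPSHOT = [
    IatEntry("setup.exe", "user32.dll", "GetMessageW", 0x7FF80001A2C0),
    IatEntry("setup.exe", "kernel32.dll", "HeapAlloc", 0x7FF82003B110),       # forwarded, benign
    IatEntry("setup.exe", "user32.dll", "CreateWindowExW", 0x000001E4A0C40000),  # hooked
]


def owner_of(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the loaded module that backs addr, or None for unbacked memory."""
    return next((m for m in modules if m.contains(addr)), None)


def find_hooked_imports(iat: List[IatEntry], modules: List[Module]) -> List[dict]:
    """Return a finding for every slot whose pointer is outside its expected exporter."""
    by_name = {m.name.lower(): m for m in modules}
    findings = []
    for entry in iat:
        expected = KNOWN_FORWARDS.get((entry.dll.lower(), entry.func), entry.dll).lower()
        exporter = by_name.get(expected)
        if exporter is None:
            findings.append({"entry": entry, "reason": f"exporting module {expected} not loaded"})
            continue
        if exporter.contains(entry.target):
            continue
        backing = owner_of(entry.target, modules)
        where = backing.name if backing else "unbacked memory"
        findings.append({"entry": entry,
                         "reason": f"slot points into {where}, expected {exporter.name}"})
    return findings


if __name__ == "__main__":
    for f in find_hooked_imports(IAT_SNAPSHOT, MODULES):
        e = f["entry"]
        print(f"{e.importer}: {e.dll}!{e.func} @ {e.target:#x}: {f['reason']}")
```

A pointer into unbacked memory is the strongest result; a pointer into another loaded module needs the forwarder list and any legitimate shims (application-compatibility layers, some EDR agents) checked before it is treated as hostile.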
Groups, software, and campaigns
G0070: Dark Caracal
Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When multiple ATT&CK source imports are retained, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | b34bead4ed82… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FinFisher Citation. FinFisher. (n.d.). Retrieved September 12, 2024.
- [2] Microsoft SIR Vol 21. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
- [3] FireEye FinSpy Sept 2017. Jiang, G., et al. (2017, September 12). FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY. Retrieved February 15, 2018.
- [4] Securelist BlackOasis Oct 2017. Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
- [5] Microsoft FinFisher March 2018. Allievi, A., Flori, E. (2018, March 01). FinFisher exposed: A researcher's tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
- [6] FinFisher. (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)
- [7] FinSpy. (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)
- [8] mitre-attack S0182 (ATT&CK source record)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.