S0681: Lizar
Analyst context for executives and security teams
Lizar matters because it is a Windows, .NET-based modular remote access tool with capabilities that map to credential theft, discovery, command execution, encrypted/raw TCP command-and-control, plugin download, screenshot collection, and in-memory execution. For leaders, the practical issue is not just “malware on an endpoint”; it is whether a compromised Windows host could become a control point for credential harvesting and follow-on activity before the SOC has enough telemetry to reconstruct what happened.
Executive priority
Prioritize Lizar-relevant readiness around Windows endpoint visibility, credential protection, and incident response evidence. The ATT&CK relationships show behaviors that can affect business continuity and incident scope decisions: LSASS and browser/Credential Manager credential access, command shell/PowerShell/Python execution, process and DLL/PE injection, security software discovery, and tool/plugin transfer. Executives should ask whether endpoint logging, EDR, network monitoring, and identity controls can support rapid containment when credentials may have been exposed, not merely whether malware was blocked.
Technical view
SOC and IR teams should validate coverage for Windows execution and post-compromise behaviors associated with Lizar relationships: cmd.exe, PowerShell, Python/Impacket-style remote execution, Windows API use, reflective DLL loading, process injection, LSASS access, vaultcmd.exe/CredEnumerateW credential enumeration, browser database access, Outlook/Thunderbird account collection, screenshot activity, plugin/file download, encrypted C2, and raw TCP communications. Because official detection guidance is not provided, detection should be built from behavior chains rather than a single signature: unusual script execution followed by process injection, credential store access, discovery, and outbound encrypted or non-application-layer traffic.
Likely telemetry
- Windows process creation and command-line logs
- PowerShell script block/module/operational logging where available
- Endpoint detection telemetry for process injection, reflective loading, DLL/PE injection, and suspicious memory access
- Security events and EDR telemetry for LSASS access or dump-like behavior
- File and registry activity around browser profile databases, Windows Credential Manager vault paths, and credential enumeration utilities such as vaultcmd.exe
Detection direction
- Treat Lizar as a behavior-based detection problem because the official object does not provide detection text.
- Correlate execution telemetry with credential access: cmd.exe, PowerShell, Python scripts, or .NET activity followed by LSASS access, vaultcmd.exe use, CredEnumerateW-like behavior, or browser credential database reads.
- Tune process injection analytics for Windows API patterns and memory-only execution, including reflective DLL loading and PE execution inside another process; expect false positives from legitimate security, administration, and software-management tools.
- Watch for security software discovery followed by evasive execution or plugin download, as this sequence can indicate adversary adaptation to local defenses.
- Monitor raw TCP and encrypted outbound connections from unusual processes, especially when paired with host discovery, username/computer-name collection, or C2 configuration decryption indicators.
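The behavior-chain approach above, as an added example that is not part of the ATT&CK object or the Glexia analysis: constructed Sysmon-style events are correlated per host so that script execution followed by credential-store access (LSASS handle from a script host, or vaultcmd.exe) and a non-standard outbound TCP connection inside a time window raises one finding. Event field names, the 10-minute window and the port list are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "python.exe"}   # execution stage
CRED_TOOLS = {"vaultcmd.exe"}                                   # Credential Manager enumeration
WINDOW = timedelta(minutes=10)                                  # assumed correlation window

# Constructed sample telemetry (not real logs): (timestamp, host, event_type, details)
EVENTS = [
    ("2024-01-10T09:00:05", "ws01", "ProcessCreate", {"image": "powershell.exe", "parent": "winword.exe"}),
    ("2024-01-10T09:01:10", "ws01", "ProcessAccess", {"source": "powershell.exe", "target": "lsass.exe"}),
    ("2024-01-10T09:01:30", "ws01", "ProcessCreate", {"image": "vaultcmd.exe", "parent": "powershell.exe"}),
    ("2024-01-10T09:02:00", "ws01", "NetworkConnect", {"image": "powershell.exe", "dst_port": 4433}),
    # Benign host: admin PowerShell, then the AV engine touching LSASS much later
    ("2024-01-10T09:00:00", "ws02", "ProcessCreate", {"image": "powershell.exe", "parent": "explorer.exe"}),
    ("2024-01-10T09:30:00", "ws02", "ProcessAccess", {"source": "MsMpEng.exe", "target": "lsass.exe"}),
]

def stage(ev):
    """Map one event to a chain stage ('execution', 'credential_access', 'c2') or None."""
    kind, d = ev[2], ev[3]
    if kind == "ProcessCreate" and d["image"].lower() in SCRIPT_HOSTS:
        return "execution"
    if kind == "ProcessAccess" and d["target"].lower() == "lsass.exe" \
            and d["source"].lower() in SCRIPT_HOSTS:
        return "credential_access"          # LSASS access from a script host, not from known security tooling
    if kind == "ProcessCreate" and d["image"].lower() in CRED_TOOLS:
        return "credential_access"
    if kind == "NetworkConnect" and d["image"].lower() in SCRIPT_HOSTS \
            and d["dst_port"] not in (80, 443):
        return "c2"                         # raw/non-standard outbound from a script host
    return None

def find_chains(events, window=WINDOW):
    """Return {host: start_time} for hosts where all three stages occur after a
    script execution and within `window` of it; ordering by time is per host."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e[1], e[0])):
        s = stage(ev)
        if s:
            by_host[ev[1]].append((datetime.fromisoformat(ev[0]), s))
    hits = {}
    for host, seq in by_host.items():
        for i, (t0, s0) in enumerate(seq):
            if s0 != "execution":
                continue
            seen = {s for t, s in seq[i:] if t - t0 <= window}
            if {"execution", "credential_access", "c2"} <= seen:
                hits[host] = t0.isoformat()
                break
    return hits
```

Tuning the source allowlist for `ProcessAccess` (security, backup and administration tools) is where most of the false-positive reduction the section mentions happens.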
Mitigation priorities
- Strengthen Windows endpoint hardening and EDR coverage for memory injection, suspicious script execution, and credential-store access.
- Reduce credential exposure by limiting local administrative privileges, protecting LSASS where feasible, and discouraging storage of privileged credentials in browsers or Windows Credential Manager.
- Constrain PowerShell and scripting abuse through logging, execution policy governance, application control, and least-privilege administration rather than relying on script blocking alone.
- Control outbound traffic with egress filtering, proxy visibility, and alerting for unusual raw TCP or encrypted connections from endpoints.
- Limit tool and plugin transfer opportunities through application allowlisting, download controls, and monitoring of uncommon administrative utilities used outside approved workflows.
Analyst notes and limits
The supplied ATT&CK data identifies Lizar as a modular .NET remote access tool for Windows and notes likely FIN7 use since at least February 2021, with structural similarities to Carbanak. The relationship set is especially useful for defensive planning because it links Lizar to execution, credential access, discovery, collection, command-and-control, obfuscation, and stealth behaviors. The most defensible detection strategy is to validate telemetry across these behavior chains instead of depending on malware naming or static indicators.
Official detection is not provided, tactics are not specified on the malware object itself, and the object does not include environment-specific indicators, hashes, C2 infrastructure, or guaranteed detection logic. Local validation is required to determine whether telemetry exists, whether controls see memory-resident behavior, and whether alerts can distinguish malicious activity from legitimate administration or security tooling.
Lizar
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055 | Process Injection | Lizar can migrate the loader into another process. (Citation: BiZone Lizar May 2021) |
| Enterprise | T1059.003 | Windows Command Shell | Lizar has a command to open the command-line on the infected system. (Citation: Threatpost Lizar May 2021) (Citation: BiZone Lizar May 2021) |
| Enterprise | T1217 | Browser Information Discovery | Lizar can retrieve browser history and database files. (Citation: Threatpost Lizar May 2021) (Citation: BiZone Lizar May 2021) |
| Enterprise | T1059.006 | Python | |
| Enterprise | T1055.001 | Dynamic-link Library Injection | Lizar has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process through reflective DLL loading. (Citation: BiZone Lizar May 2021) |
| Enterprise | T1095 | Non-Application Layer Protocol | Lizar has used a raw TCP connection to communicate with the C2 server. (Citation: SekoiaBourhis_DiceLoader_Feb2024) |
| Enterprise | T1106 | Native API | Lizar has used various Windows API functions on a victim's machine. (Citation: BiZone Lizar May 2021) |
| Enterprise | T1027 | Obfuscated Files or Information | Lizar has obfuscated the fingerprint of the victim system, the local IP address, and the Fowler-Noll-Vo 1 (FNV-1) hash of the local IP address using an XOR operation. The data is then sent to the C2 server. (Citation: SekoiaBourhis_DiceLoader_Feb2024) |
| Enterprise | T1003.001 | LSASS Memory | |
| Enterprise | T1555.004 | Windows Credential Manager | Lizar has a plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using `vaultcmd.exe` and another that can collect RDP access credentials using the `CredEnumerateW` function. (Citation: BiZone Lizar May 2021) |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1033 | System Owner/User Discovery | Lizar can collect the username from the system. (Citation: BiZone Lizar May 2021) (Citation: SekoiaBourhis_DiceLoader_Feb2024) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Lizar has decrypted its configuration data, such as the C2 IP address, ports and other network communication settings. (Citation: BiZone Lizar May 2021) (Citation: SekoiaBourhis_DiceLoader_Feb2024) |
| Enterprise | T1059.001 | PowerShell | Lizar has used PowerShell scripts. (Citation: BiZone Lizar May 2021) |
| Enterprise | T1055.002 | Portable Executable Injection | Lizar can execute PE files in the address space of the specified process. (Citation: BiZone Lizar May 2021) |
| Enterprise | T1105 | Ingress Tool Transfer | Lizar can download additional plugins, files, and tools. (Citation: BiZone Lizar May 2021) (Citation: SekoiaBourhis_DiceLoader_Feb2024) (Citation: Cocomazzi FIN7 Reboot) |
| Enterprise | T1087.003 | Email Account | Lizar can collect email accounts from Microsoft Outlook and Mozilla Thunderbird. (Citation: BiZone Lizar May 2021) |
| Enterprise | T1082 | System Information Discovery | Lizar can collect the computer name from the machine. (Citation: BiZone Lizar May 2021) (Citation: SekoiaBourhis_DiceLoader_Feb2024) |
| Enterprise | T1518.001 | Security Software Discovery | Lizar can search for processes associated with an anti-virus product from a list. (Citation: BiZone Lizar May 2021) |
| Enterprise | T1555.003 | Credentials from Web Browsers | Lizar has a module to collect usernames and passwords stored in browsers. (Citation: BiZone Lizar May 2021) |
| Enterprise | T1573 | Encrypted Channel | Lizar can support encrypted communications between the client and server. (Citation: Threatpost Lizar May 2021) (Citation: BiZone Lizar May 2021) (Citation: Cocomazzi FIN7 Reboot) |
| Enterprise | T1620 | Reflective Code Loading | Lizar has used the Reflective DLL injection module from GitHub to inject itself into a process’s memory. (Citation: SekoiaBourhis_DiceLoader_Feb2024) |
| Enterprise | T1588.002 | Tool | |
| Enterprise | T1016 | System Network Configuration Discovery | Lizar has retrieved network information from a compromised host, such as the MAC address. (Citation: BiZone Lizar May 2021) (Citation: SekoiaBourhis_DiceLoader_Feb2024) |
| Enterprise | T1057 | Process Discovery | Lizar has a plugin designed to obtain a list of processes. (Citation: Threatpost Lizar May 2021) (Citation: BiZone Lizar May 2021) |
| Enterprise | T1132.002 | Non-Standard Encoding | Lizar has used a complex XOR operation to obfuscate C2 communications. (Citation: SekoiaBourhis_DiceLoader_Feb2024) |
| Enterprise | T1560 | Archive Collected Data | Lizar has encrypted data before sending it to the server. (Citation: BiZone Lizar May 2021) |
| Enterprise | T1049 | System Network Connections Discovery | Lizar has a plugin to retrieve information about all active network sessions on the infected server. (Citation: BiZone Lizar May 2021) |
Groups, software, and campaigns
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 856fc8d913bc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] BiZone Lizar May 2021: BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
- [2] Threatpost Lizar May 2021: Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.
- [3] Gemini FIN7 Oct 2021: Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022.
- [4] Cocomazzi FIN7 Reboot: Cocomazzi, Antonio. (2024, July 17). FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks. Retrieved September 24, 2025.
- [5] DiceLoader (Citation: Cocomazzi FIN7 Reboot)
- [6] Icebot (Citation: Cocomazzi FIN7 Reboot)
- [7] Lizar (Citation: BiZone Lizar May 2021) (Citation: Threatpost Lizar May 2021) (Citation: Gemini FIN7 Oct 2021)
- [8] Tirion (Citation: BiZone Lizar May 2021) (Citation: Gemini FIN7 Oct 2021)
- [9] mitre-attack S0681
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.