G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
Analyst context for executives and security teams
FIN7 matters because MITRE describes it as a financially motivated group with a long operating history, broad U.S. industry targeting, prior point-of-sale malware use, and a shift since 2020 toward big-game hunting and ransomware activity. For leaders, the decision point is not whether FIN7 is “in the environment,” but whether defenses can withstand the behaviors associated with the group: credential theft, remote access tooling, lateral movement over RDP/SSH, Active Directory discovery, PowerShell backdoors, command-and-control resilience, data collection, and ransomware-stage disruption.
Executive priority
Treat FIN7 as a resilience and readiness benchmark for financially motivated intrusion chains. Organizations in retail, hospitality, financial services, healthcare-related equipment, cloud services, transportation, pharmaceutical, utilities, and other listed sectors should ask whether identity controls, endpoint visibility, POS/system segmentation, ransomware recovery, and incident response evidence are strong enough to support fast decisions during a financially motivated intrusion. Budget priority should favor controls that reduce credential abuse, remote access exposure, uncontrolled scripting, and ransomware blast radius.
Technical view
MITRE provides no group-level detection text and no group-level platforms or tactics, so validation should be driven by the documented relationships. Related software includes Mimikatz, Carbanak, POWERSOURCE, TEXTMATE, HALFBAKED, Cobalt Strike, PowerSploit, SQLRat, BOOSTWRITE, RDFSNIFFER, GRIFFON, Maze, CrackMapExec, REvil, Pillowmint, AdFind, JSS Loader, Lizar, and SystemBC. Related techniques include local data collection, fallback command-and-control channels, RDP lateral movement, and SSH lateral movement. SOC and IR teams should verify visibility across Windows-heavy endpoint activity, PowerShell and script execution, credential access indicators, Active Directory enumeration, remote access sessions, database or SQL-script abuse where relevant, POS environments where present, network C2/proxy behavior, and ransomware precursor activity.
Likely telemetry
- Endpoint process creation, command-line, module load, DLL search-order, and persistence-related events on Windows systems
- PowerShell, script block, VBS, macro-enabled document handling, and memory-resident backdoor indicators where logging is enabled
- Authentication logs for Windows accounts, privileged accounts, RDP sessions, and SSH sessions on Linux, macOS, ESXi, or network-adjacent systems where applicable
- Active Directory query and enumeration evidence, including command-line tooling consistent with directory discovery
- Credential access telemetry relevant to tools such as Mimikatz and post-exploitation frameworks
Detection direction
- Because MITRE does not provide official detection guidance for this group object, map detections to the related software and techniques rather than relying on the group name alone.
- Validate coverage for credential dumping, Active Directory enumeration, remote access tool use, PowerShell-based backdoors, commercial/offensive security frameworks, and ransomware precursor behaviors.
- Tune detections to distinguish authorized administration and penetration testing tools from suspicious use; several related tools have legitimate security or administrative uses, including Cobalt Strike, PowerSploit, CrackMapExec, and AdFind.
- Correlate RDP/SSH logons with account context, source geography/network zone, device role, privilege level, and follow-on execution rather than alerting on protocol use alone.
- Review blind spots in POS networks, database servers, remote IT management paths, unmanaged endpoints, cloud-hosted workloads, and systems where PowerShell or endpoint logging is limited.
Mitigation priorities
- Prioritize identity hardening: privileged account reduction, strong authentication for remote access, credential hygiene, and monitoring for credential dumping and abnormal account use.
- Reduce remote access risk by limiting RDP and SSH exposure, enforcing administrative access paths, and monitoring interactive logons to sensitive systems.
- Harden endpoints against unauthorized scripting, macro/VBS abuse, suspicious PowerShell behavior, DLL search-order abuse, and unapproved post-exploitation tooling.
- Segment and monitor POS, payment, server, backup, and high-value business systems to limit lateral movement and ransomware blast radius.
- Maintain tested incident response and ransomware recovery procedures, including offline or protected backups and evidence collection plans for endpoint, identity, network, and data access telemetry.
Analyst notes and limits
The most useful defensive value of this object is as a threat-informed control validation profile. FIN7 is associated in ATT&CK with financially motivated activity, broad industry targeting, point-of-sale malware, remote access and post-exploitation tooling, credential theft, lateral movement, data collection, and ransomware families including REvil and Maze. The Carbanak linkage is explicitly qualified by MITRE: multiple groups have used Carbanak, so defenders should avoid over-attributing based on that malware alone.
Official group-level detection, tactics, and platforms are not provided in the supplied object. Platform and behavior guidance here is inferred only from the supplied relationship context and related software/technique descriptions. Local relevance depends on the organization’s sector, POS footprint, Windows/Linux/macOS/ESXi exposure, remote access architecture, logging maturity, and whether named dual-use tools are authorized in the environment.
FIN7
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.001 | Malicious Link Sub-technique | |
| Enterprise | T1553.002 | Code Signing Sub-technique | |
| Enterprise | T1078 | Valid Accounts | |
| Enterprise | T1059 | Command and Scripting Interpreter | |
| Enterprise | T1021.004 | SSH Sub-technique | |
| Enterprise | T1190 | Exploit Public-Facing Application | |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | |
| Enterprise | T1608.005 | Link Target Sub-technique | FIN7 has created a fake link that redirected to an adversary-controlled Dropbox that downloaded the malicious executable. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | |
| Enterprise | T1021.005 | VNC Sub-technique | |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | |
| Enterprise | T1564.003 | Hidden Window Sub-technique | FIN7 has used .txt files to conceal PowerShell commands. (Citation: Gemini_FIN7_Jan2022) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | |
| Enterprise | T1218.011 | Rundll32 Sub-technique | |
| Enterprise | T1047 | Windows Management Instrumentation | FIN7 has used WMI to install malware on targeted systems. (Citation: eSentire FIN7 July 2021) |
| Enterprise | T1620 | Reflective Code Loading | FIN7 has loaded a .NET assembly into the current execution context via `Reflection.Assembly::Load`. (Citation: Gemini_FIN7_Jan2022) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | |
| Enterprise | T1219 | Remote Access Tools | |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | FIN7 has used `attrib +h "C:\ProgramData\ssh"` to make the SSH folder hidden. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1059.001 | PowerShell Sub-technique | |
| Enterprise | T1572 | Protocol Tunneling | FIN7 has tunneled C2 traffic via OpenSSH. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1546.011 | Application Shimming Sub-technique | |
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | FIN7 spear phishing campaigns have included malicious Word documents with DDE execution. (Citation: CyberScoop FIN7 Oct 2017) |
| Enterprise | T1069.002 | Domain Groups Sub-technique | |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | |
| Enterprise | T1674 | Input Injection | FIN7 has used malicious USBs to emulate keystrokes to launch PowerShell to download and execute malware from the adversary's server. (Citation: FBI Flash FIN7 USB) (Citation: Gemini_FIN7_Jan2022) |
| Enterprise | T1486 | Data Encrypted for Impact | |
| Enterprise | T1588.002 | Tool Sub-technique | FIN7 has utilized a variety of tools such as Cobalt Strike, PowerSploit, and the remote management tool, Atera for targeting efforts.[6] |
| Enterprise | T1591 | Gather Victim Org Information | |
| Enterprise | T1569.002 | Service Execution Sub-technique | FIN7 has started the SSH service by executing `sc start sshd`. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1583.006 | Web Services Sub-technique | |
| Enterprise | T1497.002 | User Activity Based Checks Sub-technique | |
| Enterprise | T1059.007 | JavaScript Sub-technique | |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | |
| Enterprise | T1608.004 | Drive-by Target Sub-technique | |
| Enterprise | T1686 | Disable or Modify System Firewall | FIN7 has added a firewall rule to allow TCP port 59999 inbound and a rule to allow sshd.exe on TCP port 9898. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1082 | System Information Discovery | FIN7 has used csvde.exe, which is a built-in Windows command line tool, to export system information. Additionally, WsTaskLoad has gathered system information, such as operating system and hostname. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1125 | Video Capture | |
| Enterprise | T1571 | Non-Standard Port | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | |
| Enterprise | T1087.002 | Domain Account Sub-technique | FIN7 has used the PowerShell script 3CF9.ps1 and the executable WsTaskLoad to enumerate domain administrators by executing `net group "Domain Admins" /domain`. (Citation: BlackBerry_FIN7_April2024) FIN7 has also used csvde.exe, which is a built-in Windows command line tool, to export Active Directory information. |
| Enterprise | T1204.002 | Malicious File Sub-technique | FIN7 lured victims to double-click on images in the attachments they sent, which would then execute the hidden LNK file.[2] (Citation: eSentire FIN7 July 2021) [5] Additionally, FIN7 has used malicious Microsoft Word and Excel files and Leo VBS to distribute an updated version of JSS Loader and to distribute the Harpy backdoor. (Citation: Crowdstrike_CarbonSpider_Part2_Nov2024) |
| Enterprise | T1057 | Process Discovery | FIN7 has used the PowerShell script 3CF9.ps1 to perform process discovery by executing `tasklist /v`. Additionally, WsTaskLoad.exe executes `tasklist /v` to perform process discovery. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1218.005 | Mshta Sub-technique | |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1078.003 | Local Accounts Sub-technique | |
| Enterprise | T1591.004 | Identify Roles Sub-technique | FIN7 has identified IT staff and employees who had higher levels of administrative rights. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1124 | System Time Discovery | FIN7 has used the PowerShell script 3CF9.ps1 to execute `net time`. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1583.001 | Domains Sub-technique | FIN7 has registered look-alike domains for use in phishing campaigns. (Citation: eSentire FIN7 July 2021) Additionally, FIN7 has registered a malicious domain, `advanced-ip-sccanner[.]com`, that redirected to an adversary-controlled Dropbox which contained the malicious executable. (Citation: BlackBerry_FIN7_April2024) |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1543.003 | Windows Service Sub-technique | |
| Enterprise | T1091 | Replication Through Removable Media | FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations. (Citation: FBI Flash FIN7 USB) Additionally, FIN7 has used malicious USBs that acted as virtual keyboards to install malware and txt files that decode to PowerShell commands. (Citation: Gemini_FIN7_Jan2022) |
| Enterprise | T1071.004 | DNS Sub-technique | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | |
| Enterprise | T1608.001 | Upload Malware Sub-technique | |
| Enterprise | T1008 | Fallback Channels | FIN7's Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails. (Citation: Crowdstrike GTR2020 Mar 2020) |
| Enterprise | T1558.003 | Kerberoasting Sub-technique | |
| Enterprise | T1195.002 | Compromise Software Supply Chain Sub-technique | |
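As an added example (not MITRE's or Glexia's code), the following Python matches constructed Windows process-creation command lines against the procedures documented in the table above and, following the tuning point in the Detection direction section, reports a host only when several distinct techniques co-occur and at least one of them is not a routine administrative command. The netsh syntax for the firewall rules, the host names, and the user names are assumptions; the page states only that rules for TCP 59999 and sshd.exe were added.

```python
"""Match constructed Windows process-creation events against the FIN7
procedures listed on this page and rank hosts by how many distinct
techniques appear. Added example, not MITRE or Glexia code."""
import re
from collections import defaultdict

# Command-line patterns for the procedures this page documents, keyed by
# ATT&CK technique ID. The netsh form for the firewall rules is an assumption;
# the page only states that rules for TCP 59999 and sshd.exe were added.
PROCEDURE_PATTERNS = {
    "T1087.002": re.compile(r'\bnet1?(?:\.exe)?\s+group\s+["\u201c]?domain admins["\u201d]?\s+/domain', re.I),
    "T1564.001": re.compile(r'\battrib(?:\.exe)?\b.*\+h\b.*\\ssh\b', re.I),
    "T1569.002": re.compile(r'\bsc(?:\.exe)?\s+start\s+sshd\b', re.I),
    "T1686": re.compile(r'\bnetsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*(?:localport=59999|sshd\.exe)', re.I),
    "T1057": re.compile(r'\btasklist(?:\.exe)?\s+/v\b', re.I),
    "T1124": re.compile(r'\bnet1?(?:\.exe)?\s+time\b', re.I),
    "T1082": re.compile(r'\bcsvde(?:\.exe)?\b', re.I),
}

# Procedures that are common in legitimate administration on their own; they
# only justify a report when paired with a higher-confidence match.
LOW_CONFIDENCE = {"T1057", "T1124", "T1082"}

def match_event(cmdline: str) -> set:
    """Return the technique IDs whose pattern matches one command line."""
    return {tid for tid, pat in PROCEDURE_PATTERNS.items() if pat.search(cmdline)}

def score_hosts(events, min_distinct: int = 2) -> dict:
    """Group technique matches per host and return the hosts worth review.

    A host is reported when it shows at least `min_distinct` distinct
    techniques and at least one of them is outside LOW_CONFIDENCE.
    """
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= match_event(ev["cmdline"])
    return {
        host: sorted(tids)
        for host, tids in per_host.items()
        if len(tids) >= min_distinct and (tids - LOW_CONFIDENCE)
    }

# Constructed sample events, not real telemetry; host and user names are made up.
SAMPLE_EVENTS = [
    {"host": "ws-finance-07", "user": "CORP\\a.user", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "ws-finance-07", "user": "CORP\\a.user", "cmdline": 'attrib +h "C:\\ProgramData\\ssh"'},
    {"host": "ws-finance-07", "user": "CORP\\a.user", "cmdline": "sc start sshd"},
    {"host": "ws-finance-07", "user": "CORP\\a.user",
     "cmdline": 'netsh advfirewall firewall add rule name="x" dir=in action=allow protocol=TCP localport=59999'},
    {"host": "srv-helpdesk-02", "user": "CORP\\helpdesk", "cmdline": "tasklist /v"},
    {"host": "srv-helpdesk-02", "user": "CORP\\helpdesk", "cmdline": "net time"},
    {"host": "ws-sales-11", "user": "CORP\\b.user", "cmdline": "notepad.exe C:\\Users\\b.user\\notes.txt"},
]

if __name__ == "__main__":
    # Only ws-finance-07 is reported: the helpdesk host shows two low-confidence
    # discovery commands that are expected from ordinary administration.
    for host, tids in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: review, techniques {', '.join(tids)}")
```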
Groups, software, and campaigns
S0417: GRIFFON
S0002: Mimikatz
S0552: AdFind
S0648: JSS Loader
JSS Loader is a Remote Access Trojan (RAT) with .NET and C++ variants that has been used by FIN7 since at least 2020.[1][2]
S0151: HALFBAKED
S0496: REvil
REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]
S0194: PowerSploit
PowerSploit is an open source, offensive security framework composed of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing, such as code execution, persistence, bypassing anti-virus, recon, and exfiltration.[1][2][3]
S0488: CrackMapExec
CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[1]
S0030: Carbanak
S0517: Pillowmint
Pillowmint is a point-of-sale malware used by FIN7 designed to capture credit card information.[1]
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0449: Maze
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 4.1 | | Current bundle | 9de71303cbad… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye FIN7 March 2017. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
[2] FireEye FIN7 April 2017. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
[3] FireEye CARBANAK June 2017. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
[4] FireEye FIN7 Aug 2018. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
[5] CrowdStrike Carbon Spider August 2021. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
[6] Mandiant FIN7 Apr 2022. Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
[7] BiZone Lizar May 2021. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker's toolkit. Retrieved February 2, 2022.
[8] Microsoft Ransomware as a Service. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
[9] Morphisec FIN7 June 2017. Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
[10] FireEye FIN7 Shim Databases. Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.
[11] IBM Ransomware Trends September 2020. Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
[12] Carbon Spider. (Citation: CrowdStrike Carbon Spider August 2021)
[13] ELBRUS. (Citation: Microsoft Ransomware as a Service)
[14] FIN7. (Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)
[15] GOLD NIAGARA. (Citation: Secureworks GOLD NIAGARA Threat Profile)
[16] ITG14. ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046). (Citation: IBM Ransomware Trends September 2020)
[17] Microsoft Threat Actor Naming July 2023. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[18] Sangria Tempest. (Citation: Microsoft Threat Actor Naming July 2023)
[19] Secureworks GOLD NIAGARA Threat Profile. CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.
[20] mitre-attack G0046.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.