S0681: Lizar

Lizar matters because it is a Windows, .NET-based modular remote access tool with capabilities that map to credential theft, discovery, command execution, encrypted/raw TCP command-and-control, plugin download, screenshot collection, and in-memory execution. For leaders, the practical issue is not just “malware on an endpoint”; it is whether a compromised Windows host could become a control point for credential harvesting and follow-on activity before the SOC has enough telemetry to reconstruct what happened.

Executive priority

Prioritize Lizar-relevant readiness around Windows endpoint visibility, credential protection, and incident response evidence. The ATT&CK relationships show behaviors that can affect business continuity and incident scope decisions: LSASS and browser/Credential Manager credential access, command shell/PowerShell/Python execution, process and DLL/PE injection, security software discovery, and tool/plugin transfer. Executives should ask whether endpoint logging, EDR, network monitoring, and identity controls can support rapid containment when credentials may have been exposed, not merely whether malware was blocked.

Technical view

SOC and IR teams should validate coverage for Windows execution and post-compromise behaviors associated with Lizar relationships: cmd.exe, PowerShell, Python/Impacket-style remote execution, Windows API use, reflective DLL loading, process injection, LSASS access, vaultcmd.exe/CredEnumerateW credential enumeration, browser database access, Outlook/Thunderbird account collection, screenshot activity, plugin/file download, encrypted C2, and raw TCP communications. Because official detection guidance is not provided, detection should be built from behavior chains rather than a single signature: unusual script execution followed by process injection, credential store access, discovery, and outbound encrypted or non-application-layer traffic.

Likely telemetry

Windows process creation and command-line logs
PowerShell script block/module/operational logging where available
Endpoint detection telemetry for process injection, reflective loading, DLL/PE injection, and suspicious memory access
Security events and EDR telemetry for LSASS access or dump-like behavior
File and registry activity around browser profile databases, Windows Credential Manager vault paths, and credential enumeration utilities such as vaultcmd.exe

Detection direction

Treat Lizar as a behavior-based detection problem because the official object does not provide detection text.
Correlate execution telemetry with credential access: cmd.exe, PowerShell, Python scripts, or .NET activity followed by LSASS access, vaultcmd.exe use, CredEnumerateW-like behavior, or browser credential database reads.
Tune process injection analytics for Windows API patterns and memory-only execution, including reflective DLL loading and PE execution inside another process; expect false positives from legitimate security, administration, and software-management tools.
Watch for security software discovery followed by evasive execution or plugin download, as this sequence can indicate adversary adaptation to local defenses.
Monitor raw TCP and encrypted outbound connections from unusual processes, especially when paired with host discovery, username/computer-name collection, or C2 configuration decryption indicators.

Mitigation priorities

Strengthen Windows endpoint hardening and EDR coverage for memory injection, suspicious script execution, and credential-store access.
Reduce credential exposure by limiting local administrative privileges, protecting LSASS where feasible, and discouraging storage of privileged credentials in browsers or Windows Credential Manager.
Constrain PowerShell and scripting abuse through logging, execution policy governance, application control, and least-privilege administration rather than relying on script blocking alone.
Control outbound traffic with egress filtering, proxy visibility, and alerting for unusual raw TCP or encrypted connections from endpoints.
Limit tool and plugin transfer opportunities through application allowlisting, download controls, and monitoring of uncommon administrative utilities used outside approved workflows.

Analyst notes and limits

The supplied ATT&CK data identifies Lizar as a modular .NET remote access tool for Windows and notes likely FIN7 use since at least February 2021, with structural similarities to Carbanak. The relationship set is especially useful for defensive planning because it links Lizar to execution, credential access, discovery, collection, command-and-control, obfuscation, and stealth behaviors. The most defensible detection strategy is to validate telemetry across these behavior chains instead of depending on malware naming or static indicators.

Official detection is not provided, tactics are not specified on the malware object itself, and the object does not include environment-specific indicators, hashes, C2 infrastructure, or guaranteed detection logic. Local validation is required to determine whether telemetry exists, whether controls see memory-resident behavior, and whether alerts can distinguish malicious activity from legitimate administration or security tooling.

Official MITRE ATT&CK definition

Lizar

Lizar is a modular remote access tool written using the .NET Framework that shares structural similarities to Carbanak. It has likely been used by FIN7 since at least February 2021.[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 28 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1055	Process Injection	Lizar can migrate the loader into another process.[1]
Enterprise	T1059.003	Windows Command Shell Sub-technique	Lizar has a command to open the command-line on the infected system.[2][1]
Enterprise	T1217	Browser Information Discovery	Lizar can retrieve browser history and database files.[2][1]
Enterprise	T1059.006	Python Sub-technique	Lizar has used Python scripts (ps2x.py script and ps2p.py) to execute files on remote hosts using the Impacket library.[1]
Enterprise	T1055.001	Dynamic-link Library Injection Sub-technique	Lizar has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process through reflective DLL loading.[1]
Enterprise	T1095	Non-Application Layer Protocol	Lizar has used a raw TCP connection to communicate with the C2 server.CitationSekoiaBourhis_DiceLoader_Feb2024
Enterprise	T1106	Native API	Lizar has used various Windows API functions on a victim's machine.[1]
Enterprise	T1027	Obfuscated Files or Information	Lizar has obfuscated the fingerprint of the victim system, the local IP address, and the Fowler-Noll-V 1 (FNV-1) hash of the local IP address using an XOR operation. The data is then sent to the C2 server.CitationSekoiaBourhis_DiceLoader_Feb2024
Enterprise	T1003.001	LSASS Memory Sub-technique	Lizar can run Mimikatz to harvest credentials.[2][1]
Enterprise	T1555.004	Windows Credential Manager Sub-technique	Lizar has a plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using `vaultcmd.exe` and another that can collect RDP access credentials using the `CredEnumerateW` function.[1]
Enterprise	T1113	Screen Capture	Lizar can take JPEG screenshots of an infected system.[2][1] Lizar has also used a plugin to take a screenshot of the infected system.[1]
Enterprise	T1033	System Owner/User Discovery	Lizar can collect the username from the system.[1]CitationSekoiaBourhis_DiceLoader_Feb2024
Enterprise	T1140	Deobfuscate/Decode Files or Information	Lizar has decrypted its configuration data, such as the C2 IP address, ports and other network communication.[1]CitationSekoiaBourhis_DiceLoader_Feb2024
Enterprise	T1059.001	PowerShell Sub-technique	Lizar has used PowerShell scripts.[1]
Enterprise	T1055.002	Portable Executable Injection Sub-technique	Lizar can execute PE files in the address space of the specified process.[1]
Enterprise	T1105	Ingress Tool Transfer	Lizar can download additional plugins, files, and tools.[1]CitationSekoiaBourhis_DiceLoader_Feb2024[4]
Enterprise	T1087.003	Email Account Sub-technique	Lizar can collect email accounts from Microsoft Outlook and Mozilla Thunderbird.[1]
Enterprise	T1082	System Information Discovery	Lizar can collect the computer name from the machine.[1]CitationSekoiaBourhis_DiceLoader_Feb2024
Enterprise	T1518.001	Security Software Discovery Sub-technique	Lizar can search for processes associated with an anti-virus product from list.[1]
Enterprise	T1555.003	Credentials from Web Browsers Sub-technique	Lizar has a module to collect usernames and passwords stored in browsers.[1]
Enterprise	T1573	Encrypted Channel	Lizar can support encrypted communications between the client and server.[2][1][4]
Enterprise	T1620	Reflective Code Loading	Lizar has used the Reflective DLL injection module from Github to inject itself into a process’s memory.CitationSekoiaBourhis_DiceLoader_Feb2024
Enterprise	T1588.002	Tool Sub-technique	FIN7 has obtained and used tools such as Impacket, Mimikatz, and PsExec.[1]
Enterprise	T1016	System Network Configuration Discovery	Lizar has retrieved network information from a compromised host, such as the MAC address.[1]CitationSekoiaBourhis_DiceLoader_Feb2024
Enterprise	T1057	Process Discovery	Lizar has a plugin designed to obtain a list of processes.[2][1]
Enterprise	T1132.002	Non-Standard Encoding Sub-technique	Lizar has used a complex XOR operation to obfuscate C2 communications.CitationSekoiaBourhis_DiceLoader_Feb2024
Enterprise	T1560	Archive Collected Data	Lizar has encrypted data before sending it to the server.[1]
Enterprise	T1049	System Network Connections Discovery	Lizar has a plugin to retrieve information about all active network sessions on the infected server.[1]

Associated objects

Groups, software, and campaigns

G0046: FIN7

FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.0
Created: Feb 2, 2022, 21:05 UTC (UTC+00:00)
Modified: Oct 3, 2025, 14:46 UTC (UTC+00:00)
Raw hash: 856fc8d913bc5725...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	2.0	Oct 3, 2025, 14:46 UTC (UTC+00:00)	Current bundle	`856fc8d913bc…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
BiZone Lizar May 2021

BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
Open source URL
[2]
Threatpost Lizar May 2021

Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.
Open source URL
[3]
Gemini FIN7 Oct 2021

Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022.
Open source URL
[4]
Cocomazzi FIN7 Reboot

Cocomazzi, Antonio. (2024, July 17). FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks. Retrieved September 24, 2025.
Open source URL
[5]
DiceLoader

(Citation: Cocomazzi FIN7 Reboot)
[6]
Icebot

(Citation: Cocomazzi FIN7 Reboot)
[7]
Lizar

(Citation: BiZone Lizar May 2021)(Citation: Threatpost Lizar May 2021)(Citation: Gemini FIN7 Oct 2021)
[8]
Tirion

(Citation: BiZone Lizar May 2021)(Citation: Gemini FIN7 Oct 2021)
[9]
mitre-attack S0681
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams