DFIRLab

Security research, threat intelligence, and free DFIR tools.

© 2026 DFIR Lab. All rights reserved.


FIN7

Also known as: Carbanak, Carbon Spider, ELBRUS, Sangria Tempest, ITG14, Navigator Group, GrayAlpha, Savage Ladybug, Storm-0324, Storm-1674, Storm-1811, STAC5143, WaterSeed, UNC3319, Gold Niagara

Status: Active | Sophistication: Expert | Origin: Eastern Europe | MITRE ATT&CK Group: G0046

Campaigns: 0 | Techniques: 45 | IOCs: 9 | Tools: 38 | Matches: 0 | Infrastructure: 6

Overview

FIN7 (Sangria Tempest) is a sophisticated, financially motivated threat actor active since at least 2013, known for targeting point-of-sale systems and payment card data and for deploying ransomware. The group significantly evolved its operations in 2023-2025, shifting to automated attack platforms, enhanced EDR bypasses, and sophisticated phishing infrastructure. FIN7 operates through sub-clusters including GrayAlpha, which deployed the custom PowerNet and MaskBat loaders via fake 7-Zip downloads and the undocumented TAG-124 TDS network. The group deployed Clop ransomware in April 2023 (its first ransomware campaign since late 2021), targeted the U.S. automotive industry in late 2023-2024, and expanded to over 4000 typosquatting domains mimicking brands such as Google, Microsoft 365, and American Express. FIN7 continues to develop the AvNeutralizer EDR bypass tool and employs the Checkmarks platform for automated SQL injection against public-facing servers. The group also uses the OpenDir network for malware distribution and maintains operational resilience through compartmentalized teams despite the 2018 arrests of key members. Recent campaigns involve sophisticated social engineering using fake job offers, IT support impersonation, and supply chain compromises.

Motivations

Financial Gain, Cybercrime

Target Sectors

Financial Services, Hospitality, Restaurant, Retail, Technology, Gaming, Healthcare, Automotive, Defense, Insurance, Transportation, Cloud Services, Media, Food and Beverage, Pharmaceutical, Utilities, Medical Equipment, Software, Consulting, Telecommunications, Restaurants, Aerospace, Manufacturing, Legal

Activity Timeline

First Seen

Jan 2013

Last Seen

Jan 2025

Quick Facts

Origin: Eastern Europe
Sophistication: Expert
Status: Active
MITRE Group: G0046

MITRE ATT&CK Techniques

(45)

Initial Access

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1189

Drive-by Compromise

Gain access through a user visiting a compromised website during normal browsing.

T1566.002

Spearphishing Link

Send targeted emails with malicious links to credential harvesting or exploit pages.

Other (technique names per MITRE ATT&CK)

T1204.002

Malicious File

T1059.005

Visual Basic

T1059.007

JavaScript

T1071.001

Web Protocols

T1027.010

Command Obfuscation

T1053.005

Scheduled Task

T1091

Replication Through Removable Media

T1195.002

Compromise Software Supply Chain

T1204.001

Malicious Link

T1136.001

Local Account

T1543.003

Windows Service

T1176

Software Extensions (formerly Browser Extensions)

T1199

Trusted Relationship

T1210

Exploitation of Remote Services

T1583.001

Domains

T1583.003

Virtual Private Server

T1608.001

Upload Malware

T1608.004

Drive-by Target

T1218.011

Rundll32

T1218.005

Mshta

T1562.001

Disable or Modify Tools

T1588.002

Tool

T1583.006

Web Services

T1114.001

Local Email Collection

T1592.002

Software

T1589.002

Email Addresses

T1598.003

Spearphishing Link

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

Defense Evasion

T1055

Process Injection

Inject code into running processes to evade defenses and elevate privileges.

T1036

Masquerading

Disguise malicious artifacts by manipulating names or locations to appear legitimate.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Persistence

T1547

Boot or Logon Autostart Execution

Configure code to run automatically during system boot or user logon.

Lateral Movement

T1570

Lateral Tool Transfer

Transfer tools and files between compromised systems within the network.

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

Command and Control

T1090

Proxy

Route C2 traffic through intermediary proxies to obscure the source.

Tools & Malware

(38)

Carbanak

Type: malware | Classification: Malicious

Signature backdoor used in billion-dollar bank heists. Provides full remote access to compromised banking systems including screen recording, keylogging, and ability to manipulate ATM/SWIFT transactions.

GRIFFON

Type: malware | Classification: Malicious

JavaScript-based backdoor delivered via spear-phishing. Lightweight initial access tool that profiles victims before deploying heavier Carbanak or Cobalt Strike payloads.

HALFBAKED

Type: malware | Classification: Malicious

Multi-purpose backdoor with screenshot, keylogging, and file exfiltration capabilities. Used as primary implant in hospitality and restaurant sector attacks.

PILLOWMINT

Type: malware | Classification: Malicious

Point-of-sale (POS) RAM scraper that extracts credit card data from memory of payment processing applications. Deployed on POS terminals in restaurant chains.

BOATLAUNCH

Type: malware | Classification: Malicious

Utility module that patches PowerShell processes in memory to bypass AMSI (Antimalware Scan Interface), allowing execution of malicious PowerShell scripts undetected.

POWERPLANT

Type: malware | Classification: Malicious

PowerShell-based backdoor framework used for persistent access. Supports dynamic module loading and uses multiple layers of obfuscation to evade detection.

BIRDWATCH

Type: malware | Classification: Malicious

.NET-based downloader that retrieves and executes secondary payloads. Used as intermediary between initial spear-phishing access and deployment of main backdoors.

Cobalt Strike

Type: framework | Classification: Legitimate

Primary post-exploitation framework. FIN7 uses heavily customized Cobalt Strike with unique malleable C2 profiles to evade network detection signatures.

Metasploit

Type: framework | Classification: Legitimate

Open-source penetration testing framework used alongside Cobalt Strike for exploitation, privilege escalation, and payload delivery.

BadUSB

Type: exploit kit | Classification: Malicious

Weaponized USB devices mailed to targets disguised as Best Buy gift cards or COVID-19 guidance. The devices emulate a keyboard to execute PowerShell commands on insertion.

Mimikatz

Type: framework | Classification: Legitimate

Credential harvesting tool used to extract POS terminal credentials, domain admin hashes, and Kerberos tickets for lateral movement within retail networks.

AnyDesk

Type: legitimate tool | Classification: Legitimate

Legitimate remote desktop software deployed for persistent access to compromised systems. Used as a fallback if primary C2 channels are disrupted.

TeamViewer

Type: legitimate tool | Classification: Legitimate

Remote access tool deployed on compromised POS management servers. Provides hands-on-keyboard access for manual operations during heist execution.

Advanced IP Scanner

Type: legitimate tool | Classification: Legitimate

Network discovery tool used to map internal networks after initial compromise, identifying POS terminals, domain controllers, and payment processing servers.

PowerShell

Type: OS utility | Classification: Legitimate

Central to FIN7 operations — used for fileless execution, AMSI bypass, payload staging, and lateral movement throughout compromised retail/restaurant networks.

Combi Security / Bastion Secure

Type: legitimate tool | Classification: Malicious

Front companies established by FIN7 to recruit penetration testers who unknowingly developed offensive tools and conducted attacks on real targets.

PowerNet

Type: Loader | Classification: Malicious

Custom PowerShell-based loader deployed by GrayAlpha sub-cluster via fake software downloads

MaskBat

Type: Loader | Classification: Malicious

Batch file-based loader used by GrayAlpha for initial compromise via trojanized downloads

Checkmarks

Type: Exploit | Classification: Malicious

Automated platform for SQL injection attacks against public-facing web servers

AvNeutralizer

Type: Other | Classification: Malicious

EDR bypass tool designed to disable and evade endpoint detection and response solutions

Termite

Type: Backdoor | Classification: Malicious

Tunneling tool used for establishing persistent network access and lateral movement

DICELOADER

Type: Loader | Classification: Malicious

Malware loader used to deploy additional payloads and maintain persistence

BIRDDOG

Type: Backdoor | Classification: Malicious

JavaScript-based backdoor providing remote access capabilities

SQLRat

Type: Backdoor | Classification: Malicious

Backdoor that uses SQL Server for command and control communications

Astra

Type: Stealer | Classification: Malicious

Information stealer targeting credentials and sensitive data

Lizar

Type: Backdoor | Classification: Malicious

Modular backdoor also known as Tirion, used for reconnaissance and data theft

Bateleur

Type: Backdoor | Classification: Malicious

JScript-based backdoor deployed via malicious LNK files in phishing campaigns

Meterpreter

Type: RAT | Classification: Legitimate

Legitimate Metasploit payload used by FIN7 for post-exploitation

DNSMessenger

Type: Backdoor | Classification: Malicious

Fileless backdoor that uses DNS queries for command and control communications

BOOSTWRITE

Type: Loader | Classification: Malicious

Custom loader used to execute shellcode and deploy additional malware

POWERSOURCE

Type: Backdoor | Classification: Malicious

PowerShell-based backdoor for persistent access and command execution

BABYMETAL

Type: Backdoor | Classification: Malicious

Lightweight reconnaissance and execution backdoor deployed in initial compromise stages

POWERTRASH

Type: Backdoor | Classification: Malicious

PowerShell backdoor used for establishing persistence and executing commands

DNSBot

Type: Backdoor | Classification: Malicious

DNS tunneling backdoor used by FIN7 for covert command and control communications

Black Basta

Type: Other | Classification: Malicious

Ransomware deployed by FIN7 in campaigns starting 2022

NetSupport RAT

Type: RAT | Classification: Legitimate

Legitimate remote administration tool abused for unauthorized access

AuroraStealer

Type: Stealer | Classification: Malicious

Information stealer targeting credentials and sensitive data

Loadout

Type: Loader | Classification: Malicious

Multi-stage loader used to deploy final payloads while evading detection

Indicators of Compromise

(9)
IOC values are defanged for safety
Type | Value | Notes
domain | comfrede[.]com | C2 domain used in hospitality sector targeting
domain | julopos[.]com | C2 infrastructure for GRIFFON malware
ip | 185[.]180[.]197[.]36 | Carbanak C2 server infrastructure
ip | 91[.]219[.]236[.]166 | C2 node linked to POS malware operations
hash | fcc2e3e2a9a2a2bdd5a5e5c6c0e34f13 | Carbanak backdoor variant (MD5)
domain | advanced-ip-sccanner[.]com | Typosquatting domain used in U.S. automotive campaign 2023-2024
domain | myipscanner[.]com | Redirect domain in automotive campaign 2023-2024
hash | 2fc8b38d3f40d8151ec717c8a8813cf06df90c10 | AvNeutralizer EDR bypass tool, detected in Black Basta intrusions
ip | 38[.]180[.]138[.]251 | C2 server for Post-Connect.jar malware observed in 2024 VEILDrive campaign

Infrastructure

(6)
Domain values are defanged for safety
Domain / Host | Type | Status | Last Checked | Notes
comfrede[.]com | c2 | offline | Apr 2, 2026 | C2 domain used in hospitality sector targeting
julopos[.]com | c2 | offline | Apr 2, 2026 | C2 infrastructure for GRIFFON malware
185[.]180[.]197[.]36 | ip | offline | Apr 2, 2026 | Carbanak C2 server infrastructure
91[.]219[.]236[.]166 | ip | offline | Apr 2, 2026 | C2 node linked to POS malware operations
advanced-ip-sccanner[.]com | domain | offline | Apr 2, 2026 |
myipscanner[.]com | domain | active | Apr 2, 2026 |

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References

(38)

MITRE ATT&CK - FIN7

https://attack.mitre.org/groups/G0046/

U.S. DOJ - Three Members of Notorious Cybercrime Group FIN7 Charged

https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100

Mandiant - FIN7 Evolution and Ransomware

https://www.mandiant.com/resources/evolution-of-fin7

FIN7 Reboot - Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks

https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/

GrayAlpha Unmasked: New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks

https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat

Threat Group FIN7 Targets the U.S. Automotive Industry

https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry

Microsoft: Notorious FIN7 hackers return in Clop ransomware attacks

https://www.bleepingcomputer.com/news/security/microsoft-notorious-fin7-hackers-return-in-clop-ransomware-attacks/

FIN7: Silent Push unearths 4000+ phishing and shell domains

https://www.silentpush.com/blog/fin7/

Threat hunting case study: Uncovering FIN7

https://www.intel471.com/blog/threat-hunting-case-study-uncovering-fin7

Financially motivated threat actors misusing App Installer

https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/

FIN7 Group Attributed to TAG-124 TDS and GrayAlpha Cluster Operations

https://www.sentinelone.com/labs/grayalpha-fin7-deploys-powernet-maskbat/

Microsoft Threat Intelligence: Sangria Tempest Shifts to Automated Attacks

https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/

FIN7 Deploys Clop Ransomware in 2023 Campaign

https://www.bleepingcomputer.com/news/security/fin7-hackers-launch-darkside-ransomware-attacks/

FIN7 Evolution and Phishing Campaigns

https://www.mandiant.com/resources/blog/fin7-spear-phishing-campaign-targets-personnel

CISA Alert on FIN7 Tactics

https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-266a

FIN7 Evolution and Phishing Campaigns - Mandiant

https://www.mandiant.com/resources/blog/fin7-power-automate-api

FIN7 Backdoor Malware Analysis - Morphisec

https://blog.morphisec.com/fin7-attacks-restaurant-industry

Carbanak Group Uses Signed Binaries - ESET Research

https://www.welivesecurity.com/2019/05/29/carbanak-group-false-flag-attack/

FIN7 Evolution and Phishing Campaigns (Recorded Future)

https://www.recordedfuture.com/fin7-revisited-detecting-new-tactics-and-tools

Sangria Tempest Targets Automotive Industry (Microsoft)

https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/

FIN7 Evolution and Phishing Campaigns - Recorded Future

https://www.recordedfuture.com/fin7-threat-analysis

FIN7 Group Uses Updated Techniques - CISA Alert

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

FIN7 Deploys Anubis Backdoor to Hijack Windows Systems via Compromised SharePoint Sites

https://thehackernews.com/2025/04/fin7-deploys-anubis-backdoor-to-hijack.html

PRODAFT - Anubis Backdoor IOCs

https://github.com/prodaft/malware-ioc/blob/master/SavageLadybug/AnubisBackdoor.md

FIN7 Cybercrime Group Targeting U.S. Auto Industry with Carbanak Backdoor

https://thehackernews.com/2024/04/fin7-cybercrime-group-targeting-us-auto.html

Emulating the Criminal Adversary FIN7 - Part 2

https://www.attackiq.com/2025/02/14/emulating-fin7-part-2/

FIN7, FIN8, and Others Use Ragnar Loader for Persistent Access and Ransomware Operations

https://thehackernews.com/2025/03/fin7-fin8-and-others-use-ragnar-loader.html

Sophos MDR tracks two ransomware campaigns using email bombing, Microsoft Teams vishing

https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/

Malware distributor Storm-0324 facilitates ransomware access

https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/

FIN7 Evolution and Phishing Campaigns 2021-2024

https://www.mandiant.com/resources/blog/fin7-pursuing-software-supply-chain

Microsoft Threat Intelligence on Sangria Tempest (FIN7)

https://www.microsoft.com/en-us/security/blog/2023/09/14/financially-motivated-threat-actors-misusing-app-installer

FIN7 Group Unveiled: A Deep Dive into a Notorious Cybercrime Syndicate

https://www.sentinelone.com/labs/fin7-returns-with-new-tricks/

Microsoft Threat Intelligence - Sangria Tempest

https://learn.microsoft.com/en-us/security/operations/threat-actors/fin7

CISA Alert: FIN7 Continues Targeting Multiple Sectors

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a

FIN7 Evolution and the Phishing LNK

https://www.mandiant.com/resources/blog/fin7-evolution-and-phishing-lnk

FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7

https://www.mandiant.com/resources/blog/fin7-power-hour-adversary-archaeology

FIN7 Malware Delivery and the BlackBasta Ransomware Emerged

https://www.sentinelone.com/labs/from-fin7-to-clop-understanding-the-evolution-of-carbanak/

Microsoft Threat Intelligence: Sangria Tempest

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming