Clankerusecase
Threat-actor profile

FIN10

FIN10 is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 11 MITRE ATT&CK techniques, with 0 threat-intel articles citing the actor.

14 use cases
0 articles
11 techniques
0 IOCs

About this actor (MITRE)

[FIN10](https://attack.mitre.org/groups/G0051) is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)

Known aliases

FIN10

Top techniques

All other tracked techniques

Detection use cases (14)

- FIN10 PowerShell Empire stager + schtasks persistence chain [AI · profile S]
- FIN10 RDP lateral movement to data-staging share with valid stolen accounts [AI · profile S]
- 1Password impossible-travel sign-in [MITRE match]
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes [MITRE match]
- Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) [MITRE match]
- Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint [MITRE match]
- Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain [MITRE match]
- Service-process parent spawns subprocess containing CLI-argument-injection tokens [MITRE match]
- Atlassian administrator impersonating user [MITRE match]
- Auth0 anomalous attack-protection event spike [MITRE match]
- AWS Console login without MFA + impossible travel [MITRE match]
- Credential-stuffing attack on application [MITRE match]
- Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) [MITRE match]
- GitLab password reset from suspicious IP [MITRE match]