Home/ Threat Actors/ FIN13

🌐FIN13

🌐 FIN13 is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 53 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1016) ↗

14Use cases

0Articles

53Techniques

0IOCs

About this actor (MITRE)

[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

Known aliases

FIN13Elephant Beetle

Top techniques

T1003.001 · LSASS Memory T1003.002 · Security Account Manager T1003.003 · NTDS

All other tracked techniques

T1005 · Data from Local System T1016 · System Network Configuration Discovery T1016.001 · Internet Connection Discovery T1021.001 · Remote Desktop Protocol T1021.002 · SMB/Windows Admin Shares T1021.004 · SSH T1021.006 · Windows Remote Management T1036 · Masquerading T1036.004 · Masquerade Task or Service T1036.005 · Match Legitimate Resource Name or Location T1046 · Network Service Discovery T1047 · Windows Management Instrumentation T1049 · System Network Connections Discovery T1053.005 · Scheduled Task T1056.001 · Keylogging T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1069 · Permission Groups Discovery T1071.001 · Web Protocols T1074.001 · Local Data Staging T1078.001 · Default Accounts T1082 · System Information Discovery T1083 · File and Directory Discovery T1087 · Account Discovery T1087.002 · Domain Account T1090.001 · Internal Proxy T1098.007 · Additional Local or Domain Groups T1105 · Ingress Tool Transfer T1133 · External Remote Services T1134.003 · Make and Impersonate Token T1135 · Network Share Discovery T1136.001 · Local Account T1140 · Deobfuscate/Decode Files or Information T1190 · Exploit Public-Facing Application T1505.003 · Web Shell T1547.001 · Registry Run Keys / Startup Folder T1550.002 · Pass the Hash T1552.001 · Credentials In Files T1556 · Modify Authentication Process T1560.001 · Archive via Utility T1564.001 · Hidden Files and Directories T1565 · Data Manipulation T1572 · Protocol Tunneling T1574.001 · DLL T1587.001 · Malware T1588.002 · Tool T1589 · Gather Victim Identity Information T1590.004 · Network Topology T1657 · Financial Theft

Detection use cases (14)

FIN13 / Elephant Beetle: Java app-server (WebSphere/WebLogic/JBoss/Tomcat) or IIS spawning OS recon/admin binaries — web-shell command execu AI · profile SΣ FIN13 long-dwell SSH reverse-tunnel / port-forwarding via plink, ssh.exe or PuTTY (T1572) AI · profile SΣ Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match