Clankerusecase
Threat-actor profile

FIN4

FIN4 is a tracked threat actor in the Clankerusecase corpus. Alignment: unknown. Primary motivation: Unknown. We map 14 detection use cases to this actor across 12 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

MITRE ATT&CK group: G0085

Summary counts:
- Use cases: 14
- Articles: 0
- Techniques: 12
- IOCs: 0

About this actor (MITRE)

[FIN4](https://attack.mitre.org/groups/G0085) is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. (Citation: FireEye Hacking FIN4 Dec 2014) (Citation: FireEye FIN4 Stealing Insider NOV 2014) [FIN4](https://attack.mitre.org/groups/G0085) is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence. (Citation: FireEye Ha

Known aliases

FIN4

Detection use cases (14)

- FIN4 stealth inbox rule hiding incident-response & M&A correspondence (AI · profile)
- FIN4 OWA/Exchange Online access via Tor/anonymising proxy with legacy mail protocol (AI · profile)
- 1Password activity from Tor exit node (MITRE match)
- 1Password impossible-travel sign-in (MITRE match)
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
- Developer package install spawning script-host with non-registry C2 within 5 minutes (MITRE match)
- Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution (MITRE match)
- Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes (MITRE match)
- OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay (MITRE match)
- Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access (MITRE match)
- Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes (MITRE match)
- Package manager lifecycle hook spawns network-fetching shell or runtime (MITRE match)
- Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain (MITRE match)
- Abnormal Security: malicious email opened (MITRE match)