Clankerusecase
Threat-actor profile

FIN5

FIN5 is a tracked threat actor in the Clankerusecase corpus. Alignment: not recorded. Primary motivation: Unknown. We map 14 detection use cases to this actor across 11 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

MITRE ATT&CK group: G0053

- 14 use cases
- 0 articles
- 11 techniques
- 0 IOCs

About this actor (MITRE)

[FIN5](https://attack.mitre.org/groups/G0053) is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)

Known aliases

FIN5

Top techniques

All other tracked techniques

Detection use cases (14)

- FIN5 anti-forensic wipe via Sysinternals SDelete after payment-card staging (AI · profile)
- FIN5 stolen-VPN-credential logon followed by net.exe / nltest discovery burst (AI · profile)
- 1Password failed sign-in burst (MITRE match)
- 1Password impossible-travel sign-in (MITRE match)
- Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) (MITRE match)
- Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request (MITRE match)
- Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution (MITRE match)
- Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write (MITRE match)
- Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain (MITRE match)
- Abnormal Security: brute-force attack detected (MITRE match)
- Atlassian administrator impersonating user (MITRE match)
- Auth0 anomalous attack-protection event spike (MITRE match)
- Auth0 brute-force attack on user (MITRE match)
- AWS brute-force ConsoleLogin then AssumeRole (MITRE match)