Clankerusecase
Threat-actor profile

FIN6

FIN6 is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Criminal. We map 14 detection use cases to this actor across 40 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

MITRE ATT&CK group: G0037

14 use cases, 0 articles, 40 techniques, 0 IOCs

About this actor (MITRE)

[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)

Known aliases

FIN6, Magecart Group 6, ITG08, Skeleton Spider, TAAL, Camouflage Tempest

Top techniques

All other tracked techniques

Detection use cases (14)

- FIN6 'more_eggs' loader: squiblytwo (wmic XSL) and squiblydoo (regsvr32 scrobj) execution from fake-resume lures [AI · profile SΣ]
- FIN6 NTDS.dit theft via ntdsutil IFM and follow-on credential exfil prep on domain controllers [AI · profile SΣ]
- 1Password impossible-travel sign-in [MITRE match]
- 1Password item exfiltration attempt [MITRE match]
- 1Password vault export attempted [MITRE match]
- Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) [MITRE match]
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes [MITRE match]
- Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN [MITRE match]
- Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) [MITRE match]
- Developer package install spawning script-host with non-registry C2 within 5 minutes [MITRE match]
- Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint [MITRE match]
- Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) [MITRE match]
- Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution [MITRE match]
- Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain [MITRE match]