Home/ Threat Actors/ FIN7

🇷🇺FIN7

🇷🇺 FIN7 is a tracked threat actor in the Clankerusecase corpus. RU-aligned. Primary motivation: Criminal. We map 14 detection use cases to this actor across 67 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0046) ↗

14Use cases

0Articles

67Techniques

0IOCs

About this actor (MITRE)

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https:/

Known aliases

FIN7GOLD NIAGARAITG14Carbon SpiderELBRUSSangria Tempest

Top techniques

T1005 · Data from Local System T1008 · Fallback Channels T1021.001 · Remote Desktop Protocol

All other tracked techniques

T1021.004 · SSH T1021.005 · VNC T1027.010 · Command Obfuscation T1027.016 · Junk Code Insertion T1033 · System Owner/User Discovery T1036.004 · Masquerade Task or Service T1036.005 · Match Legitimate Resource Name or Location T1047 · Windows Management Instrumentation T1053.005 · Scheduled Task T1057 · Process Discovery T1059 · Command and Scripting Interpreter T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1059.007 · JavaScript T1069.002 · Domain Groups T1071.004 · DNS T1078 · Valid Accounts T1078.003 · Local Accounts T1082 · System Information Discovery T1087.002 · Domain Account T1091 · Replication Through Removable Media T1102.002 · Bidirectional Communication T1105 · Ingress Tool Transfer T1113 · Screen Capture T1124 · System Time Discovery T1125 · Video Capture T1140 · Deobfuscate/Decode Files or Information T1190 · Exploit Public-Facing Application T1195.002 · Compromise Software Supply Chain T1204.001 · Malicious Link T1204.002 · Malicious File T1210 · Exploitation of Remote Services T1218.005 · Mshta T1218.011 · Rundll32 T1219 · Remote Access Tools T1486 · Data Encrypted for Impact T1497.002 · User Activity Based Checks T1543.003 · Windows Service T1546.011 · Application Shimming T1547.001 · Registry Run Keys / Startup Folder T1553.002 · Code Signing T1558.003 · Kerberoasting T1559.002 · Dynamic Data Exchange T1564.001 · Hidden Files and Directories T1564.003 · Hidden Window T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1567.002 · Exfiltration to Cloud Storage T1569.002 · Service Execution T1571 · Non-Standard Port T1572 · Protocol Tunneling T1583.001 · Domains T1583.006 · Web Services T1587.001 · Malware T1588.002 · Tool T1591 · Gather Victim Org Information T1591.004 · Identify Roles T1608.001 · Upload Malware T1608.004 · Drive-by Target T1608.005 · Link Target T1620 · Reflective Code Loading T1674 · Input Injection T1686 · Disable or Modify System Firewall

Detection use cases (14)

FIN7 (Carbon Spider / Sangria Tempest) POWERTRASH loader — obfuscated PowerShell from ISO/LNK lure parents AI · profile SΣ FIN7 RMM staging — silent Atera / Splashtop / ScreenConnect deployment for ransomware affiliate access AI · profile SΣ 1Password impossible-travel sign-in MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match