Home/ Threat Actors/ FIN8

🇷🇺FIN8

🇷🇺 FIN8 is a tracked threat actor in the Clankerusecase corpus. RU-aligned. Primary motivation: Criminal. We map 14 detection use cases to this actor across 36 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0061) ↗

14Use cases

0Articles

36Techniques

0IOCs

About this actor (MITRE)

[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected [FIN8](https://attack.mitre.org/groups/G0061) switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec F

Known aliases

FIN8Syssphinx

Top techniques

T1003.001 · LSASS Memory T1016.001 · Internet Connection Discovery T1018 · Remote System Discovery

All other tracked techniques

T1021.001 · Remote Desktop Protocol T1021.002 · SMB/Windows Admin Shares T1027.010 · Command Obfuscation T1033 · System Owner/User Discovery T1047 · Windows Management Instrumentation T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol T1053.005 · Scheduled Task T1055.004 · Asynchronous Procedure Call T1059.001 · PowerShell T1059.003 · Windows Command Shell T1068 · Exploitation for Privilege Escalation T1070.004 · File Deletion T1071.001 · Web Protocols T1074.002 · Remote Data Staging T1078 · Valid Accounts T1082 · System Information Discovery T1102 · Web Service T1105 · Ingress Tool Transfer T1112 · Modify Registry T1134.001 · Token Impersonation/Theft T1204.001 · Malicious Link T1204.002 · Malicious File T1482 · Domain Trust Discovery T1486 · Data Encrypted for Impact T1518.001 · Security Software Discovery T1546.003 · Windows Management Instrumentation Event Subscription T1560.001 · Archive via Utility T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1573.002 · Asymmetric Cryptography T1588.002 · Tool T1588.003 · Code Signing Certificates T1685.005 · Clear Windows Event Logs

Detection use cases (14)

FIN8 (Syssphinx) application-shim persistence via sdbinst.exe loading a non-Microsoft .sdb AI · profile SΣ FIN8 Sardonic loader chain — Office macro spawns obfuscated PowerShell that invokes WMI Win32_Process for lateral execution AI · profile S 1Password impossible-travel sign-in MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match