
G0046 FIN7

FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.12425913

ID: G0046
Associated Names: GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, Sangria Tempest
Version: 4.1
Created: 31 May 2017
Last Modified: 24 October 2025

Associated Group Descriptions

Name Description
GOLD NIAGARA 6
ITG14 ITG14 shares campaign overlap with FIN7.13
Carbon Spider 9
ELBRUS 11
Sangria Tempest 10

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account FIN7 has used the PowerShell script 3CF9.ps1 and the executable WsTaskLoad to enumerate domain administrators by executing net group “Domain Admins” /domain.15 FIN7 has also used csvde.exe, which is a built-in Windows command line tool, to export Active Directory information.
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains FIN7 has registered look-alike domains for use in phishing campaigns.17 Additionally, FIN7 has registered a malicious domain as advanced-ip-sccanner[.]com that redirected to an adversary-controlled Dropbox which contained the malicious executable.15
enterprise T1583.006 Web Services FIN7 has set up Amazon S3 buckets to host trojanized digital products.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS FIN7 has performed C2 using DNS via A, OPT, and TXT records.5
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.45
enterprise T1059 Command and Scripting Interpreter FIN7 used SQL scripts to help perform tasks on the victim’s machine.5145
enterprise T1059.001 PowerShell FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.4818116 Additionally, FIN7 has executed a custom obfuscation of the shellcode invoker in PowerSploit called POWERTRASH.15
enterprise T1059.003 Windows Command Shell FIN7 used the command prompt to launch commands on the victim’s machine.5141 Additionally, FIN7 has used cmd.exe to open the Run dialog by sending the “Windows + R” keys through malicious USBs acting as virtual keyboards.16
enterprise T1059.005 Visual Basic FIN7 used VBS scripts to help perform tasks on the victim’s machine.5149
enterprise T1059.007 JavaScript FIN7 used JavaScript scripts to help perform tasks on the victim’s machine.514
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service FIN7 created new Windows services and added them to the startup directories for persistence.5
enterprise T1486 Data Encrypted for Impact FIN7 has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware.91 Additionally, FIN7 has deployed ransomware as the end payload during big game hunting.15
enterprise T1005 Data from Local System FIN7 has collected files and other sensitive information from a compromised network.9
enterprise T1140 Deobfuscate/Decode Files or Information FIN7 has decoded a malicious PowerShell script using certutil -decode hex and has decoded an XOR-obfuscated block of data with the key qawsed1q2w3e, which led to the installation of Lizar.16
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware FIN7 has developed malware for use in operations, including the creation of infected removable media.1825
enterprise T1546 Event Triggered Execution -
enterprise T1546.011 Application Shimming FIN7 has used application shim databases for persistence.7
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage FIN7 has exfiltrated stolen data to the MEGA file sharing site.9
enterprise T1190 Exploit Public-Facing Application FIN7 has compromised targeted organizations through exploitation of CVE-2021-31207 in Exchange.11
enterprise T1210 Exploitation of Remote Services FIN7 has exploited ZeroLogon (CVE-2020-1472) against vulnerable domain controllers.9
enterprise T1008 Fallback Channels FIN7’s Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails.24
enterprise T1591 Gather Victim Org Information FIN7 has compiled a list of victims by filtering companies by revenue using Zoominfo, which is a service that provides business information.3
enterprise T1591.004 Identify Roles FIN7 has identified IT staff and employees who had higher levels of administrative rights.15
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories FIN7 has used attrib +h “C:\ProgramData\ssh” to make the SSH folder hidden.15
enterprise T1564.003 Hidden Window FIN7 has used .txt files to conceal PowerShell commands.16
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall FIN7 has added a firewall rule to allow TCP port 59999 inbound and a rule to allow sshd.exe on TCP port 9898.15
enterprise T1105 Ingress Tool Transfer FIN7 has downloaded additional malware to execute on the victim’s machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.420116
enterprise T1674 Input Injection FIN7 has used malicious USBs to emulate keystrokes to launch PowerShell to download and execute malware from the adversary’s server.1816
enterprise T1559 Inter-Process Communication -
enterprise T1559.002 Dynamic Data Exchange FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.19
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service FIN7 has created a scheduled task named “AdobeFlashSync” to establish persistence.8
enterprise T1036.005 Match Legitimate Resource Name or Location FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.9 Additionally, FIN7 has mimicked WsTaskLoad.exe, which is associated with the Wondershare software suite, by using a malicious executable under the same name.15
enterprise T1571 Non-Standard Port FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.5 FIN7 has used TCP ports 59999 and 9898 for firewall rules.15
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.2159
enterprise T1027.016 Junk Code Insertion FIN7 has used random junk code to obfuscate malware code.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool FIN7 has utilized a variety of tools such as Cobalt Strike, PowerSploit, and the remote management tool, Atera for targeting efforts.1
enterprise T1069 Permission Groups Discovery -
enterprise T1069.002 Domain Groups FIN7 has used the command net group "domain admins" /domain to enumerate domain groups.115  
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.42014179
enterprise T1566.002 Spearphishing Link FIN7 has conducted broad phishing campaigns using malicious links.9 Additionally, FIN7 has sent spearphishing emails containing a typosquatted link to “ip-sccanner[.]com.”15
enterprise T1057 Process Discovery FIN7 has used the PowerShell script 3CF9.ps1 to perform process discovery by executing tasklist /v. Additionally, WsTaskLoad.exe executes tasklist /v to perform process discovery.15
enterprise T1572 Protocol Tunneling FIN7 has tunneled C2 traffic via OpenSSH.15
enterprise T1620 Reflective Code Loading FIN7 has loaded a .NET assembly into the current execution context via Reflection.Assembly::Load.16
enterprise T1219 Remote Access Tools FIN7 has utilized the remote management tool Atera to download malware to a compromised system.1
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol FIN7 has used RDP to move laterally in victim environments.9
enterprise T1021.004 SSH FIN7 has used SSH to move laterally through victim environments.9
enterprise T1021.005 VNC FIN7 has used TightVNC to control compromised hosts.9
enterprise T1091 Replication Through Removable Media FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations.18 Additionally, FIN7 has used malicious USBs that acted as virtual keyboards to install malware and .txt files that decode to PowerShell commands.16
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task FIN7 malware has created scheduled tasks to establish persistence.48514 Specifically, FIN7 has used OpenSSH to establish persistence.15
enterprise T1113 Screen Capture FIN7 captured screenshots and desktop video recordings.20
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware FIN7 has staged legitimate software that was trojanized to contain an Atera agent installer on Amazon S3.1 FIN7 has also used an open directory web server as a staging server for payloads and other tools, such as OpenSSH and 7zip.23
enterprise T1608.004 Drive-by Target FIN7 has compromised a digital product website and modified multiple download links to point to trojanized versions of offered digital products.1
enterprise T1608.005 Link Target FIN7 has created a fake link that redirected to an adversary-controlled Dropbox that downloaded the malicious executable.15
enterprise T1558 Steal or Forge Kerberos Tickets -
enterprise T1558.003 Kerberoasting FIN7 has used Kerberoasting PowerShell commands such as Invoke-Kerberoast for credential access and to enable lateral movement.91
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.25
enterprise T1195 Supply Chain Compromise -
enterprise T1195.002 Compromise Software Supply Chain FIN7 has gained initial access by compromising a victim’s software supply chain.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.4
enterprise T1218.011 Rundll32 FIN7 has used rundll32.exe to execute malware on a compromised network.1
enterprise T1082 System Information Discovery FIN7 has used csvde.exe, which is a built-in Windows command line tool, to export system information. Additionally, WsTaskLoad has gathered system information, such as operating system and hostname.15
enterprise T1033 System Owner/User Discovery FIN7 has used the command cmd.exe /C quser to collect user session information.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution FIN7 has started the SSH service by executing sc start sshd.15
enterprise T1124 System Time Discovery FIN7 has used the PowerShell script 3CF9.ps1 to execute net time.15
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link FIN7 has used malicious links to lure victims into downloading malware.9
enterprise T1204.002 Malicious File FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.4179 Additionally, FIN7 has used malicious Microsoft Word and Excel files and Leo VBS to distribute an updated version of JSS Loader and to distribute the Harpy backdoor.22
enterprise T1078 Valid Accounts FIN7 has harvested valid administrative credentials for lateral movement.9
enterprise T1078.003 Local Accounts FIN7 has used compromised credentials for access as SYSTEM on Exchange servers.11
enterprise T1125 Video Capture FIN7 created a custom video recording capability that could be used to monitor operations in the victim’s environment.520
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.002 User Activity Based Checks FIN7 used images embedded into document lures that only activate the payload when a user double-clicks, to avoid sandboxes.4
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.5
enterprise T1047 Windows Management Instrumentation FIN7 has used WMI to install malware on targeted systems.17
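
As an added example (not MITRE ATT&CK's code and not FIN7 tooling), the following Python flags a host only when several of the OpenSSH persistence and discovery commands listed above occur together on it: net group "Domain Admins" /domain, tasklist /v, net time, attrib +h on C:\ProgramData\ssh, the firewall rules for TCP 59999 and sshd.exe on 9898, sc start sshd, and a csvde export, plus a parent process named WsTaskLoad.exe. The event tuples are constructed; the netsh advfirewall "add rule" syntax and the csvde -f output flag are assumptions about how those actions would appear on a process-creation command line.

```python
"""Flag hosts showing the FIN7 OpenSSH persistence and discovery chain.

Added example, not MITRE ATT&CK or FIN7 code. Input is a constructed list of
Windows process-creation events (Sysmon Event ID 1 / Security 4688 reduced to
host, parent image and command line). Assumptions: the firewall rules appear
as "netsh advfirewall ... add rule" lines and the AD export as "csvde -f".
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    parent: str     # full path of the parent image
    cmdline: str    # command line of the created process


# Command-line indicators, each labelled with the ATT&CK technique it maps to.
RULES = {
    "T1087.002/T1069.002 net group Domain Admins":
        re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?domain admins"?\s+/domain', re.I),
    "T1057 tasklist /v":
        re.compile(r'\btasklist(?:\.exe)?\s+/v\b', re.I),
    "T1124 net time":
        re.compile(r'\bnet1?(?:\.exe)?\s+time\b', re.I),
    "T1564.001 attrib +h on the ssh folder":
        re.compile(r'\battrib(?:\.exe)?\s+\+h\s+"?C:\\ProgramData\\ssh\b', re.I),
    "T1562.004 firewall rule for TCP 59999/9898 or sshd.exe":
        re.compile(r'\bnetsh\b.*\badd\s+rule\b.*(?:sshd\.exe|localport=(?:59999|9898)\b)', re.I),
    "T1569.002 sc start sshd":
        re.compile(r'\bsc(?:\.exe)?\s+start\s+sshd\b', re.I),
    "T1082 csvde export":
        re.compile(r'\bcsvde(?:\.exe)?\s+-f\b', re.I),
}
PARENT_RULE = "T1036.005 parent named WsTaskLoad.exe"


def match_rules(ev: Event) -> list[str]:
    """Return the labels of every indicator present in one event."""
    hits = [name for name, rx in RULES.items() if rx.search(ev.cmdline)]
    # The page reports a malicious executable reusing the Wondershare name WsTaskLoad.exe.
    if ev.parent.rsplit("\\", 1)[-1].lower() == "wstaskload.exe":
        hits.append(PARENT_RULE)
    return hits


def score_hosts(events, min_hits: int = 3) -> dict[str, list[str]]:
    """Flag a host only when at least min_hits distinct indicators occur on it.

    tasklist /v or net time alone is routine admin noise; the signal is the
    combination of discovery, hiding the ssh folder, opening the firewall and
    starting sshd on the same host.
    """
    per_host: dict[str, set[str]] = {}
    for ev in events:
        for name in match_rules(ev):
            per_host.setdefault(ev.host, set()).add(name)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_hits}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # WS01: the chain the page attributes to 3CF9.ps1 / WsTaskLoad.
    Event("WS01", r"C:\Users\Public\WsTaskLoad.exe", r'cmd.exe /c net group "Domain Admins" /domain'),
    Event("WS01", r"C:\Users\Public\WsTaskLoad.exe", "tasklist /v"),
    Event("WS01", PS, "net time"),
    Event("WS01", PS, r'attrib +h "C:\ProgramData\ssh"'),
    Event("WS01", PS, 'netsh advfirewall firewall add rule name="sshd" dir=in '
                      'action=allow protocol=TCP localport=59999'),
    Event("WS01", PS, "sc start sshd"),
    # WS02: an administrator troubleshooting; two noisy indicators, no chain.
    Event("WS02", r"C:\Windows\System32\cmd.exe", "tasklist /v"),
    Event("WS02", r"C:\Windows\System32\cmd.exe", r"net time \\DC01"),
]

if __name__ == "__main__":
    for host, hits in score_hosts(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(hits))
```

Lowering min_hits to 2 makes WS02 appear as well, which is the trade-off to tune against the baseline of legitimate administrative activity in the environment.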

Software

ID Name References Techniques
S0552 AdFind 9 Domain Account:Account Discovery Domain Trust Discovery Domain Groups:Permission Groups Discovery Remote System Discovery System Network Configuration Discovery
S0415 BOOSTWRITE 25 Deobfuscate/Decode Files or Information DLL:Hijack Execution Flow Encrypted/Encoded File:Obfuscated Files or Information Shared Modules Code Signing:Subvert Trust Controls
S0030 Carbanak 1252013918115 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Local Account:Create Account Standard Encoding:Data Encoding Data Transfer Size Limits Local Email Collection:Email Collection Symmetric Cryptography:Encrypted Channel File Deletion:Indicator Removal Keylogging:Input Capture Obfuscated Files or Information OS Credential Dumping Process Discovery Portable Executable Injection:Process Injection Query Registry Remote Access Tools Remote Desktop Protocol:Remote Services Screen Capture
S0154 Cobalt Strike 9181 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Parent PID Spoofing:Access Token Manipulation Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Domain Account:Account Discovery DNS:Application Layer Protocol Web Protocols:Application Layer Protocol File Transfer Protocols:Application Layer Protocol BITS Jobs Browser Session Hijacking JavaScript:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Python:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol or Service Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup LSASS Memory:OS Credential Dumping Security Account Manager:OS Credential Dumping Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery Process Discovery Dynamic-link Library Injection:Process Injection Process Hollowing:Process Injection Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Remote Desktop Protocol:Remote Services SSH:Remote Services Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0488 CrackMapExec 9 Domain Account:Account Discovery Password Spraying:Brute Force Password Guessing:Brute Force Brute Force PowerShell:Command and Scripting Interpreter File and Directory Discovery Local Storage Discovery Modify Registry Network Share Discovery Security Account Manager:OS Credential Dumping NTDS:OS Credential Dumping LSA Secrets:OS Credential Dumping Password Policy Discovery Domain Groups:Permission Groups Discovery Remote System Discovery At:Scheduled Task/Job System Network Configuration Discovery System Network Connections Discovery Pass the Hash:Use Alternate Authentication Material Windows Management Instrumentation
S0417 GRIFFON 2691811 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Domain Groups:Permission Groups Discovery Scheduled Task:Scheduled Task/Job Screen Capture System Information Discovery System Time Discovery
S0151 HALFBAKED 45 PowerShell:Command and Scripting Interpreter File Deletion:Indicator Removal Process Discovery Screen Capture System Information Discovery Windows Management Instrumentation
S0648 JSS Loader 911 Visual Basic:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Ingress Tool Transfer Spearphishing Attachment:Phishing Scheduled Task:Scheduled Task/Job Malicious File:User Execution
S0681 Lizar 2928 Email Account:Account Discovery Archive Collected Data Browser Information Discovery Windows Command Shell:Command and Scripting Interpreter Python:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Non-Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Encrypted Channel Ingress Tool Transfer Native API Non-Application Layer Protocol Obfuscated Files or Information Tool:Obtain Capabilities LSASS Memory:OS Credential Dumping Process Discovery Process Injection Dynamic-link Library Injection:Process Injection Portable Executable Injection:Process Injection Reflective Code Loading Screen Capture Security Software Discovery:Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery
S0449 Maze 11 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Data Encrypted for Impact Dynamic Resolution Run Virtual Instance:Hide Artifacts Disable or Modify Tools:Impair Defenses Indicator Removal Inhibit System Recovery Masquerade Task or Service:Masquerading Native API Junk Code Insertion:Obfuscated Files or Information Obfuscated Files or Information Process Discovery Dynamic-link Library Injection:Process Injection Scheduled Task:Scheduled Task/Job Service Stop Msiexec:System Binary Proxy Execution System Information Discovery System Language Discovery:System Location Discovery System Network Connections Discovery System Shutdown/Reboot Windows Management Instrumentation
S0002 Mimikatz 9 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Golden Ticket:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S0517 Pillowmint 279 Archive Collected Data PowerShell:Command and Scripting Interpreter Data from Local System Deobfuscate/Decode Files or Information Application Shimming:Event Triggered Execution Clear Persistence:Indicator Removal File Deletion:Indicator Removal Modify Registry Native API Obfuscated Files or Information Compression:Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Process Discovery Asynchronous Procedure Call:Process Injection Query Registry
S0145 POWERSOURCE 12 DNS:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter NTFS File Attributes:Hide Artifacts Ingress Tool Transfer Query Registry
S0194 PowerSploit 91 Access Token Manipulation Local Account:Account Discovery Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Windows Credential Manager:Credentials from Password Stores Data from Local System Domain Trust Discovery Path Interception by PATH Environment Variable:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow DLL:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Keylogging:Input Capture Indicator Removal from Tools:Obfuscated Files or Information Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Reflective Code Loading Scheduled Task:Scheduled Task/Job Screen Capture Kerberoasting:Steal or Forge Kerberos Tickets Credentials in Registry:Unsecured Credentials Group Policy Preferences:Unsecured Credentials Windows Management Instrumentation
S0416 RDFSNIFFER 25 File Deletion:Indicator Removal Credential API Hooking:Input Capture Native API
S0496 REvil 1391811 Create Process with Token:Access Token Manipulation Token Impersonation/Theft:Access Token Manipulation Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Data Destruction Data Encrypted for Impact Deobfuscate/Decode Files or Information Drive-by Compromise Asymmetric Cryptography:Encrypted Channel Mutual Exclusion:Execution Guardrails Exfiltration Over C2 Channel File and Directory Discovery Safe Mode Boot:Impair Defenses Disable or Modify Tools:Impair Defenses File Deletion:Indicator Removal Ingress Tool Transfer Inhibit System Recovery Local Storage Discovery Loss of Productivity and Revenue Match Legitimate Resource Name or Location:Masquerading Masquerading Modify Registry Native API Encrypted/Encoded File:Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Domain Groups:Permission Groups Discovery Spearphishing Attachment:Phishing Process Injection Query Registry Remote Services Scripting Service Stop Service Stop Standard Application Layer Protocol System Information Discovery System Language Discovery:System Location Discovery System Service Discovery Theft of Operational Information Malicious File:User Execution User Execution Windows Management Instrumentation
S0390 SQLRat 14 Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Deobfuscate/Decode Files or Information File Deletion:Indicator Removal Ingress Tool Transfer Command Obfuscation:Obfuscated Files or Information Scheduled Task:Scheduled Task/Job Malicious File:User Execution
S0146 TEXTMATE 12 DNS:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter

References


  1. Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022. 

  2. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. 

  3. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. 

  4. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. 

  5. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. 

  6. CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021. 

  7. Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017. 

  8. Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017. 

  9. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  10. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. 

  11. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023. 

  12. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017. 

  13. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. 

  14. The BlackBerry Research and Intelligence Team. (2024, April 17). Threat Group FIN7 Targets the U.S. Automotive Industry. Retrieved May 1, 2025. 

  15. Gemini Advisory. (2022, January 13). FIN7 Uses Flash Drives to Spread Remote Access Trojan. Retrieved May 14, 2025. 

  16. eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc.. Retrieved September 20, 2021. 

  17. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022. 

  18. Waterman, S. (2017, October 16). Fin7 weaponization of DDE is just their latest slick move, say researchers. Retrieved November 21, 2017. 

  19. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018. 

  20. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. 

  21. Loui, E., Reynolds, J. (2021, November 4). CARBON SPIDER Embraces Big Game Hunting, Part 2. Retrieved May 7, 2025. 

  22. Cocomazzi, Antonio. (2024, July 17). FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks. Retrieved September 24, 2025. 

  23. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  24. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019. 

  25. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019. 

  26. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020. 

  27. Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022. 

  28. Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.