Threat Actor Profile
High APT
Description

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye FIN4 Stealing Insider NOV 2014) FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)

Confidence Score
90%
Known Aliases
FIN4
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

At least 2013 (per the description above; the exact start of activity is not known)

Last Updated

2024-11-17 (modified timestamp of the STIX object on this profile)

Active Status
Active (platform status; the public reporting cited on this profile dates from late 2014, so treat this as unconfirmed)
Created

April 29, 2026

MITRE ATT&CK Techniques (12)
T1056.001 - Keylogging
Collection
T1056.002 - GUI Input Capture
Collection
T1114.002 - Remote Email Collection
Collection
T1071.001 - Web Protocols
Command and Control
T1090.003 - Multi-hop Proxy
Command and Control
T1078 - Valid Accounts
Defense Evasion
T1564.008 - Email Hiding Rules
Defense Evasion
T1059.005 - Visual Basic
Execution
T1204.001 - Malicious Link
Execution
T1204.002 - Malicious File
Execution
T1566.001 - Spearphishing Attachment
Initial Access
T1566.002 - Spearphishing Link
Initial Access
Indicators of Compromise

None listed on this profile. FIN4 worked with stolen credentials rather than persistent malware, so file hashes and implant infrastructure are unlikely to help; hunt instead on account and mailbox behaviour (sign-ins from unfamiliar sources, new or changed inbox rules, mailbox access from unexpected clients) mapped to the techniques above.

STIX Data
{
  "type": "intrusion-set",
  "spec_version": "2.1",
  "id": "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "created": "2019-01-31T02:01:45.129Z",
  "modified": "2024-11-17T15:57:47.485Z",
  "name": "FIN4",
  "aliases": ["FIN4"],
  "description": "[FIN4](https://attack.mitre.org/groups/G0085) is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye FIN4 Stealing Insider NOV 2014) [FIN4](https://attack.mitre.org/groups/G0085) is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)",
  "external_references": [
    {
      "source_name": "mitre-attack",
      "external_id": "G0085",
      "url": "https://attack.mitre.org/groups/G0085"
    },
    {
      "source_name": "FIN4",
      "description": "(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye FIN4 Stealing Insider NOV 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)"
    },
    {
      "source_name": "FireEye FIN4 Stealing Insider NOV 2014",
      "description": "Dennesen, K. et al.. (2014, November 30). FIN4: Stealing Insider Information for an Advantage in Stock Trading?. Retrieved November 17, 2024.",
      "url": "https://web.archive.org/web/20190508171649/https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html"
    },
    {
      "source_name": "FireEye Hacking FIN4 Video Dec 2014",
      "description": "Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.",
      "url": "https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html"
    },
    {
      "source_name": "FireEye Hacking FIN4 Dec 2014",
      "description": "Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.",
      "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf"
    }
  ],
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.2"
}
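To use this object operationally a practitioner usually wants two things: a sanity check that the feed record is well-formed STIX 2.1 before it is loaded into a TIP, and the technique list rendered as an ATT&CK Navigator layer. The block below is an added example (not the platform's, MITRE's or the Navigator project's code) that does both in Python. FIN4_STIX is the page's own object trimmed to the fields used, the technique/tactic pairs are transcribed from the list above, and the Navigator version numbers are assumptions to be matched to your installation.

```python
"""Validate this profile's STIX intrusion-set and emit an ATT&CK Navigator layer.

Added example, not the platform's or MITRE's code. FIN4_STIX is the page's own
object trimmed to the fields used; FIN4_TECHNIQUES is transcribed from the
profile's technique list; Navigator version numbers are assumed.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

FIN4_STIX = {
    "type": "intrusion-set",
    "spec_version": "2.1",
    "id": "intrusion-set--d0b3393b-3bec-4ba3-bda9-199d30db47b6",
    "name": "FIN4",
    "aliases": ["FIN4"],
    "modified": "2024-11-17T15:57:47.485Z",
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "G0085",
         "url": "https://attack.mitre.org/groups/G0085"},
        {"source_name": "FireEye Hacking FIN4 Dec 2014",
         "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf"},
    ],
    "x_mitre_domains": ["enterprise-attack"],
}

# (technique ID, Navigator tactic slug) pairs from the profile's technique list.
FIN4_TECHNIQUES: List[Tuple[str, str]] = [
    ("T1056.001", "collection"), ("T1056.002", "collection"),
    ("T1114.002", "collection"),
    ("T1071.001", "command-and-control"), ("T1090.003", "command-and-control"),
    ("T1078", "defense-evasion"), ("T1564.008", "defense-evasion"),
    ("T1059.005", "execution"), ("T1204.001", "execution"),
    ("T1204.002", "execution"),
    ("T1566.001", "initial-access"), ("T1566.002", "initial-access"),
]

# STIX 2.1 identifier: <type>--<UUID>; ATT&CK technique: Tnnnn or Tnnnn.nnn.
STIX_ID_RE = re.compile(r"^[a-z][a-z0-9-]+--[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
ATTACK_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def attack_group_id(obj: dict) -> Optional[str]:
    """The Gnnnn identifier from the mitre-attack external reference, if any."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def validate_intrusion_set(obj: dict) -> List[str]:
    """Cheap structural checks before trusting a feed object; empty list = OK."""
    problems = []
    if obj.get("type") != "intrusion-set":
        problems.append(f"unexpected type {obj.get('type')!r}")
    if obj.get("spec_version") != "2.1":
        problems.append("not STIX 2.1")
    if not STIX_ID_RE.match(obj.get("id", "")):
        problems.append(f"malformed id {obj.get('id')!r}")
    if not obj.get("id", "").startswith(str(obj.get("type", "")) + "--"):
        problems.append("id prefix does not match type")
    if attack_group_id(obj) is None:
        problems.append("no mitre-attack external reference")
    return problems


def to_navigator_layer(obj: dict, techniques: List[Tuple[str, str]],
                       score: int = 1, color: str = "#e60d0d") -> dict:
    """Build a Navigator layer (format 4.5) highlighting the given techniques."""
    problems = validate_intrusion_set(obj)
    if problems:
        raise ValueError("; ".join(problems))
    label = f"{obj['name']} ({attack_group_id(obj)})"
    entries: Dict[Tuple[str, str], dict] = {}
    for tid, tactic in techniques:
        if not ATTACK_ID_RE.match(tid):
            raise ValueError(f"bad technique id {tid!r}")
        entries[(tid, tactic)] = {"techniqueID": tid, "tactic": tactic,
                                  "score": score, "color": color,
                                  "comment": label, "enabled": True}
        if "." in tid:  # expand the parent so the sub-technique row is visible
            parent = tid.split(".")[0]
            entries.setdefault((parent, tactic), {"techniqueID": parent,
                                                  "tactic": tactic,
                                                  "showSubtechniques": True})
    return {
        "name": label,
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},  # assumed
        "domain": obj.get("x_mitre_domains", ["enterprise-attack"])[0],
        "description": f"Techniques attributed to {obj['name']}; source object "
                       f"{obj['id']} modified {obj.get('modified', '?')}",
        "techniques": list(entries.values()),
    }


if __name__ == "__main__":
    print(json.dumps(to_navigator_layer(FIN4_STIX, FIN4_TECHNIQUES), indent=2))
```

Redirect the script's output to a .json file and open it in Navigator with "Open Existing Layer"; the parent entries carry no score, so only the twelve attributed techniques are coloured while their sub-technique rows stay expanded.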