Threat Actor Profile
High APT
Description

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)

Confidence Score
90%
Known Aliases
FIN6, Magecart Group 6, ITG08, Skeleton Spider, TAAL, Camouflage Tempest
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (40)
T1005 - Data from Local System (Collection)
T1074.002 - Remote Data Staging (Collection)
T1119 - Automated Collection (Collection)
T1213.006 - Databases (Collection)
T1560 - Archive Collected Data (Collection)
T1560.003 - Archive via Custom Method (Collection)
T1095 - Non-Application Layer Protocol (Command and Control)
T1102 - Web Service (Command and Control)
T1572 - Protocol Tunneling (Command and Control)
T1573.002 - Asymmetric Cryptography (Command and Control)
T1003.001 - LSASS Memory (Credential Access)
T1003.003 - NTDS (Credential Access)
T1110.002 - Password Cracking (Credential Access)
T1555 - Credentials from Password Stores (Credential Access)
T1555.003 - Credentials from Web Browsers (Credential Access)
T1027.010 - Command Obfuscation (Defense Evasion)
T1036.004 - Masquerade Task or Service (Defense Evasion)
T1070.004 - File Deletion (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1134 - Access Token Manipulation (Defense Evasion)
T1553.002 - Code Signing (Defense Evasion)
T1562.001 - Disable or Modify Tools (Defense Evasion)
T1018 - Remote System Discovery (Discovery)
T1046 - Network Service Discovery (Discovery)
T1087.002 - Domain Account (Discovery)
T1047 - Windows Management Instrumentation (Execution)
T1053.005 - Scheduled Task (Execution)
T1059 - Command and Scripting Interpreter (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1059.007 - JavaScript (Execution)
T1204.002 - Malicious File (Execution)
T1569.002 - Service Execution (Execution)
T1048.003 - Exfiltration Over Unencrypted Non-C2 Pr… (Exfiltration)
T1566.001 - Spearphishing Attachment (Initial Access)
T1566.003 - Spearphishing via Service (Initial Access)
T1021.001 - Remote Desktop Protocol (Lateral Movement)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
T1068 - Exploitation for Privilege Escalation (Privilege Escalation)
T1588.002 - Tool (Resource Development)
STIX Data
{'aliases': ['FIN6',
             'Magecart Group 6',
             'ITG08',
             'Skeleton Spider',
             'TAAL',
             'Camouflage Tempest'],
 'created': '2017-05-31T21:32:06.015Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[FIN6](https://attack.mitre.org/groups/G0037) is a cyber '
                'crime group that has stolen payment card data and sold it for '
                'profit on underground marketplaces. This group has '
                'aggressively targeted and compromised point of sale (PoS) '
                'systems in the hospitality and retail sectors.(Citation: '
                'FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)',
 'external_references': [{'external_id': 'G0037',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0037'},
                         {'description': '(Citation: Crowdstrike Global Threat '
                                         'Report Feb 2018)',
                          'source_name': 'Skeleton Spider'},
                         {'description': '(Citation: FireEye FIN6 April 2016)',
                          'source_name': 'FIN6'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'TAAL'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Camouflage Tempest'},
                         {'description': '(Citation: Security Intelligence '
                                         'ITG08 April 2020)',
                          'source_name': 'Magecart Group 6'},
                         {'description': '(Citation: Security Intelligence '
                                         'More Eggs Aug 2019)',
                          'source_name': 'ITG08'},
                         {'description': 'CrowdStrike. (2018, February 26). '
                                         'CrowdStrike 2018 Global Threat '
                                         'Report. Retrieved October 10, 2018.',
                          'source_name': 'Crowdstrike Global Threat Report Feb '
                                         '2018',
                          'url': 'https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report'},
                         {'description': 'FireEye Threat Intelligence. (2016, '
                                         'April). Follow the Money: Dissecting '
                                         'the Operations of the Cyber Crime '
                                         'Group FIN6. Retrieved November 17, '
                                         '2024.',
                          'source_name': 'FireEye FIN6 April 2016',
                          'url': 'https://web.archive.org/web/20190807112824/https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf'},
                         {'description': 'McKeague, B. et al. (2019, April 5). '
                                         'Pick-Six: Intercepting a FIN6 '
                                         'Intrusion, an Actor Recently Tied to '
                                         'Ryuk and LockerGoga Ransomware. '
                                         'Retrieved April 17, 2019.',
                          'source_name': 'FireEye FIN6 Apr 2019',
                          'url': 'https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'Villadsen, O. (2020, April 7). ITG08 '
                                         '(aka FIN6) Partners With TrickBot '
                                         'Gang, Uses Anchor Framework. '
                                         'Retrieved October 8, 2020.',
                          'source_name': 'Security Intelligence ITG08 April '
                                         '2020',
                          'url': 'https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/'},
                         {'description': 'Villadsen, O.. (2019, August 29). '
                                         'More_eggs, Anyone? Threat Actor '
                                         'ITG08 Strikes Again. Retrieved '
                                         'September 16, 2019.',
                          'source_name': 'Security Intelligence More Eggs Aug '
                                         '2019',
                          'url': 'https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/'}],
 'id': 'intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb',
 'modified': '2024-11-17T14:59:25.749Z',
 'name': 'FIN6',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Center for Threat-Informed Defense (CTID)',
                          'Drew Church, Splunk'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack', 'ics-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '4.0'}