Threat Actor Profile
High APT
Description

FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)(Citation: BiZone Lizar May 2021)

Confidence Score
90%
Known Aliases
FIN7, GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, Sangria Tempest
Tags
mitre-attack, stix-2.1, intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (67)
T1005 - Data from Local System
Collection
T1113 - Screen Capture
Collection
T1125 - Video Capture
Collection
T1008 - Fallback Channels
Command and Control
T1071.004 - DNS
Command and Control
T1102.002 - Bidirectional Communication
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1219 - Remote Access Tools
Command and Control
T1571 - Non-Standard Port
Command and Control
T1572 - Protocol Tunneling
Command and Control
T1558.003 - Kerberoasting
Credential Access
T1027.010 - Command Obfuscation
Defense Evasion
T1027.016 - Junk Code Insertion
Defense Evasion
T1036.004 - Masquerade Task or Service
Defense Evasion
T1036.005 - Match Legitimate Resource Name or Locat…
Defense Evasion
T1078 - Valid Accounts
Defense Evasion
T1078.003 - Local Accounts
Defense Evasion
T1140 - Deobfuscate/Decode Files or Information
Defense Evasion
T1218.005 - Mshta
Defense Evasion
T1218.011 - Rundll32
Defense Evasion
T1497.002 - User Activity Based Checks
Defense Evasion
T1553.002 - Code Signing
Defense Evasion
T1562.004 - Disable or Modify System Firewall
Defense Evasion
T1564.001 - Hidden Files and Directories
Defense Evasion
T1564.003 - Hidden Window
Defense Evasion
T1620 - Reflective Code Loading
Defense Evasion
T1033 - System Owner/User Discovery
Discovery
T1057 - Process Discovery
Discovery
T1069.002 - Domain Groups
Discovery
T1082 - System Information Discovery
Discovery
T1087.002 - Domain Account
Discovery
T1124 - System Time Discovery
Discovery
T1047 - Windows Management Instrumentation
Execution
T1053.005 - Scheduled Task
Execution
T1059 - Command and Scripting Interpreter
Execution
T1059.001 - PowerShell
Execution
T1059.003 - Windows Command Shell
Execution
T1059.005 - Visual Basic
Execution
T1059.007 - JavaScript
Execution
T1204.001 - Malicious Link
Execution
T1204.002 - Malicious File
Execution
T1559.002 - Dynamic Data Exchange
Execution
T1569.002 - Service Execution
Execution
T1674 - Input Injection
Execution
T1567.002 - Exfiltration to Cloud Storage
Exfiltration
T1486 - Data Encrypted for Impact
Impact
T1190 - Exploit Public-Facing Application
Initial Access
T1195.002 - Compromise Software Supply Chain
Initial Access
T1566.001 - Spearphishing Attachment
Initial Access
T1566.002 - Spearphishing Link
Initial Access
T1021.001 - Remote Desktop Protocol
Lateral Movement
T1021.004 - SSH
Lateral Movement
T1021.005 - VNC
Lateral Movement
T1091 - Replication Through Removable Media
Lateral Movement
T1210 - Exploitation of Remote Services
Lateral Movement
T1543.003 - Windows Service
Persistence
T1547.001 - Registry Run Keys / Startup Folder
Persistence
T1546.011 - Application Shimming
Privilege Escalation
T1591 - Gather Victim Org Information
Reconnaissance
T1591.004 - Identify Roles
Reconnaissance
T1583.001 - Domains
Resource Development
T1583.006 - Web Services
Resource Development
T1587.001 - Malware
Resource Development
T1588.002 - Tool
Resource Development
T1608.001 - Upload Malware
Resource Development
T1608.004 - Drive-by Target
Resource Development
T1608.005 - Link Target
Resource Development
STIX Data
{'aliases': ['FIN7',
             'GOLD NIAGARA',
             'ITG14',
             'Carbon Spider',
             'ELBRUS',
             'Sangria Tempest'],
 'created': '2017-05-31T21:32:09.460Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[FIN7](https://attack.mitre.org/groups/G0046) is a '
                'financially-motivated threat group that has been active since '
                '2013. [FIN7](https://attack.mitre.org/groups/G0046) has '
                'targeted the retail, restaurant, hospitality, software, '
                'consulting, financial services, medical equipment, cloud '
                'services, media, food and beverage, transportation, '
                'pharmaceutical, and utilities industries in the United '
                'States. A portion of '
                '[FIN7](https://attack.mitre.org/groups/G0046) was operated '
                'out of a front company called Combi Security and often used '
                'point-of-sale malware for targeting efforts. Since 2020, '
                '[FIN7](https://attack.mitre.org/groups/G0046) shifted '
                'operations to big game hunting (BGH), including use of '
                '[REvil](https://attack.mitre.org/software/S0496) ransomware '
                'and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 '
                'may be linked to the '
                '[Carbanak](https://attack.mitre.org/groups/G0008) Group, but '
                'multiple threat groups have been observed using '
                '[Carbanak](https://attack.mitre.org/software/S0030), leading '
                'these groups to be tracked separately.(Citation: FireEye FIN7 '
                'March 2017)(Citation: FireEye FIN7 April 2017)(Citation: '
                'FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug '
                '2018)(Citation: CrowdStrike Carbon Spider August '
                '2021)(Citation: Mandiant FIN7 Apr 2022)(Citation: BiZone '
                'Lizar May 2021)',
 'external_references': [{'external_id': 'G0046',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0046'},
                         {'description': '(Citation: CrowdStrike Carbon Spider '
                                         'August 2021)',
                          'source_name': 'Carbon Spider'},
                         {'description': '(Citation: FireEye FIN7 March 2017) '
                                         '(Citation: FireEye FIN7 April 2017) '
                                         '(Citation: Morphisec FIN7 June 2017) '
                                         '(Citation: FireEye FIN7 Shim '
                                         'Databases) (Citation: FireEye FIN7 '
                                         'Aug 2018)',
                          'source_name': 'FIN7'},
                         {'description': '(Citation: Microsoft Ransomware as a '
                                         'Service)',
                          'source_name': 'ELBRUS'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Sangria Tempest'},
                         {'description': '(Citation: Secureworks GOLD NIAGARA '
                                         'Threat Profile)',
                          'source_name': 'GOLD NIAGARA'},
                         {'description': 'Abdo, B., et al. (2022, April 4). '
                                         'FIN7 Power Hour: Adversary '
                                         'Archaeology and the Evolution of '
                                         'FIN7. Retrieved April 5, 2022.',
                          'source_name': 'Mandiant FIN7 Apr 2022',
                          'url': 'https://www.mandiant.com/resources/evolution-of-fin7'},
                         {'description': 'Bennett, J., Vengerik, B. (2017, '
                                         'June 12). Behind the CARBANAK '
                                         'Backdoor. Retrieved June 11, 2018.',
                          'source_name': 'FireEye CARBANAK June 2017',
                          'url': 'https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html'},
                         {'description': 'BI.ZONE Cyber Threats Research Team. '
                                         '(2021, May 13). From pentest to APT '
                                         'attack: cybercriminal group FIN7 '
                                         'disguises its malware as an ethical '
                                         'hacker’s toolkit. Retrieved February '
                                         '2, 2022.',
                          'source_name': 'BiZone Lizar May 2021',
                          'url': 'https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319'},
                         {'description': 'Carr, N., et al. (2017, April 24). '
                                         'FIN7 Evolution and the Phishing LNK. '
                                         'Retrieved April 24, 2017.',
                          'source_name': 'FireEye FIN7 April 2017',
                          'url': 'https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html'},
                         {'description': 'Carr, N., et al. (2018, August 01). '
                                         'On the Hunt for FIN7: Pursuing an '
                                         'Enigmatic and Evasive Global '
                                         'Criminal Operation. Retrieved August '
                                         '23, 2018.',
                          'source_name': 'FireEye FIN7 Aug 2018',
                          'url': 'https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html'},
                         {'description': 'CTU. (n.d.). GOLD NIAGARA. Retrieved '
                                         'September 21, 2021.',
                          'source_name': 'Secureworks GOLD NIAGARA Threat '
                                         'Profile',
                          'url': 'https://www.secureworks.com/research/threat-profiles/gold-niagara'},
                         {'description': 'Erickson, J., McWhirt, M., Palombo, '
                                         'D. (2017, May 3). To SDB, Or Not To '
                                         'SDB: FIN7 Leveraging Shim Databases '
                                         'for Persistence. Retrieved July 18, '
                                         '2017.',
                          'source_name': 'FireEye FIN7 Shim Databases',
                          'url': 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html'},
                         {'description': 'Gorelik, M.. (2017, June 9). FIN7 '
                                         'Takes Another Bite at the Restaurant '
                                         'Industry. Retrieved July 13, 2017.',
                          'source_name': 'Morphisec FIN7 June 2017',
                          'url': 'http://blog.morphisec.com/fin7-attacks-restaurant-industry'},
                         {'description': 'ITG14 shares campaign overlap with '
                                         '[FIN7](https://attack.mitre.org/groups/G0046).(Citation: '
                                         'IBM Ransomware Trends September '
                                         '2020)',
                          'source_name': 'ITG14'},
                         {'description': 'Loui, E. and Reynolds, J. (2021, '
                                         'August 30). CARBON SPIDER Embraces '
                                         'Big Game Hunting, Part 1. Retrieved '
                                         'September 20, 2021.',
                          'source_name': 'CrowdStrike Carbon Spider August '
                                         '2021',
                          'url': 'https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'Microsoft. (2022, May 9). Ransomware '
                                         'as a service: Understanding the '
                                         'cybercrime gig economy and how to '
                                         'protect yourself. Retrieved March '
                                         '10, 2023.',
                          'source_name': 'Microsoft Ransomware as a Service',
                          'url': 'https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/'},
                         {'description': 'Miller, S., et al. (2017, March 7). '
                                         'FIN7 Spear Phishing Campaign Targets '
                                         'Personnel Involved in SEC Filings. '
                                         'Retrieved March 8, 2017.',
                          'source_name': 'FireEye FIN7 March 2017',
                          'url': 'https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html'},
                         {'description': 'Singleton, C. and Kiefer, C. (2020, '
                                         'September 28). Ransomware 2020: '
                                         'Attack Trends Affecting '
                                         'Organizations Worldwide. Retrieved '
                                         'September 20, 2021.',
                          'source_name': 'IBM Ransomware Trends September 2020',
                          'url': 'https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/'}],
 'id': 'intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc',
 'modified': '2025-10-24T03:18:58.136Z',
 'name': 'FIN7',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_contributors': ['Edward Millington',
                          'Eric Loui, CrowdStrike Intelligence',
                          'Serhii Melnyk, Trustwave SpiderLabs'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack', 'ics-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '4.1'}