Threat Actor Profile
High APT
Description

FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

Confidence Score
90%
Known Aliases
FIN13, Elephant Beetle
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (53)
T1005 - Data from Local System (Collection)
T1056.001 - Keylogging (Collection)
T1074.001 - Local Data Staging (Collection)
T1560.001 - Archive via Utility (Collection)
T1071.001 - Web Protocols (Command and Control)
T1090.001 - Internal Proxy (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1572 - Protocol Tunneling (Command and Control)
T1003.001 - LSASS Memory (Credential Access)
T1003.002 - Security Account Manager (Credential Access)
T1003.003 - NTDS (Credential Access)
T1552.001 - Credentials In Files (Credential Access)
T1556 - Modify Authentication Process (Credential Access)
T1036 - Masquerading (Defense Evasion)
T1036.004 - Masquerade Task or Service (Defense Evasion)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1078.001 - Default Accounts (Defense Evasion)
T1134.003 - Make and Impersonate Token (Defense Evasion)
T1140 - Deobfuscate/Decode Files or Information (Defense Evasion)
T1550.002 - Pass the Hash (Defense Evasion)
T1564.001 - Hidden Files and Directories (Defense Evasion)
T1016 - System Network Configuration Discovery (Discovery)
T1016.001 - Internet Connection Discovery (Discovery)
T1046 - Network Service Discovery (Discovery)
T1049 - System Network Connections Discovery (Discovery)
T1069 - Permission Groups Discovery (Discovery)
T1082 - System Information Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1087 - Account Discovery (Discovery)
T1087.002 - Domain Account (Discovery)
T1135 - Network Share Discovery (Discovery)
T1047 - Windows Management Instrumentation (Execution)
T1053.005 - Scheduled Task (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1059.005 - Visual Basic (Execution)
T1565 - Data Manipulation (Impact)
T1657 - Financial Theft (Impact)
T1190 - Exploit Public-Facing Application (Initial Access)
T1021.001 - Remote Desktop Protocol (Lateral Movement)
T1021.002 - SMB/Windows Admin Shares (Lateral Movement)
T1021.004 - SSH (Lateral Movement)
T1021.006 - Windows Remote Management (Lateral Movement)
T1098.007 - Additional Local or Domain Groups (Persistence)
T1133 - External Remote Services (Persistence)
T1136.001 - Local Account (Persistence)
T1505.003 - Web Shell (Persistence)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
T1574.001 - DLL (Persistence)
T1589 - Gather Victim Identity Information (Reconnaissance)
T1590.004 - Network Topology (Reconnaissance)
T1587.001 - Malware (Resource Development)
T1588.002 - Tool (Resource Development)
Indicators of Compromise
STIX Data
{'aliases': ['FIN13', 'Elephant Beetle'],
 'created': '2023-07-27T15:24:02.162Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[FIN13](https://attack.mitre.org/groups/G1016) is a '
                'financially motivated cyber threat group that has targeted '
                'the financial, retail, and hospitality industries in Mexico '
                'and Latin America, as early as 2016. '
                '[FIN13](https://attack.mitre.org/groups/G1016) achieves its '
                'objectives by stealing intellectual property, financial data, '
                'mergers and acquisition information, or PII.(Citation: '
                'Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan '
                '2022)',
 'external_references': [{'external_id': 'G1016',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1016'},
                         {'description': '(Citation: Sygnia Elephant Beetle '
                                         'Jan 2022)',
                          'source_name': 'Elephant Beetle'},
                         {'description': 'Sygnia Incident Response Team. '
                                         '(2022, January 5). TG2003: ELEPHANT '
                                         'BEETLE UNCOVERING AN ORGANIZED '
                                         'FINANCIAL-THEFT OPERATION. Retrieved '
                                         'February 9, 2023.',
                          'source_name': 'Sygnia Elephant Beetle Jan 2022',
                          'url': 'https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d'},
                         {'description': 'Ta, V., et al. (2022, August 8). '
                                         'FIN13: A Cybercriminal Threat Actor '
                                         'Focused on Mexico. Retrieved '
                                         'February 9, 2023.',
                          'source_name': 'Mandiant FIN13 Aug 2022',
                          'url': 'https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico'}],
 'id': 'intrusion-set--fd66436e-4d33-450e-ac4c-f7810f1c85f4',
 'modified': '2023-09-29T19:08:47.861Z',
 'name': 'FIN13',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Oren Biderman, Sygnia', 'Noam Lifshitz, Sygnia'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}