{
	"id": "644575dd-1d8a-487a-80ff-53277afec0b5",
	"created_at": "2026-04-06T00:18:45.561259Z",
	"updated_at": "2026-04-10T13:13:10.283735Z",
	"deleted_at": null,
	"sha1_hash": "123faf8678c44ba4d4f6dc3a2d1da8be548c49f8",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97946,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:57:58 UTC\r\n APT group: FIN7\r\nNames\r\nFIN7 (FireEye)\r\nGold Niagara (SecureWorks)\r\nCalcium (Symantec)\r\nNavigator (Fox-IT)\r\nATK 32 (Thales)\r\nAPT-C-11 (Qihoo 360)\r\nITG14 (IBM)\r\nTAG-CR1 (Recorded Future)\r\nGrayAlpha (Recorded Future)\r\nG0046 (MITRE)\r\nCountry Russia\r\nMotivation Financial crime\r\nFirst seen 2013\r\nDescription\r\nFIN7 is a financially-motivated threat group that has primarily targeted the U.S.\r\nretail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi\r\nSecurity. FIN7 is sometimes referred to as Carbanak or Anunak, but these appear to be\r\ntwo groups using the same Carbanak malware and are therefore tracked separately.\r\nThe reported arrests were of the mastermind of Carbanak, not of FIN7.\r\nHowever, security research teams keep referring to this arrest for all FIN7 activities\r\nsince.\r\nObserved\r\nSectors: Casinos and Gambling, Construction, Education, Energy, Financial,\r\nGovernment, High-Tech, Hospitality, Retail, Technology, Telecommunications,\r\nTransportation.\r\nCountries: Australia, France, Malta, UK, USA.\r\nTools used\r\n7Logger, Anubis Backdoor, Astra, Bateleur, BIOLOAD, BIRDWATCH, Boostwrite,\r\nCarbanak, Cobalt Strike, CROWVIEW, DNSMessenger, Griffon, HALFBAKED,\r\nJSSLoader, Lizar, LOADOUT, Meterpreter, Mimikatz, NetSupport Manager,\r\nPOWERPLANT, POWERSOURCE, RDFSNIFFER, Sardonic, SQLRAT.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=c3f1f1ff-7d79-4385-bb5b-340c252c5a77\r\nPage 1 of 6\n\nOperations performed\nFeb 2017\nIn late February 2017, FireEye as a Service (FaaS) identified a spear\nphishing campaign that appeared to be targeting personnel involved\nwith United States Securities and Exchange Commission (SEC)\nfilings at various organizations.\nAll of the observed intended recipients of the spear phishing campaign\nappeared to be involved with SEC filings for their respective\norganizations.\nMar 2017\nTwo recent fileless malware campaigns targeting financial institutions,\ngovernment agencies and other enterprises have been linked to the\nsame attack group.\nThe campaigns, disclosed by Kaspersky Lab and Cisco’s Talos\nresearch outfit in the last five weeks, made extensive use of fileless\nmalware and known penetration testing tools and utilities to spy on\norganizations and move data and money off of networks.\nApr 2017\nIn a newly-identified campaign, FIN7 modified their phishing\ntechniques to implement unique infection and persistence\nmechanisms. FIN7 has moved away from weaponized Microsoft\nOffice macros in order to evade detection. This round of FIN7\nphishing lures implements hidden shortcut files (LNK files) to initiate\nthe infection and VBScript functionality launched by mshta.exe to\ninfect the victim.\nJul 2017\nProofpoint researchers have uncovered that the threat actor commonly\nreferred to as FIN7 has added a new Jscript backdoor called Bateleur\nand updated macros to its toolkit.\n2017 Leveraging Shim Databases for Persistence\nA unique aspect of the incidents was how the group installed the\nCARBANAK backdoor for persistent access. Mandiant identified that\nthe group leveraged an application shim database to achieve\npersistence on systems in multiple environments. The shim injected a\nmalicious in-memory patch into the Services Control Manager\n(“services.exe”) process, and then spawned a CARBANAK backdoor\nprocess.\nJun 2017\nHighly sophisticated fileless attack targeting restaurants across the US\nOn June 7, 2017, Morphisec Lab identified a new, highly\nsophisticated fileless attack targeting restaurants across the US. The\nongoing campaign allows hackers to seize system control and install a\nbackdoor to steal financial information at will. It incorporates some\nnever before seen evasive techniques that allow it to bypass most\nsecurity solutions – signature and behavior based.\nOct 2017\nAttack to target banks and the enterprise\nLike clockwork, FIN7 again unleashed a new attack able to bypass\nalmost every security solution. The attack, which took place between\nOctober 8 and 10, 2017, is yet another demonstration of the high-paced\ninnovation by threat actors.\nMay 2018\nNew Attack Panel and Malware Samples\nFlashpoint analysts recently uncovered a new attack panel used by this\ngroup in campaigns they have called Astra. The panel, written in PHP,\nfunctions as a script-management system, pushing attack scripts down\nto compromised computers.\n2018\nHigh-profile breaches including Red Robin, Chili’s, Arby’s,\nBurgerville, Omni Hotels and Saks Fifth Avenue, among many others.\nFifth Avenue, Saks Off 5th, and Lord \u0026 Taylor department stores—all\nowned by The Hudson’s Bay Company—acknowledged a data breach\nimpacting more than five million credit and debit card numbers. The\nculprits? The same group that’s spent the last few years pulling off\ndata heists from Omni Hotels \u0026 Resorts, Trump Hotels, Jason’s Deli,\nWhole Foods, Chipotle: A mysterious group known as Fin7.\nNov 2018\nIn this blog post, we present our findings on two campaigns, which\noccurred in the first and second weeks of November. These campaigns\nfollow patterns similar to those presented by FireEye in August but\nwith just enough variations to bypass many security vendors.\n2018/2019\nIn 2018-2019, researchers of Kaspersky Lab’s Global Research and\nAnalysis Team analyzed various campaigns that used the same Tactics,\nTechniques and Procedures (TTPs) as the historic FIN7, leading the\nresearchers to believe that this threat actor had remained active despite\nthe 2018 arrests. In addition, during the investigation, we discovered\ncertain similarities to other attacker groups that seemed to share or\ncopy the FIN7 TTPs in their own operations.\nJan 2019\nThe shared codebase with recent tools attributed to FIN7, together\nwith the same techniques and backdoor, allows this new\nloader to be attributed to the cybercrime group. The timestamps, together with simpler\nfunctionality, suggest BIOLOAD is a preceding iteration of\nBOOSTWRITE.\nSince the loader is specifically built for each targeted machine and\nrequires administrative permissions to deploy, it suggests the group\ngathers information about its targets’ networks.\nOct 2019\nIn this blog, we reveal two of FIN7’s new tools that we have called\nBOOSTWRITE and RDFSNIFFER.\nMar 2020\nA US hospitality provider has recently been the target of an incredibly\nrare BadUSB attack, ZDNet has learned from cyber-security firm\nTrustwave.\nThe attack happened after the company received an envelope\ncontaining a fake BestBuy gift card, along with a USB thumb drive.\nJul 2020\nCollaboration between FIN7 and the RYUK group\nDec 2020\nThis report presents an attack chain that was intercepted and\nprevented within a customer’s network in December 2020, and then\nfocuses on a component from a typical FIN7 attack chain - JSSLoader.\nJun 2021\nCybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs to\nDrop Javascript Backdoor\nOct 2021\nFIN7 Recruits Talent For Push Into Ransomware\nJan 2022\nFIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7\nMar 2023\nFIN7 tradecraft seen in attacks against Veeam backup servers\nLate 2023\nThreat Group FIN7 Targets the U.S. Automotive Industry\nApr 2024\nFIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute\nMSIX Payloads\nJul 2024\nFIN7: The Truth Doesn't Need to be so STARK\nJul 2024\nFIN7 hosting honeypot domains with malicious AI DeepNude\nGenerators – New Silent Push research\nJul 2024\nFIN7 Deploys Anubis Backdoor to Hijack Windows Systems via\nCompromised SharePoint Sites\nCounter operations\nAug 2018\nThree Members of Notorious International Cybercrime Group “Fin7”\nIn Custody for Role in Attacking Over 100 U.S. companies\nMay 2020\nAnother Alleged FIN7 Cybercrime Gang Member Arrested\nApr 2021\nFIN7 sysadmin behind “billions in damage” gets 10 years\nJun 2021\nFIN7 manager sentenced to 7 years for role in global hacking scheme\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c3f1f1ff-7d79-4385-bb5b-340c252c5a77",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c3f1f1ff-7d79-4385-bb5b-340c252c5a77"
	],
	"report_names": [
		"showcard.cgi?u=c3f1f1ff-7d79-4385-bb5b-340c252c5a77"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Silicon"
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Navigator",
				"Sangria Tempest",
				"TelePort Crew"
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434725,
	"ts_updated_at": 1775826790,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/123faf8678c44ba4d4f6dc3a2d1da8be548c49f8.pdf",
		"text": "https://archive.orkl.eu/123faf8678c44ba4d4f6dc3a2d1da8be548c49f8.txt",
		"img": "https://archive.orkl.eu/123faf8678c44ba4d4f6dc3a2d1da8be548c49f8.jpg"
	}
}