{
	"id": "abeee377-3874-4ee1-a882-c432945c1855",
	"created_at": "2026-04-06T03:36:31.032487Z",
	"updated_at": "2026-04-10T03:34:24.115081Z",
	"deleted_at": null,
	"sha1_hash": "12c201a5e521d93f6ca022c310a3b169fef24928",
	"title": "FIN8 Reemerges with New PoS Malware Badhatch",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107200,
	"plain_text": "FIN8 Reemerges with New PoS Malware Badhatch\r\nArchived: 2026-04-06 02:57:31 UTC\r\nSecurity researchers found threat group FIN8 reappearing after two years with a new point-of-sale (PoS) malware named Badhatch, which is designed to steal credit card information. Researchers from Gigamon analyzed the sample and found similarities with PowerSniff, but Badhatch features new capabilities that allow it to scan victim networks, provide attackers with remote access, install a backdoor, and deliver other modified malware payloads such as PoSlurp and ShellTea, among other features.\r\nBadhatch begins infection much like its predecessor PowerSniff, by sending a customized phishing email with a weaponized Word document. Once the victim enables the macros, it executes PowerShell and shellcode scripts for PowerSniff, installing a backdoor in the process. Its network scan capability makes it different from PowerSniff; it is unable to check whether the infected systems are in the education or healthcare sector. The researchers also noted that it lacks the sandbox detection and anti-virus analysis evasion features, as well as the long-term persistence tools that its predecessor had. However, they note that this also serves as an advantage, as the attackers can execute the routine after infection and have greater control over how the malware is used, thereby avoiding automated sandboxing features.\r\n[Read: RawPOS: New behavior risks identity theft]\r\nCapable of using an alternate command and control (C\u0026C) server communication protocol, it communicates with the C\u0026C every five minutes for command instructions and tracks the completed operations. ShellTea serves as an implant for multiple downloads and additional code execution, allowing the malware a stealthy foothold in the victim network for more payloads the attackers may decide to deploy. It also enables the malware to adapt to target environments via other HTTPS or DNS traffic.\r\nPoSlurp scrapes credit card data processed by the PoS devices, including card data stored and encrypted prior to the malware infection. Once the information is extracted from the infected system, the attackers can check and verify the validity of the data offline. PoSlurp also allows the attackers to inject other commands, access files, copy log files back to the server, and delete log files, among others.\r\n[Read: MajikPOS combines PoS malware and RATs to pull off its malicious tricks]\r\nAs most PoS devices and systems run on embedded versions of Windows 7 and may not have applicable patches or anti-virus products, simple malware attacks like these may still prove profitable for FIN8. Businesses and users can protect themselves from these threats with the following best practices:\r\nRegularly monitor financial and bank statements for fraudulent purchases. If users suspect their accounts are being used for fraudulent transactions, they should contact their banks immediately.\r\nBe cautious of opening email attachments or clicking embedded URLs from known and unknown senders with suspicious requests. If the sender is a known contact, confirm the request via previously used communication channels.\r\nFor legacy system users, check for virtual patches available from security vendors.\r\nLimit which software is allowed to run on the system.\r\nInstall multilayered protection products, especially network defense solutions, to protect all connected devices.\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/fin8-reemerges-with-new-pos-malware-badhatch",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/fin8-reemerges-with-new-pos-malware-badhatch"
	],
	"report_names": [
		"fin8-reemerges-with-new-pos-malware-badhatch"
	],
	"threat_actors": [
		{
			"id": "3150bf4f-288a-44b8-ab48-0ced9b052a0c",
			"created_at": "2025-08-07T02:03:24.910023Z",
			"updated_at": "2026-04-10T02:00:03.713077Z",
			"deleted_at": null,
			"main_name": "GOLD HUXLEY",
			"aliases": [
				"CTG-6969",
				"FIN8"
			],
			"source_name": "Secureworks:GOLD HUXLEY",
			"tools": [
				"Gozi ISFB",
				"Powersniff"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5bdde906-0416-42ee-9100-5ebd95dda77a",
			"created_at": "2023-01-06T13:46:38.601977Z",
			"updated_at": "2026-04-10T02:00:03.035842Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK113",
				"G0061"
			],
			"source_name": "MISPGALAXY:FIN8",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72d09c17-e33e-4c2f-95db-f204848cc797",
			"created_at": "2022-10-25T15:50:23.832551Z",
			"updated_at": "2026-04-10T02:00:05.336787Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"FIN8",
				"Syssphinx"
			],
			"source_name": "MITRE:FIN8",
			"tools": [
				"BADHATCH",
				"PUNCHBUGGY",
				"Ragnar Locker",
				"PUNCHTRACK",
				"dsquery",
				"Nltest",
				"Sardonic",
				"PsExec",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fc80a724-e567-457c-82bb-70147435e129",
			"created_at": "2022-10-25T16:07:23.624289Z",
			"updated_at": "2026-04-10T02:00:04.691643Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK 113",
				"G0061",
				"Storm-0288",
				"Syssphinx"
			],
			"source_name": "ETDA:FIN8",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BadHatch",
				"BlackCat",
				"Noberus",
				"PSVC",
				"PUNCHTRACK",
				"PoSlurp",
				"Powersniff",
				"PunchBuggy",
				"Ragnar Loader",
				"Ragnar Locker",
				"RagnarLocker",
				"Sardonic",
				"ShellTea"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446591,
	"ts_updated_at": 1775792064,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12c201a5e521d93f6ca022c310a3b169fef24928.pdf",
		"text": "https://archive.orkl.eu/12c201a5e521d93f6ca022c310a3b169fef24928.txt",
		"img": "https://archive.orkl.eu/12c201a5e521d93f6ca022c310a3b169fef24928.jpg"
	}
}