{
	"id": "43b4b574-4a9a-40d3-b210-c6a1e9f9b186",
	"created_at": "2026-04-06T00:14:46.514121Z",
	"updated_at": "2026-04-10T03:35:52.831603Z",
	"deleted_at": null,
	"sha1_hash": "2b047cba8ddfac68189a1eb1f52886a630c80ead",
	"title": "FIN7: The Truth Doesn't Need to be so STARK",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1257422,
	"plain_text": "FIN7: The Truth Doesn't Need to be so STARK\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-05 16:03:41 UTC\r\nFirst and foremost, our thanks go to the threat research team at Silent Push and the security team at Stark\r\nIndustries Solutions (referred to as “Stark” from this point forwards) for their enthusiastic cooperation in\r\nthe ‘behind the scenes’ efforts of this blog post.\r\nIntroduction\r\nIn our opening statement, we also introduce the subject of this post: the cross-team and cross-organization\r\ncollaborative efforts of Silent Push, Stark, and Team Cymru in taking action against a common and well-known\r\nadversary, FIN7.\r\nhttps://www.team-cymru.com/post/fin7-the-truth-doesn-t-need-to-be-so-stark\r\nPage 1 of 6\n\nFIN7 is a financially motivated threat group that has been active for more than a decade, targeting a wide variety\r\nof sectors during that time. Although disruptive actions have previously been taken against the group, current\r\nreports within the CTI community indicate that it remains active today.\r\nRecent research by Silent Push has identified upwards of 4,000 domains that they believe are attributable to either\r\nFIN7 or other threat actors mimicking the group’s established TTPs (Tactics, Techniques, and Procedures). One\r\nnotable subsection of their research highlighted the apparent use of infrastructure assigned to Stark for hosting a\r\nsignificant proportion of these domains. This particular finding was picked up by cybersecurity media outlets,\r\nnotably including KrebsonSecurity, whose post inspired this blog's title.\r\nAt this juncture, it is important to note that we have been working directly with Stark for several months to assist\r\nin their objective of identifying and reducing abuse activity on their networks.\r\nTo ensure appropriate action can be taken, activity that breaches the terms of service outlined by Stark\r\nshould be reported via email to abuse@stark-industries[.]solutions. 
We can confirm that there is a human\r\nreviewing this mailbox! If direct contact with Stark is not feasible, Team Cymru is happy to act as an\r\nintermediary to ensure the requests reach the right people.\r\nThe following is an expanded analysis of the findings shared by Silent Push, undertaken in tandem with the\r\nsecurity team at Stark.\r\nKey Findings\r\nIdentification of two clusters of potential FIN7 activity, derived from collaborative analysis of indicators\r\noriginally shared by Silent Push.\r\nThe two clusters indicate communications inbound to FIN7 infrastructure from IP addresses assigned to\r\nPost Ltd (Russia) and Smart Ape (Estonia), respectively.\r\nIdentification of 25 Stark-assigned IP addresses used to host domains associated with FIN7 activities.\r\n\"Seed\" Infrastructure\r\nIn support of their research, Silent Push provided 70 indicators (67 domains and 3 IP addresses) of FIN7-related\r\nactivity. Passive DNS data for the domains showed them resolving to 116 distinct IPs in the 30 days prior to the\r\nresearch’s publication. Notably, the majority of the IPs (74%) were assigned to Cloudflare, US, indicating the\r\n“true” hosting IPs were likely obscured behind Cloudflare services.\r\nFrom the overall list, we extracted nine Stark-assigned IPs as follows:\r\n103.113.70.142\r\n103.35.189.39 - 2024sharepoint[.]lat, sharepoint2024[.]one\r\n103.35.189.46 - ariba[.]business, ariba[.]one\r\n103.35.189.90 - dr1v3[.]one, dr1v3[.]top, dr1ve[.]xyz\r\n103.35.191.112 - multyimap[.]com\r\n103.35.191.28\r\n103.35.191.87 - netepadtee[.]com\r\n141.98.168.183 - hotnotepad[.]com\r\n86.104.72.16 - thomsonreuter[.]info, thomsonreuter[.]pro, westlaw[.]top\r\nOur first step was to share this information with the security team at Stark, who were able to take prompt action to\r\nsuspend any services that were still active. 
Some were no longer being operated by the threat actors at the time of\r\npublication.\r\nThe initial feedback we received from Stark indicated that the hosts identified by Silent Push were likely procured\r\nby the threat actors from one of Stark’s resellers. \"Stark Industries Solutions\" acts as a white label brand under\r\nwhich services are sold, including by distinct entities acting as resellers.\r\nReseller programs are common in the hosting industry; many of the largest VPS (virtual private server) providers\r\noffer such services. Customers procuring infrastructure via resellers generally must follow the terms of service\r\noutlined by the \"parent\" entity.\r\nThe nine IPs shared with Stark served as the \"seeds\" for our investigation to identify and disrupt further FIN7\r\ninfrastructure. Using these initial seeds, we expanded our efforts to trace and mitigate additional malicious\r\nactivities associated with these threat actors.\r\nInfrastructure Discovery\r\nBased on a combination of insights shared by the Stark security team and our own network telemetry data, we\r\nwere able to identify two clusters of potential upstream activity. This led to the discovery of further FIN7\r\ninfrastructure, similar in nature to that shared by Silent Push.\r\nPost Ltd (AS12494)\r\nThe first cluster involved four IP addresses assigned to Post Ltd, a broadband provider operating in the Northern\r\nCaucasus region in Southern Russia.\r\nOver the past 30 days, we observed these IP addresses communicating with at least 15 Stark-assigned hosts, which\r\nwe associate with the TTPs referenced in the research by Silent Push. 
These hosts included 86.104.72.16, which\r\nwas in the original list of indicators from Silent Push.\r\nFigure 1 below shows the Stark-assigned IPs identified within this cluster, including resolving domains which we\r\nattribute to the same threat actor.\r\nFigure 1 - Post Ltd Cluster\r\nCommunications occurred outbound from the Post Ltd IPs to remote TCP/22 on the Stark-assigned hosts.\r\nReviewing metadata for these communications confirmed them to be established connections. This assessment is\r\nbased on an evaluation of observed TCP flags and sampled data transfer volumes.\r\nOpen port information for all 15 Stark-assigned hosts indicated that they had a version of OpenSSH listening on\r\nTCP/22 during the time of observed communications. This activity is therefore indicative of potential\r\nmanagement activity of the Stark-assigned hosts, initiated via SSH from user(s) of the Post Ltd IPs.\r\nSmartApe (AS62212)\r\nThe second cluster involved three IP addresses assigned to SmartApe, a cloud hosting provider operating from\r\nEstonia.\r\nOver the past 30 days, we observed these IP addresses communicating with at least 16 Stark-assigned hosts, which\r\nwe associate with the TTPs referenced in the research by Silent Push. 
Again, these hosts included 86.104.72.16.\r\nIn addition, 12 of the hosts identified in the Post Ltd cluster were also observed in the SmartApe cluster.\r\nFigure 2 below shows the Stark-assigned IPs identified within this cluster, including resolving domains that we\r\nattribute to the same threat actor.\r\nFigure 2 - SmartApe Cluster\r\nCommunications occurred outbound from the SmartApe IPs to remote TCP/443 on the Stark-assigned hosts.\r\nAgain, metadata for these communications confirmed them to be established connections.\r\nGiven the nature of the content likely hosted on the Stark-assigned IPs, which in many cases may be some form of\r\nspoofed website, it is possible that this cluster is tied to threat researcher activities, accessing potential FIN7 hosts\r\n(via TCP/443) to collect information. Alternatively, it is also possible that the SmartApe IPs are used in some\r\ncapacity for testing purposes, such as verifying if the correct content is delivered when visiting the target site.\r\nFor the purposes of our investigation, regardless of the case, the SmartApe IPs provided a vantage point from\r\nwhich to identify potential FIN7-linked activity.\r\nNote: In the case of both clusters, the identified hosts were reported to Stark and the customers’ services\r\nwere suspended.\r\nIn addition to the 19 hosts identified in the two clusters described above, insights from Stark’s security team led to\r\nthe discovery of a further six hosts, which we assess to be connected to the same activity.\r\nDetails of all identified hosts are provided in the IOC section at the end of this post.\r\nConclusion\r\nThe purpose of this blog post is not to exhaustively identify FIN7 infrastructure; rather, it represents a snapshot in\r\ntime of activity hosted on the infrastructure of one hosting provider (Stark).\r\nThe purpose is twofold:\r\nTo highlight the value of collaboration in expanding our knowledge and understanding of threat activities.\r\nTo demonstrate that efforts 
can be made to communicate directly with hosting providers who may\r\npreviously have been considered facilitators of the same threat activities.\r\nMoving forward, we will continue to work closely with Stark to combat FIN7 activities and other threat groups,\r\nwith a shared goal of reducing abuse of their networks. Similarly, we encourage other threat intelligence\r\norganizations to remain proactive in reporting suspicious activities to hosting providers.\r\nAs a final point, in the spirit of this blog post we also reported our findings to the other hosting providers\r\nmentioned in advance of publication.\r\nRecommendations\r\nThe usual advice applies in relation to the IOCs shared in this blog post - block, hunt, mitigate, remediate.\r\nIt goes without saying that malicious activities should be reported to relevant authorities and hosting\r\nproviders. As a specific reminder, abuse complaints can be sent to abuse@stark-industries[.]solutions for\r\nStark-related matters.\r\nIndicators of Compromise (IoCs)\r\nIP Address Domain Name Cluster\r\n103.35.188.245 2bonmai[.]buzz Post Ltd\r\n103.35.189.143 ttlpcs[.]lat Both\r\n103.35.189.38 clio[.]lat None\r\n103.35.189.38 clio2024[.]top None\r\n103.35.189.40 ariba[.]lat Both\r\n103.35.190.215 2024-7zip[.]pw None\r\n103.35.190.215 7zip2024[.]info None\r\n103.35.190.40 gogogononono[.]top Both\r\n103.35.190.40 gogogononono[.]xyz Both\r\n103.35.190.40 lexisnexis[.]lat Both\r\n103.35.190.51 dhlpost[.]lat None\r\n103.35.190.51 dhlpost[.]nl None\r\n103.35.190.51 dhlpost[.]sbs None\r\n103.35.191.137 lexis2024[.]info SmartApe\r\n103.35.191.137 lexis2024[.]pro SmartApe\r\n103.35.191.137 lexisnex[.]pro SmartApe\r\n103.35.191.137 lexisnex[.]team SmartApe\r\n103.35.191.137 lexisnex[.]top SmartApe\r\n103.35.191.137 
lexisnexis[.]one SmartApe\r\n103.35.191.137 lexisnexis[.]pro SmartApe\r\n103.35.191.137 lexisnexis[.]top SmartApe\r\n176.120.75.99 antispam-ms[.]pro Post Ltd\r\n45.150.65.100 blackrock-alladin[.]pro Both\r\n45.150.65.100 wilandsabim[.]info Both\r\n45.150.65.46 wuriye[.]com Post Ltd\r\n45.150.67.143 - None\r\n45.89.53.175 2024aimp[.]info Both\r\n45.89.53.243 gl-meet2024[.]com None\r\n45.89.53.243 meet-gl[.]com None\r\n45.89.53.243 meet-goo[.]net None\r\n45.89.53.243 meet-goo[.]org None\r\n45.89.53.243 meet[.]com[.]de None\r\n45.89.53.243 meet2024[.]com None\r\n5.180.24.27 gogogogogotests[.]xyz Both\r\n5.252.22.213 edankhk[.]top SmartApe\r\n5.252.22.213 miles-and-mroe[.]com SmartApe\r\n5.252.22.213 otpdank24[.]top SmartApe\r\n5.252.22.213 unicrebitdank[.]top SmartApe\r\n5.252.22.213 unicredibank[.]top SmartApe\r\n86.104.72.125 2024clio[.]one Both\r\n86.104.72.125 2024clio[.]top Both\r\nSource: https://www.team-cymru.com/post/fin7-the-truth-doesn-t-need-to-be-so-stark",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.team-cymru.com/post/fin7-the-truth-doesn-t-need-to-be-so-stark"
	],
	"report_names": [
		"fin7-the-truth-doesn-t-need-to-be-so-stark"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434486,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b047cba8ddfac68189a1eb1f52886a630c80ead.pdf",
		"text": "https://archive.orkl.eu/2b047cba8ddfac68189a1eb1f52886a630c80ead.txt",
		"img": "https://archive.orkl.eu/2b047cba8ddfac68189a1eb1f52886a630c80ead.jpg"
	}
}