{
	"id": "1f4b208a-19ee-48cd-a90d-871c405fda77",
	"created_at": "2026-04-06T00:07:24.472096Z",
	"updated_at": "2026-04-10T03:35:52.772621Z",
	"deleted_at": null,
	"sha1_hash": "44528d153681a19a67e9f595deaeaf3dff38e485",
	"title": "FIN7 tradecraft seen in attacks against Veeam backup servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1721015,
	"plain_text": "FIN7 tradecraft seen in attacks against Veeam backup servers\r\nArchived: 2026-04-05 20:19:12 UTC\r\nUpdates:\r\n28-04-2023 1100 UTC - We have reviewed and updated this blogpost to reflect our latest findings:\r\nWe have added information regarding the file “445.ps1”, which was missing at the time of writing.\r\nWe have updated this blogpost to broaden our attribution from FIN7 to FIN7 or a threat actor utilizing FIN7 tradecraft.\r\nIntroduction\r\nWithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup \u0026 Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access \u0026 execution was achieved through a recently patched Veeam Backup \u0026 Replication vulnerability, CVE-2023-27532[1].\r\nFIN7 is a financially motivated cybercrime group with roots dating back to the mid-2010s. The group has been involved in several high-profile, large-scale attacks over the years. The group’s tradecraft and modus operandi have evolved over their multi-year history, developing new tools[2], expanding their operations[3], as well as affiliating with other threat actors[4].\r\nThis blogpost provides an analysis of intrusions we have observed, along with a timeline of these attacks.\r\nInitial activity\r\nOn 28th March 2023, initial activity was observed across internet-facing servers running Veeam Backup \u0026 Replication software. An SQL server process “sqlservr.exe” related to the Veeam Backup instance executed a shell command, which performed in-memory download and execution of a PowerShell script.\r\nhttps://labs.withsecure.com/publications/fin7-target-veeam-servers\r\nPage 1 of 15\n\nFigure 1: Example of shell command launched via sqlservr.exe\r\nOur analysis found that all instances of these PowerShell scripts were POWERTRASH. POWERTRASH is an obfuscated loader written in PowerShell that has been attributed to FIN7. The script contains an embedded payload that is executed through reflective PE injection. The filenames (e.g. icsnd16_64refl.ps1, icbt11801_64refl.ps1) used for these PowerShell scripts were also (notably) identical to the naming convention reportedly used by FIN7[7].\r\nFigure 2: POWERTRASH\r\nIn the past[2], POWERTRASH has been used to execute various payloads, including Carbanak, DICELOADER, and Cobalt Strike. The embedded payload in the incidents we observed in March was DICELOADER, also known as Lizar. DICELOADER is a backdoor linked to FIN7. The operators made use of DICELOADER to gain a foothold in compromised machines to conduct post-exploitation procedures.\r\nThe exact method used by the threat actor to invoke the initial shell commands remains unknown but was likely achieved through a recently patched Veeam Backup \u0026 Replication vulnerability, CVE-2023-27532, which can provide unauthenticated access to a Veeam Backup \u0026 Replication instance. However, as there were no concrete indicators to confirm these findings, this remains a low-to-medium confidence assessment based on the following:\r\nThe affected servers had TCP port 9401 exposed to the internet. This port is used for communication with the Veeam Backup Service over SSL. Network activity with an external IP address was observed over this port right before the shell command invocation by the SQL server instance process.\r\nCVE-2023-27532 was patched a few weeks prior to this campaign. Exploitation of this vulnerability requires communication over port 9401.\r\nThe servers were running vulnerable versions of the software at the time of attack.\r\nA proof-of-concept[5] (POC) exploit was made publicly available a few days prior to the campaign, on 23rd March 2023. The POC contains remote command execution functionality. The remote command execution, which is achieved through SQL shell commands, yields the same execution chain observed in this campaign.\r\nIt is worth noting that a few days prior to the initial attack, additional suspicious activity was observed on the servers that we investigated. On 24th March 2023, the SQL server process for Veeam backup instances executed another shell command to copy the “Web.config” file located within Veeam Backup \u0026 Replication program files to another file called “system.js”. The exact reason for this shell command remains unknown and no strong evidence links this earlier activity to the intrusions. However, it is plausible that the earlier activity was performed by the threat actor to probe and identify internet-facing servers vulnerable to CVE-2023-27532 as part of large-scale vulnerability scanning, something that FIN7 has reportedly done in the past[7].\r\nReconnaissance, Discovery, and Credential theft\r\nThe threat actor used a series of commands as well as custom scripts to gather host and network information from the compromised machines. Some of these commands included:\r\nnetstat : Display all active TCP connections and listening ports\r\ntasklist : Display all running processes\r\nipconfig : Display all IP configurations\r\nFurthermore, a series of SQL commands were executed to steal information from the Veeam backup database.\r\nThe threat actor also used a PowerShell script to retrieve stored credentials. The script content is identical to a code snippet shared online for retrieving passwords from Veeam Backup Servers[6].\r\nA custom PowerShell script was executed through lateral movement to gather operating system information on the target through the usage of WMI. The content of the script and the execution method are identical to activity associated with FIN7[4].\r\nTo resolve the list of collected IP addresses to their respective host names, a custom PowerShell script, “host_ip.ps1”, was executed. The PowerShell script content is nearly identical to a code snippet shared online for resolving IP to Hostname with PowerShell[8]. The “host_ip.ps1” file name has been reportedly observed in FIN7’s attack arsenal[7].\r\nAn additional file called “445.ps1” was dropped and executed on the compromised Veeam backup servers. The retrieved script content functions as a port checker, which tests whether a port is open for a given address by attempting to establish a socket connection for a set of IP address and port pairs from an input file.\r\nSetting up persistence\r\nA custom PowerShell script, “gup18.ps1”, was executed to set up an active foothold in the compromised machine by creating a persistence mechanism to execute DICELOADER on device startup. This script was hosted on an external file-hosting service “temp[.]sh”. This unique PowerShell script has not been previously seen in the attack arsenal of FIN7, and we are now tracking it as POWERHOLD.\r\nThe PowerShell script drops 7 files, which are embedded in the script content, into a unique folder in %APPDATA%, and sets an autorun registry entry to establish persistence. The dropped files are:\r\ngup.exe – Legitimate GUP.exe binary (part of the Notepad++ application)\r\ngup.xml – Configuration file that’s part of the GUP application\r\nlibcurl.dll – .NET DLL file side-loaded by gup.exe\r\nJZ4qWKZW – Encoded DICELOADER payload that’s loaded and executed by libcurl.dll\r\njkBDfXaL.bat – Batch file that executes gup.exe\r\n0JNvHvAz.vbs – VBScript file that executes the batch file\r\nlibcurl.dll, which is side-loaded by gup.exe, is a simple .NET loader that decodes and executes an on-disk payload that has been XORed. The on-disk payload filename as well as the XOR key are hardcoded within the loader. This unique loader has not been previously seen in FIN7’s attack arsenal, and we are now tracking it as DUBLOADER.\r\nIt is worth noting that the legitimate libcurl.dll used by GUP.exe is meant to be a native link library file, while the malicious variant used by the threat actor is a .NET DLL file. The crafted loader is designed to mimic the legitimate libcurl.dll file by including export function names found in the legitimate version and thus imported by the GUP executable. Only one of the export functions, namely “curl_easy_init”, contains malicious code. All other export functions are trivially implemented with “retn 0” instructions. The “curl_easy_init” export function, which implements the malicious code, is the first function[9] from the library that is called by the GUP executable. Therefore, the malicious code is executed immediately when GUP.exe is launched.\r\nLateral Movement\r\nThe threat actor performed a series of remote WMI method invocations as well as ‘net share’ commands to test for lateral movement on a target host with the exfiltrated credentials. A few hours after issuing these commands, the threat actor returned to perform a successful lateral movement.\r\nLateral tool transfer was achieved through the usage of SMB to drop two PowerShell scripts into the remote host’s ADMIN$ share. Execution was achieved through remote service creation.\r\nThe threat actor launched a custom PowerShell script (explained above) to gather information about the target host. This was followed by the execution of another PowerShell script, which was another POWERTRASH sample. This script performed remote injection into the ‘PlugPlay’ service, which made a network connection to a remote host on port 443. While we were unable to fetch the full contents of the secondary script to determine the exact payload used, we believe the payload was likely another backdoor/command-and-control agent (i.e., a CobaltStrike beacon). The command line patterns were previously seen in activity associated with FIN7[4].\r\nOutlook and Implications\r\nWithSecure Intelligence has so far identified two instances of such attacks conducted by FIN7 or a threat actor utilizing FIN7 tradecraft. As the initial activity across both instances was initiated from the same public IP address on the same day, it is likely that these incidents were part of a larger campaign. However, given the probable rarity of Veeam backup servers with TCP port 9401 publicly exposed, we believe the scope of this attack is limited.\r\nNonetheless, we advise affected companies to follow the recommendations and guidelines to patch and configure their backup servers appropriately as outlined in KB4424: CVE-2023-27532[1]. The information in this report as well as our IOCs GitHub repository[10] can also help organizations look for signs of compromise.\r\nThe goal of these attacks was unclear at the time of writing, as they were mitigated before fully materializing. However, the research sheds additional light on FIN7, their tradecraft, and potential affiliations for future research.\r\nWithSecure™ Elements Endpoint Detection and Response as well as WithSecure™ Countercept Detection and Response detect multiple stages of the attack lifecycle. These will generate incidents with detailed detections.\r\nWithSecure™ Elements Endpoint protection offers multiple detections that detect the malware and its behavior. Ensure that real-time protection as well as DeepGuard are enabled. You may run a full scan on your endpoint.\r\nIf you believe your business has been targeted or fallen victim to this or similar attacks and require assistance, you can reach out to our 24/7 incident hotline.\r\nIncidents’ timeline breakdown\r\nSource: https://labs.withsecure.com/publications/fin7-target-veeam-servers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://labs.withsecure.com/publications/fin7-target-veeam-servers"
	],
	"report_names": [
		"fin7-target-veeam-servers"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434044,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44528d153681a19a67e9f595deaeaf3dff38e485.pdf",
		"text": "https://archive.orkl.eu/44528d153681a19a67e9f595deaeaf3dff38e485.txt",
		"img": "https://archive.orkl.eu/44528d153681a19a67e9f595deaeaf3dff38e485.jpg"
	}
}