{
	"id": "49538bcb-6393-49da-8826-e4a8bcf9aba7",
	"created_at": "2026-04-06T00:08:45.039476Z",
	"updated_at": "2026-04-10T03:35:53.025139Z",
	"deleted_at": null,
	"sha1_hash": "4846c7ed62c0ca85742c78bb1d2cef764341ca6e",
	"title": "Fin7 weaponization of DDE is just their latest slick move, say researchers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 149107,
	"plain_text": "Fin7 weaponization of DDE is just their latest slick move, say researchers\r\nBy Shaun Waterman\r\nPublished: 2017-10-16 · Archived: 2026-04-05 23:49:31 UTC\r\nWhen cybercrime gang FIN7 weaponized a new attack vector against Microsoft applications within a day of it being published last week, it was just the latest slick move from a threat group that has consistently stayed one step ahead of cyber defenders.\r\nA timeline of the attack vectors used by the group, compiled by Morphisec researchers, shows that FIN7 typically adopts a new technique within “a couple of days” of its previous one being discovered, once the number of security products that detect it gets into double figures.\r\nThe Morphisec researchers analyzed the scores that VirusTotal, a service that scans uploaded files against 56 security products, assigned to FIN7 attachment lures.\r\n“A look at Virus Total scoring reveals that when a FIN7 campaign is first active, it goes mostly undetected by security solutions. The malicious documents do not score more than 1-3 detections. Within a couple of days, security solutions update their patterns and those documents score around 10/56 or higher,” according to their report.\r\nBut by that time, the authors write, FIN7 is already deploying new tools, often by simply tweaking the code or other patterns that the security software is hunting for. This “diminishes the usefulness of reactive, pattern-based detection rules,” according to Morphisec.\r\nOther researchers have analyzed FIN7’s tactics, noting that they follow the familiar pattern of a skilled intrusion: initial compromise; establish foothold; escalate privileges; maintain presence; move laterally; and finally complete the mission.\r\nThe constant shifting of attack modes is “at the heart of FIN7’s business model,” the Morphisec researchers conclude. 
“Every campaign includes enough new features to make them unknowable … And as security vendors scramble to catch up, FIN7 is already preparing its next attack.”\r\nIndeed, that swift adoption of new techniques led one researcher at InfoSecurity Europe to comment of FIN7, “In most environments, prevention is not possible,” and that detection is the best defenders can hope for.\r\nEarlier this year, when FIN7 encountered a Morphisec researcher during an incident response, the group first blocked the IP address he was using and then abandoned its entire command-and-control infrastructure.\r\nSuch caution is worthy of a high-end financial cybercrime group thought to be behind many of the most audacious recent online bank thefts, including the one Kaspersky dubbed “Take the money, b*tch!” after a line of instructions in the code.\r\nThe group was among the first to adopt stealthy fileless malware, an approach in which attackers avoid downloading and installing easily detected malicious executables. Instead, they use tools already present on the target’s own computers, above all the built-in and widely trusted PowerShell scripting engine, together with in-memory payloads from penetration-testing frameworks such as Metasploit, to run their malicious code directly in the computer’s working memory without writing it to disk.\r\nThe commands to do this are typically hidden in an attachment that abuses a document feature such as Visual Basic for Applications macros, Object Linking and Embedding (OLE) or, as in last week’s example, Dynamic Data Exchange (DDE). 
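The DDE lures described above carry their command inside a Word field code, so a defender can triage an attachment before it ever reaches a user by pulling the field instructions out of the .docx package. The scanner below is an added example, not code from the article, Morphisec or Cisco Talos: it unzips a .docx, collects every field instruction from the body, headers and footers (both the simple form and the complex form, where the instruction is spread over several runs), normalizes it, resolves the QUOTE character-code trick used to spell DDEAUTO without the literal string, and flags DDE, DDEAUTO and remote-include fields. The sample document is constructed in memory; the payload arguments and the example.invalid URL are placeholders, not indicators from any real campaign.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W = '{http://schemas.openxmlformats.org/wordprocessingml/2006/main}'

# Field keywords that make Word run or fetch something outside the document.
# DDE/DDEAUTO start an arbitrary program; INCLUDE* pull remote content.
# Everyday fields (PAGE, TOC, HYPERLINK, ...) are deliberately not listed.
RISKY = re.compile('(?<![A-Z0-9])(DDEAUTO|DDE|INCLUDETEXT|INCLUDEPICTURE)(?![A-Z0-9])',
                   re.IGNORECASE)
# QUOTE with numeric arguments renders the characters with those codes, which
# attackers use to spell DDEAUTO without the literal string appearing anywhere.
QUOTE_SEQ = re.compile('QUOTE((?: [0-9]+)+)', re.IGNORECASE)


def normalize(code):
    '''Collapse whitespace, then resolve numeric QUOTE sequences to text.'''
    code = ' '.join(code.split())
    return QUOTE_SEQ.sub(lambda m: ''.join(chr(int(n)) for n in m.group(1).split()), code)


def field_codes(xml_bytes):
    '''Yield every field instruction in one WordprocessingML part.
    Covers <w:fldSimple w:instr=...> and the complex form, where the instruction
    sits in <w:instrText> runs between fldChar begin/end. Runs in a paragraph are
    joined with no separator, so a keyword split as 'DD' + 'EAUTO' is reassembled.'''
    root = ET.fromstring(xml_bytes)
    for fs in root.iter(W + 'fldSimple'):
        yield fs.get(W + 'instr', '')
    for p in root.iter(W + 'p'):
        parts = [t.text or '' for t in p.iter(W + 'instrText')]
        if parts:
            yield ''.join(parts)


def scan_docx(docx):
    '''Return [(part_name, normalized_field_code), ...] for every risky field in
    the document body, headers, footers and any other XML part under word/.'''
    hits = []
    with zipfile.ZipFile(docx) as z:
        for name in sorted(z.namelist()):
            if not (name.startswith('word/') and name.endswith('.xml')):
                continue
            for code in field_codes(z.read(name)):
                norm = normalize(code)
                if RISKY.search(norm):
                    hits.append((name, norm))
    return hits


def sample_docx():
    '''Constructed test input (not a real FIN7 lure): a minimal .docx with four
    risky fields and one benign one. Word would also need [Content_Types].xml
    and the rels parts; the scanner does not. Payload arguments are placeholders.'''
    ns = 'http://schemas.openxmlformats.org/wordprocessingml/2006/main'
    payload = 'cmd.exe /k powershell -nop -w hidden -e BASE64PAYLOAD'
    # 1: simple DDEAUTO field, 2: benign PAGE field, 3: keyword split across runs,
    # 4: whole command spelled with QUOTE character codes (decodes to 'DDEAUTO cmd.exe')
    document = f'''<w:document xmlns:w='{ns}'><w:body>
<w:p><w:fldSimple w:instr=' DDEAUTO {payload} '><w:r><w:t>x</w:t></w:r></w:fldSimple></w:p>
<w:p><w:fldSimple w:instr=' PAGE '><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>
<w:p><w:r><w:fldChar w:fldCharType='begin'/></w:r><w:r><w:instrText>DD</w:instrText></w:r>
<w:r><w:instrText>EAUTO {payload}</w:instrText></w:r><w:r><w:fldChar w:fldCharType='separate'/></w:r>
<w:r><w:t>x</w:t></w:r><w:r><w:fldChar w:fldCharType='end'/></w:r></w:p>
<w:p><w:r><w:fldChar w:fldCharType='begin'/></w:r>
<w:r><w:instrText>QUOTE 68 68 69 65 85 84 79 32 99 109 100 46 101 120 101</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType='end'/></w:r></w:p>
</w:body></w:document>'''
    # 5: a header part with a remote INCLUDEPICTURE, showing parts beyond document.xml are scanned
    header = f'''<w:hdr xmlns:w='{ns}'><w:p><w:fldSimple w:instr=' INCLUDEPICTURE http://example.invalid/t.png '/></w:p></w:hdr>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('word/document.xml', document)
        z.writestr('word/header1.xml', header)
    buf.seek(0)
    return buf


if __name__ == '__main__':
    for part, code in scan_docx(sample_docx()):
        print(part, '->', code)
```

Matching on the normalized instruction rather than on the raw XML is what makes the split-run and QUOTE variants visible; a plain grep for the string DDEAUTO over the package misses both. Run the scanner on mail-gateway attachments or on the sandbox's sample queue and treat any hit as a detonation candidate, since a benign document has no reason to carry a DDE field at all.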
It is these attachment lures that the Morphisec researchers analyzed for their timeline.\r\nThe lures rely on social engineering. None of these features runs silently: Office users generally see a pop-up asking whether they want to “enable content” (for macros) or “update links” (for DDE) in the document they are opening, so the emails are carefully spear-phished to a small number of targets who have a reason to click through.\r\n[Image: the kind of pop-up window displayed by malicious Word attachments using fileless malware]\r\nEarlier this year, FIN7 was suspected of being behind an attack that used emails appearing to come from the SEC’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) online filing system. The emails bore a Microsoft Word attachment titled “Important changes to form 10K.”\r\nA 10-K is a form that public companies must submit to the SEC every year, and the targets were people involved in their company’s filings, which often means their email addresses appear in public documents.\r\nLast week, researchers at Cisco Talos saw spear-phishing emails, with a similarly spoofed SEC address, bearing an attachment that used DDE to launch a “complex multi-stage infection process,” typical of FIN7.\r\nSource: https://www.cyberscoop.com/fin7-dde-morphisec-fileless-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cyberscoop.com/fin7-dde-morphisec-fileless-malware/"
	],
	"report_names": [
		"fin7-dde-morphisec-fileless-malware"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434125,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4846c7ed62c0ca85742c78bb1d2cef764341ca6e.pdf",
		"text": "https://archive.orkl.eu/4846c7ed62c0ca85742c78bb1d2cef764341ca6e.txt",
		"img": "https://archive.orkl.eu/4846c7ed62c0ca85742c78bb1d2cef764341ca6e.jpg"
	}
}