{
	"id": "5fe7a21d-1c43-4cef-bf71-7506ebfb4477",
	"created_at": "2026-04-06T00:11:40.268307Z",
	"updated_at": "2026-04-10T03:35:52.803831Z",
	"deleted_at": null,
	"sha1_hash": "49a2253eb720e7abdb90cc8fd8b37b1c36689cef",
	"title": "FIN7 Backdoor Masquerades as Ethical Hacking Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76756,
	"plain_text": "FIN7 Backdoor Masquerades as Ethical Hacking Tool\r\nBy Tara Seals\r\nPublished: 2021-05-14 · Archived: 2026-04-05 13:41:22 UTC\r\nThe financially motivated cybercrime gang behind the Carbanak RAT is back with the Lizar malware, which can\r\nharvest all kinds of info from Windows machines.\r\nThe notorious FIN7 cybercrime gang, a financially motivated group, is spreading a backdoor called Lizar under\r\nthe guise of being a Windows pen-testing tool for ethical hackers.\r\nAccording to the BI.ZONE Cyber Threats Research Team, FIN7 is pretending to be a legitimate organization that\r\nhawks a security-analysis tool. They go to great lengths for verisimilitude, researchers said: “These groups hire\r\nemployees who are not even aware that they are working with real malware or that their employer is a real\r\ncriminal group.”\r\nSince 2015, FIN7 has targeted point-of-sale systems at casual-dining restaurants, casinos and hotels. The group\r\ntypically uses malware-laced phishing attacks against victims in hopes they will be able to infiltrate systems to\r\nsteal bank-card data and sell it. Since 2020, it has also added ransomware/data exfiltration attacks to its mix,\r\ncarefully selecting targets according to revenue using the ZoomInfo service, researchers noted.\r\nIts choice of malware is always evolving, including occasionally using never-before-seen samples that surprise\r\nresearchers. But its go-to toolkit has been Carbanak remote-access trojan (RAT), which previous analysis shows is\r\nhighly complex and sophisticated compared with its peers: It’s basically a Cadillac in a sea of golf carts. Carbanak\r\nis typically used for reconnaissance and establishing a foothold on networks.\r\nLately, though, BI.ZONE researchers have noticed the group using a new type of backdoor, called Lizar. 
The latest\r\nversion has been in use since February, and it offers a powerful set of data retrieval and lateral movement\r\ncapabilities, according to an analysis published on Thursday.\r\n“Lizar is a diverse and complex toolkit,” according to the firm. “It is currently still under active development and\r\ntesting, yet it is already being widely used to control infected computers, mostly throughout the United States.”\r\nVictims so far have included attacks on a gambling establishment, several educational institutions and\r\npharmaceutical companies in the U.S., along with an IT company headquartered in Germany and a financial\r\ninstitution in Panama.\r\nInside FIN7’s Lizar Toolkit\r\nhttps://threatpost.com/fin7-backdoor-ethical-hacking-tool/166194/\r\nPage 1 of 3\n\nThe Lizar toolkit is structurally similar to Carbanak, researchers said. It consists of a loader and various plugins\r\nthat are used for different tasks. Together they run on an infected system and can be combined into the Lizar bot\r\nclient, which in turn communicates with a remote server.\r\n“The bot’s modular architecture makes the tool scalable and allows for independent development of all\r\ncomponents,” according to the analysis. 
“We’ve detected three kinds of bots: DLLs, EXEs and PowerShell scripts,\r\nwhich execute a DLL in the address space of the PowerShell process.”\r\nThe plugins are sent from the server to the loader and are executed when a certain action is performed in the Lizar\r\nclient application, according to BI.ZONE.\r\nThe six stages of the plugins’ lifecycle are as follows:\r\nThe user selects a command in the Lizar client application interface;\r\nThe Lizar server receives the information about the selected command;\r\nThe server finds a suitable plugin from the plugins directory, then sends it to the loader;\r\nThe loader executes the plugin and stores the result of the plugin’s execution in a specially allocated area of\r\nmemory on the heap;\r\nThe server retrieves the results of plugin execution and sends them on to the client; and\r\nThe client application displays the plugin results.\r\nThe plugins are variously designed to load other tools like Mimikatz or Carbanak, retrieve information from the\r\nvictim machine, take screenshots, harvest credentials, retrieve browser histories, and more.\r\nThe specific bot commands are as follows:\r\nCommand Line – get CMD on the infected system;\r\nExecuter – launch an additional module;\r\nGrabber – run one of the plugins that collect passwords in browsers, Remote Desktop Protocol and\r\nWindows OS;\r\nInfo – retrieve information about the system;\r\nJump to – migrate the loader to another process;\r\nKill – stop plugin;\r\nList Processes – get a list of processes;\r\nMimikatz – run Mimikatz;\r\nNetwork analysis – run one of the plugins to retrieve Active Directory and network information;\r\nNew session – create another loader session (run a copy of the loader on the infected system);\r\nRat – run Carbanak; and\r\nScreenshot – take a screenshot.\r\nThe Lizar server application, meanwhile, is written using the .NET framework and runs on a remote Linux host,\r\nresearchers said. 
It supports encrypted communications with the bot client.\r\n“Before being sent to the server, the data is encrypted on a session key with a length ranging from 5 to 15 bytes\r\nand then on the key specified in the configuration (31 bytes),” researchers explained. “If the key specified in the\r\nconfiguration (31 bytes) does not match the key on the server, no data is sent from the server.”\r\nCybercriminals Posing as Security Researchers\r\nThe impressively ironic tactic of posing as a security outfit while contributing to, well, insecurity is not a new\r\nidea, even for FIN7. In the past, BI.ZONE has observed it pushing Carbanak under the guise of the package being\r\na tool from cybersecurity stalwarts Check Point Software or Forcepoint.\r\nEarlier this year, a North Korean advanced persistent threat group (APT) called Zinc, which has links to the more\r\nnotorious APT Lazarus, mounted two separate attacks targeting security researchers.\r\nIn January, the group used elaborate social-engineering efforts through Twitter and LinkedIn, as well as other\r\nmedia platforms like Discord and Telegram, to set up trusted relationships with researchers by appearing to\r\nthemselves be legitimate researchers interested in offensive security.\r\nSpecifically, attackers initiated contact by asking researchers if they wanted to collaborate on vulnerability\r\nresearch together. They demonstrated their own credibility by posting videos of exploits they’ve worked on,\r\nincluding faking the success of a working exploit for an existing, patched Windows Defender vulnerability that\r\nhad been exploited as part of the massive SolarWinds attack.\r\nEventually, after much correspondence, attackers provided the targeted researchers with a Visual Studio Project\r\ninfected with malicious code that could install a backdoor onto their system. 
Victims also could be infected by\r\nfollowing a malicious Twitter link.\r\nSecurity researchers infected in those attacks were running fully patched and up-to-date Windows 10 and Chrome\r\nbrowser versions, according to Google TAG at the time, which signaled that hackers likely were using zero-day\r\nvulnerabilities in their campaign.\r\nZinc was back at it in April, using some of the same social-media tactics but adding Twitter and LinkedIn profiles\r\nfor a fake company called “SecuriElite,” which purported to be an offensive security firm located in Turkey. The\r\ncompany claimed to offer pen tests, software-security assessments and exploits, and purported to actively recruit\r\ncybersecurity personnel via LinkedIn.\r\nSource: https://threatpost.com/fin7-backdoor-ethical-hacking-tool/166194/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://threatpost.com/fin7-backdoor-ethical-hacking-tool/166194/"
	],
	"report_names": [
		"166194"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434300,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49a2253eb720e7abdb90cc8fd8b37b1c36689cef.pdf",
		"text": "https://archive.orkl.eu/49a2253eb720e7abdb90cc8fd8b37b1c36689cef.txt",
		"img": "https://archive.orkl.eu/49a2253eb720e7abdb90cc8fd8b37b1c36689cef.jpg"
	}
}