{
	"id": "e91d1aae-6b62-42ec-90e2-56063a0d1ec9",
	"created_at": "2026-04-06T03:37:36.143884Z",
	"updated_at": "2026-04-10T03:34:24.110741Z",
	"deleted_at": null,
	"sha1_hash": "4e7ec6fb70c56f1b9ef4172ef4d6a854a4ec15f0",
	"title": "FIN8 Threat Actor Spotted Once Again with New \"Sardonic\" Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1561611,
	"plain_text": "FIN8 Threat Actor Spotted Once Again with New \"Sardonic\"\r\nBackdoor\r\nBy Eduard BUDACA\r\nArchived: 2026-04-06 03:10:28 UTC\r\nAugust 25, 2021\r\nSince January 2016, FIN8 has been steadily building a reputation among financially motivated advanced threat\r\nactors. Bitdefender researchers are constantly monitoring this group’s activity, and previous research released in\r\nearly 2021 documented the use of a new, improved version of the BADHATCH backdoor.\r\nThis whitepaper focuses on the analysis of a new backdoor component discovered during a forensic investigation,\r\ndescribed here. As this backdoor has not been documented or referenced before, we named it “Sardonic”, given\r\nthat artifacts led us to believe the threat actors use this name for an entire project including the backdoor itself, the\r\nloader and some additional scripts. We believe this project is still under development, and additional updates will\r\nlikely follow.\r\nKey facts about Sardonic:\r\nSardonic is a new backdoor in the FIN8 ecosystem\r\nSardonic is a project still under development and includes several components\r\nThe new components were identified in a real-life attack and seem to have been compiled just before the attack\r\nThe Sardonic backdoor is extremely potent and has a wide range of capabilities that help the threat actor\r\nleverage new malware on the fly without updating components\r\nRecommendations\r\nFIN8 continues to strengthen its capabilities and malware delivery infrastructure. The highly skilled financial\r\nthreat actor is known to take long breaks to refine tools and tactics to avoid detection before it strikes viable\r\ntargets.\r\nBitdefender recommends that companies in target verticals (retail, hospitality, finance) check for potential\r\ncompromise by applying the following IoCs to their EDR, XDR and other security defenses.\r\nTo further minimize the impact of financial malware, companies should:\r\nSeparate the POS network from the ones used by employees or guests\r\nIntroduce cybersecurity awareness training for employees to help them spot phishing e-mails.\r\nTune the e-mail security solution to automatically discard malicious or suspicious attachments.\r\nIntegrate threat intelligence into existing SIEM or security controls for relevant Indicators of Compromise.\r\nSmall and medium organizations without a dedicated security team should consider outsourcing security\r\noperations to Managed Detection and Response providers.\r\nIndicators of Compromise\r\nAn up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat\r\nIntelligence users. The currently known indicators of compromise can be found in the whitepaper below.\r\nDownload the research whitepaper\r\nSource: https://www.bitdefender.com/blog/labs/fin8-threat-actor-spotted-once-again-with-new-sardonic-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bitdefender.com/blog/labs/fin8-threat-actor-spotted-once-again-with-new-sardonic-backdoor/"
	],
	"report_names": [
		"fin8-threat-actor-spotted-once-again-with-new-sardonic-backdoor"
	],
	"threat_actors": [
		{
			"id": "3150bf4f-288a-44b8-ab48-0ced9b052a0c",
			"created_at": "2025-08-07T02:03:24.910023Z",
			"updated_at": "2026-04-10T02:00:03.713077Z",
			"deleted_at": null,
			"main_name": "GOLD HUXLEY",
			"aliases": [
				"CTG-6969 ",
				"FIN8 "
			],
			"source_name": "Secureworks:GOLD HUXLEY",
			"tools": [
				"Gozi ISFB",
				"Powersniff"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5bdde906-0416-42ee-9100-5ebd95dda77a",
			"created_at": "2023-01-06T13:46:38.601977Z",
			"updated_at": "2026-04-10T02:00:03.035842Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK113",
				"G0061"
			],
			"source_name": "MISPGALAXY:FIN8",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72d09c17-e33e-4c2f-95db-f204848cc797",
			"created_at": "2022-10-25T15:50:23.832551Z",
			"updated_at": "2026-04-10T02:00:05.336787Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"FIN8",
				"Syssphinx"
			],
			"source_name": "MITRE:FIN8",
			"tools": [
				"BADHATCH",
				"PUNCHBUGGY",
				"Ragnar Locker",
				"PUNCHTRACK",
				"dsquery",
				"Nltest",
				"Sardonic",
				"PsExec",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fc80a724-e567-457c-82bb-70147435e129",
			"created_at": "2022-10-25T16:07:23.624289Z",
			"updated_at": "2026-04-10T02:00:04.691643Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK 113",
				"G0061",
				"Storm-0288",
				"Syssphinx"
			],
			"source_name": "ETDA:FIN8",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BadHatch",
				"BlackCat",
				"Noberus",
				"PSVC",
				"PUNCHTRACK",
				"PoSlurp",
				"Powersniff",
				"PunchBuggy",
				"Ragnar Loader",
				"Ragnar Locker",
				"RagnarLocker",
				"Sardonic",
				"ShellTea"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446656,
	"ts_updated_at": 1775792064,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e7ec6fb70c56f1b9ef4172ef4d6a854a4ec15f0.pdf",
		"text": "https://archive.orkl.eu/4e7ec6fb70c56f1b9ef4172ef4d6a854a4ec15f0.txt",
		"img": "https://archive.orkl.eu/4e7ec6fb70c56f1b9ef4172ef4d6a854a4ec15f0.jpg"
	}
}