{ "id": "d899f030-8a57-4200-b45b-dc4a502657e3", "created_at": "2026-04-06T00:19:31.296083Z", "updated_at": "2026-04-10T03:36:36.832406Z", "deleted_at": null, "sha1_hash": "5d3ed747b4fe9d0037853a3cd7ae64d0845a2964", "title": "FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft | Mandiant", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 574336, "plain_text": "FIN11: Widespread Email Campaigns as Precursor for\r\nRansomware and Data Theft | Mandiant\r\nBy Mandiant\r\nPublished: 2020-10-14 · Archived: 2026-04-05 15:13:30 UTC\r\nWritten by: Genevieve Stark, Andrew Moore, Vincent Cannon, Jacqueline O'Leary, Nalani Fraser, Kimberly\r\nGoody\r\nMandiant Threat Intelligence recently promoted a threat cluster to a named FIN (or financially motivated) threat\r\ngroup for the first time since 2017. We have detailed FIN11's various tactics, techniques and procedures in a report\r\nthat is available now by signing up for Mandiant Advantage Free.\r\nIn some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer\r\nvolume of activity. There are significant gaps in FIN11’s phishing operations, but when active, the group conducts\r\nup to five high-volume campaigns a week. While many financially motivated threat groups are short lived, FIN11\r\nhas been conducting these widespread phishing campaigns since at least 2016. From 2017 through 2018, the threat\r\ngroup primarily targeted organizations in the financial, retail, and hospitality sectors. However, in 2019 FIN11’s\r\ntargeting expanded to include a diverse set of sectors and geographic regions. At this point, it would be difficult to\r\nname a client that FIN11 hasn’t targeted.\r\nMandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully\r\nmonetize access in few instances. This could suggest that the actors cast a wide net during their phishing\r\nhttps://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html\r\nPage 1 of 2\n\noperations, then choose which victims to further exploit based on characteristics such as sector, geolocation or\r\nperceived security posture. Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated\r\ndata to pressure victims into paying ransom demands. The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in\r\nwhich criminal actors have increasingly focused on post-compromise ransomware deployment and data theft\r\nextortion.\r\nNotably, FIN11 includes a subset of the activity security researchers call TA505, but we do not attribute TA505’s\r\nearly operations to FIN11 and caution against using the names interchangeably. Attribution of both historic TA505\r\nactivity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most\r\nfinancially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that\r\nprovide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private\r\nmalware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and\r\nsophistication of their operations.\r\nTo learn more about FIN11’s evolving delivery tactics, use of services, post-compromise TTPs, and monetization\r\nmethods, register for Mandiant Advantage Free. The full FIN11 report is also available through our FireEye\r\nIntelligence Portal (FIP). Then for even more information, register for our exclusive webinar on Oct. 29 where\r\nMandiant threat intelligence experts will take a deeper dive into FIN11, including its origins, tactics, and potential\r\nfor future activity.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html\r\nhttps://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "ETDA", "Malpedia" ], "references": [ "https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html" ], "report_names": [ "fin11-email-campaigns-precursor-for-ransomware-data-theft.html" ], "threat_actors": [ { "id": "6728f306-6259-4e7d-a4ea-59586d90a47d", "created_at": "2023-01-06T13:46:39.175292Z", "updated_at": "2026-04-10T02:00:03.236282Z", "deleted_at": null, "main_name": "FIN11", "aliases": [ "TEMP.Warlock", "UNC902" ], "source_name": "MISPGALAXY:FIN11", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "dabb6779-f72e-40ca-90b7-1810ef08654d", "created_at": "2022-10-25T15:50:23.463113Z", "updated_at": "2026-04-10T02:00:05.369301Z", "deleted_at": null, "main_name": "APT1", "aliases": [ "APT1", "Comment Crew", "Comment Group", "Comment Panda" ], "source_name": "MITRE:APT1", "tools": [ "Seasalt", "ipconfig", "Cachedump", "PsExec", "GLOOXMAIL", "Lslsass", "PoisonIvy", "WEBC2", "Mimikatz", "gsecdump", "Pass-The-Hash Toolkit", "Tasklist", "xCmd", "pwdump" ], "source_id": "MITRE", "reports": null }, { "id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb", "created_at": "2023-01-06T13:46:38.228042Z", "updated_at": "2026-04-10T02:00:02.883048Z", "deleted_at": null, "main_name": "APT1", "aliases": [ "PLA Unit 61398", "Comment Crew", "Byzantine Candor", "Comment Group", "GIF89a", "Group 3", "TG-8223", "Brown Fox", "ShadyRAT", "G0006", "COMMENT PANDA" ], "source_name": "MISPGALAXY:APT1", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59", "created_at": "2024-06-19T02:03:08.128175Z", "updated_at": "2026-04-10T02:00:03.636663Z", "deleted_at": null, "main_name": "GOLD TAHOE", "aliases": [ "Cl0P Group Identity", "FIN11 ", "GRACEFUL SPIDER ", "SectorJ04 ", "Spandex Tempest ", "TA505 " ], "source_name": "Secureworks:GOLD TAHOE", "tools": [ "Clop", "Cobalt Strike", "FlawedAmmy", "Get2", "GraceWire", "Malichus", "SDBbot", "ServHelper", "TrueBot" ], "source_id": "Secureworks", "reports": null }, { "id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4", "created_at": "2022-10-25T15:50:23.5188Z", "updated_at": "2026-04-10T02:00:05.26565Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "TA505", "Hive0065", "Spandex Tempest", "CHIMBORAZO" ], "source_name": "MITRE:TA505", "tools": [ "AdFind", "Azorult", "FlawedAmmyy", "Mimikatz", "Dridex", "TrickBot", "Get2", "FlawedGrace", "Cobalt Strike", "ServHelper", "Amadey", "SDBbot", "PowerSploit" ], "source_id": "MITRE", "reports": null }, { "id": "1db21349-11d6-4e57-805c-fb1e23a8acab", "created_at": "2022-10-25T16:07:23.630365Z", "updated_at": "2026-04-10T02:00:04.694622Z", "deleted_at": null, "main_name": "FIN11", "aliases": [ "Chubby Scorpius", "DEV-0950", "Lace Tempest", "Operation Cyclone" ], "source_name": "ETDA:FIN11", "tools": [ "AZORult", "Amadey", "AmmyyRAT", "AndroMut", "BLUESTEAL", "Cl0p", "EMASTEAL", "FLOWERPIPE", "FORKBEARD", "FRIENDSPEAK", "FlawedAmmyy", "GazGolder", "Get2", "GetandGo", "JESTBOT", "MINEBRIDGE", "MINEBRIDGE RAT", "MINEDOOR", "MIXLABEL", "Meterpreter", "NAILGUN", "POPFLASH", "PuffStealer", "Rultazo", "SALTLICK", "SCRAPMINT", "SHORTBENCH", "SLOWROLL", "SPOONBEARD", "TiniMet", "TinyMet", "VIDAR", "Vidar Stealer" ], "source_id": "ETDA", "reports": null }, { "id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3", "created_at": "2023-01-06T13:46:38.860754Z", "updated_at": "2026-04-10T02:00:03.125179Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "SectorJ04", "SectorJ04 Group", "ATK103", "GRACEFUL SPIDER", "GOLD TAHOE", "Dudear", "G0092", "Hive0065", "CHIMBORAZO", "Spandex Tempest" ], "source_name": "MISPGALAXY:TA505", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e447d393-c259-46e2-9932-19be2ba67149", "created_at": "2022-10-25T16:07:24.28282Z", "updated_at": "2026-04-10T02:00:04.921616Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "ATK 103", "Chimborazo", "G0092", "Gold Evergreen", "Gold Tahoe", "Graceful Spider", "Hive0065", "Operation Tovar", "Operation Trident Breach", "SectorJ04", "Spandex Tempest", "TA505", "TEMP.Warlock" ], "source_name": "ETDA:TA505", "tools": [ "Amadey", "AmmyyRAT", "AndroMut", "Azer", "Bart", "Bugat v5", "CryptFile2", "CryptoLocker", "CryptoMix", "CryptoShield", "Dridex", "Dudear", "EmailStealer", "FRIENDSPEAK", "Fake Globe", "Fareit", "FlawedAmmyy", "FlawedGrace", "FlowerPippi", "GOZ", "GameOver Zeus", "GazGolder", "Gelup", "Get2", "GetandGo", "GlobeImposter", "Gorhax", "GraceWire", "Gussdoor", "Jaff", "Kasidet", "Kegotip", "Kneber", "LOLBAS", "LOLBins", "Living off the Land", "Locky", "MINEBRIDGE", "MINEBRIDGE RAT", "MirrorBlast", "Neutrino Bot", "Neutrino Exploit Kit", "P2P Zeus", "Peer-to-Peer Zeus", "Philadelphia", "Philadephia Ransom", "Pony Loader", "Rakhni", "ReflectiveGnome", "Remote Manipulator System", "RockLoader", "RuRAT", "SDBbot", "ServHelper", "Shifu", "Siplog", "TeslaGun", "TiniMet", "TinyMet", "Trojan.Zbot", "Wsnpoem", "Zbot", "Zeta", "ZeuS", "Zeus" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434771, "ts_updated_at": 1775792196, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5d3ed747b4fe9d0037853a3cd7ae64d0845a2964.pdf", "text": "https://archive.orkl.eu/5d3ed747b4fe9d0037853a3cd7ae64d0845a2964.txt", "img": "https://archive.orkl.eu/5d3ed747b4fe9d0037853a3cd7ae64d0845a2964.jpg" } }