{
	"id": "3b2ba39c-b8e5-4d39-9fb7-3d1dfd75d7eb",
	"created_at": "2026-04-06T00:08:46.087861Z",
	"updated_at": "2026-04-10T03:35:52.769685Z",
	"deleted_at": null,
	"sha1_hash": "60424b447beb8798de1d15675baeef3f36a589a2",
	"title": "On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 723156,
	"plain_text": "On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global\r\nCriminal Operation | Mandiant\r\nBy Mandiant\r\nPublished: 2018-08-01 · Archived: 2026-04-05 13:34:59 UTC\r\nWritten by: Nick Carr, Kimberly Goody, Steve Miller, Barry Vengerik\r\nOn Aug. 1, 2018, the United States District Attorney’s Office for the Western District of Washington unsealed indictments\r\nand announced the arrests of three individuals within the leadership ranks of a criminal organization that aligns with activity\r\nwe have tracked since 2015 as FIN7. These malicious actors are members of one of the most prolific financial threat groups\r\nof this decade, having carefully crafted attacks targeted at more than 100 organizations. FIN7 is referred to by many vendors\r\nas “Carbanak Group,” although we do not equate all usage of the CARBANAK backdoor with FIN7. This blog explores the\r\nrange of FIN7's criminal ventures, the technical innovation and social engineering ingenuity that powered their success, a\r\nglimpse into their recent campaigns, their apparent use of a security company as a front for criminal operations, and what\r\ntheir success means for the threat landscape moving forward. With this release, FireEye is also providing technical context,\r\nhistorical indicators, and techniques that organizations can use to hunt for FIN7 behavior enterprise-wide.\r\nFIN7 Does the Crime...\r\nThe threat group is characterized by its persistent targeting and large-scale theft of payment card data from victim\r\nsystems, at least a portion of which it has monetized through a prominent card shop. But FIN7’s financial operations were\r\nnot limited to card data theft. 
In some instances, when FIN7 encountered point of sale (POS) systems secured with end-to-end encryption (E2EE) or\r\npoint-to-point encryption (P2PE) and could not obtain payment card data, the group pivoted to\r\ntarget finance departments within their victim organizations.\r\nFurthermore, in April 2017, FireEye reported that FIN7 sent spear phishing emails to personnel involved with United States\r\nSecurities and Exchange Commission (SEC) filings at multiple organizations, providing further insight into FIN7’s\r\ntargeting. These targeted individuals would likely have access to material non-public information that FIN7 actors could use\r\nto gain a competitive advantage in stock trading.\r\nDiversification of their monetization tactics has allowed the group to impact a wide range of industries beyond those solely\r\nassociated with the payment card industry. During campaigns that FireEye associates with FIN7, victims within the following\r\nsectors have been targeted within the United States and Europe:\r\nRestaurants\r\nHospitality\r\nCasinos and Gaming\r\nEnergy\r\nFinance\r\nHigh-tech\r\nSoftware\r\nTravel\r\nEducation\r\nConstruction\r\nRetail\r\nTelecommunications\r\nGovernment\r\nBusiness services\r\nFIN7’s Innovation Enabled their Success\r\nThroughout FireEye’s tracking of FIN7 campaigns, the attackers have attempted to stay ahead of the game and thwart\r\ndetection, using novel tactics and displaying characteristics of a well-resourced operation. For example, in April 2017,\r\nFireEye blogged about FIN7’s spear phishing emails that leveraged hidden shortcut files (LNK files) to initiate the infection\r\nand VBScript functionality launched by mshta.exe to infect the victim. 
This was a direct departure from their established use\r\nof weaponized Office macros and highlighted the group’s willingness to adapt in order to evade detection.\r\nFireEye also previously reported on FIN7’s use of the CARBANAK backdoor as a post-exploitation tool to cement their\r\nfoothold in a network and maintain access to victim environments. CARBANAK is well known for its use in highly\r\nprofitable and sophisticated attacks dating back to 2013, with usage attributable to FIN7 beginning in late 2015, although\r\nit is unclear how interconnected the campaigns employing the malware over this five-year span are. FIN7’s use of\r\nCARBANAK is particularly notable due to their use of creative persistence mechanisms to launch the backdoor. The group\r\nleveraged an application shim database that injected a malicious in-memory patch into the Service Control Manager\r\n(\"services.exe\") process, and then spawned a CARBANAK backdoor process. FIN7 also used this tactic to install a payment\r\ncard harvesting utility.\r\nAnother notable characteristic of FIN7 has been their heavy use of digital certificates. Unsurprisingly, malicious threat\r\nactors have sought to exploit the legitimacy afforded by these certificates. 
By digitally signing their phishing documents,\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 1 of 37\n\nbackdoors and later stage tools, FIN7 was able to bypass many security controls that may limit execution of macros from\r\nOffice documents and restrict execution of unsigned binaries on trusted systems.\r\nOrganization Country Serial Email\r\nKorsar Travel TOV UA 88:21:ac:7e:6c:da:11:00:1d:b3:d3:1a:16:c1:5c:26 korsartravel@bk.ru\r\nKaitschuck James GB 30:2e:7f:14:3a:f3:f3:98:20:70:42:4e:ea:52:5d:d2 oliversoftware@hotmail.com\r\nPark Travel RU 4d:e2:87:56:98:bf:c7:74:a3:f3:47:d6:70:7c:9b:f0 inga@parktravel-mx.ru\r\nTable 1: Sample FIN7 code signing certificates\r\nFIN7 developed evasive techniques at a rapid pace. Throughout 2017, FIN7 was observed creating novel obfuscation\r\nmethods, and in some cases modifying the methods on a daily basis while launching attacks targeting multiple victims. The\r\nthreat group regularly tested malicious DOC, DOCX, and RTF phishing documents against public repositories to check\r\nstatic detection engine coverage. Their development of a payload obfuscation style using the Windows command\r\ninterpreter's (cmd.exe) native string substitution was so unique that FireEye dubbed it \"FINcoding.\" These methods inspired\r\ndeep command line obfuscation research and the release of Daniel Bohannon's Invoke-DOSfuscation. Reference Table 2 and\r\nTable 3 for a selection of samples and their associated command line obfuscation techniques.\r\nFIN7’s Relentless Phone Calls and Bellyaching\r\nOver the three years of responding to a multitude of compromises and proactively defending against FIN7, FireEye observed\r\nunprecedented social engineering prowess. From leveraging web forms for initial contact to targeting and engaging directly\r\nwith pre-determined store managers, the operators demonstrated a range of capabilities. 
FIN7’s reach extended beyond their\r\ntargets’ computer systems. FireEye has responded to incidents where FIN7 has called victims prior to lodging digital\r\ncomplaints laden with malicious documents as well as after the phishing documents have been sent, in order to check if they\r\nwere received – a crude but effective FIN7 email delivery tracking technique.\r\nAs FIN7 has matured, so has the quality of their phishing lures and templates, which were most often sent from fake but\r\nthoroughly disguised individuals and businesses – and occasionally from sender addresses impersonating legitimate\r\ngovernment entities. Their phishing has often exploited urgent, high value business matters tailored to their chosen targets.\r\nAt individual stores, managers were contacted about lost items or sent a “receipt” claiming overcharging. Other FIN7\r\nphishing emails masqueraded as detailed catering orders or requests for special menus tailored to individuals with dietary\r\nrestrictions.\r\nIn early 2017, a pattern of complaints emerged and has continued for well over a year, where FIN7 has contacted stores and\r\ncorporate offices to lodge food poisoning complaints with malicious attachments. Internally dubbed “FINdigestion” by\r\nFireEye, this pattern of detailed complaints eventually expanded beyond individual complaints and into litigious concerns\r\nraised on behalf of “the government”, as shown in Figure 1.\r\nFigure 1: FDA themed spear phishing email\r\nIt is noteworthy that the BATELEUR backdoor activity first identified by Proofpoint in July 2017, which FireEye tracks as a\r\nsuspected FIN7 subgroup, uses highly-customized graphics for their targets, often created in Adobe Photoshop. 
In this same\r\nphishing campaign, FIN7’s malicious attachment was graphically themed to match, as shown in Figure 2.\r\nFigure 2: FDA themed spear phishing attachment\r\nThroughout their operations, the professional design and continued development of phishing elements in parallel to other\r\npost-compromise tools indicated to FireEye that FIN7 was most likely a well-resourced criminal operation.\r\nIt’s Just Metadata\r\nFireEye has tracked several FIN7 personas throughout their operations by collecting and parsing filetypes of forensic value\r\nfor juicy metadata. In a previous blog, we shared how LNK files created by FIN7 unintentionally revealed valuable\r\ninformation about their development environment.\r\nLNK files can contain metadata that reveals attributes about the systems on which the LNKs were created, including original\r\nfile paths, volume serial numbers, MAC addresses, and hostnames. By studying values within the LNK metadata we often\r\nidentify \"toolmarks,\" or unique values associated with distinct malware developer and operator personas.\r\nFIN7 LNK metadata shows that the actors routinely used virtual machines with generic hostnames such as ANDY-PC or\r\nUSER-PC, and default hostnames with the structure WIN-[A-Z0-9]{11} (e.g. WIN-ABCDEFGH1JK).\r\nFireEye has tracked several hostname and path toolmarks associated with FIN7’s operations, which we have used to link\r\nclusters of threat activity together. These toolmarks may be linked to FIN7 members who are involved in tool development\r\nor the broader criminal operation. 
Notable personas from the technical data, which are explored in more detail in the\r\nTechnical Appendix section, include:\r\n\"andy\" / \"andy-pc\"\r\n\"Hass\"\r\n\"jimbo\"\r\n\"Константин\" (Konstantin)\r\n\"oleg\"\r\nThis analysis allowed us to understand FIN7’s systems and correlate future attack activity to the different personas.\r\nFurthermore, the metadata analysis helped us monitor for files generated by the group and use the established toolmarks to\r\nestablish detection for other adversary methodologies (such as direct RDP or SMB access) if the group changed TTPs.\r\nVideo Playback of FIN7 Operations\r\nWhile responding to multiple FIN7 intrusions, FireEye recovered a custom video recording capability used by FIN7 as a\r\npart of their operations. FireEye’s FLARE team reverse engineered the video protocol, which appeared to be custom-written\r\nby FIN7 as it has no external library dependencies, contained Cyrillic comments in the code, and required the use of a\r\nbespoke video player unique to FIN7. The attackers most likely leveraged this video recording capability in their arsenal to\r\nmonitor operations in victim environments to inform later stages of their intrusions.\r\nFireEye obtained a version of the criminal developers’ video player from a trusted source and with the knowledge of the\r\nreverse engineered protocol, the FLARE team modified the source code to support multiple versions of FIN7’s custom\r\nencoding. 
With the patched source code, FireEye can decode and play back FIN7’s video monitoring for affected victims in\r\npossession of these files.\r\nRecent Shifts in FIN7 Operations\r\nThroughout 2018, FireEye has continued to identify multiple domains registered using patterns consistent with prior FIN7\r\nactivity, as well as campaigns using disparate TTPs that we have attributed to FIN7 with varying degrees of confidence. ZIP\r\narchives delivering the BIRDDOG backdoor were hosted on a portion of suspected FIN7 domains registered in 2018. Some\r\nevidence further characterizing the nature of this campaign suggests these malicious documents were sent to financial\r\ninstitution customers in Eastern Europe and Central Asia as early as September 2017. The targeting of individuals rather\r\nthan organizations would mark a significant shift in their targeting, although it is also possible that the banks spoofed in\r\nthese campaigns were FIN7's ultimate targets.\r\nAdditionally, we have identified similarities between FIN7 activity and BATELEUR campaigns, which began as early as\r\nmid-2017 and have been primarily aimed at U.S.-based restaurant chains. These campaigns leveraged macro-embedded\r\nWord documents directly attached to the emails as well as ones hosted on Google Drive. The documents were meticulously\r\ncrafted to appear as though they came from legitimate organizations (e.g. restaurant associations and suppliers of POS\r\nhardware). This suspected FIN7 activity continued past the date of the most recent arrest announced by U.S. law enforcement,\r\nalthough the attackers are now leveraging an updated JavaScript backdoor dubbed GRIFFON.\r\nThese recent campaigns could be representative of a decisive effort to diversify TTPs to avoid detection or could indicate the\r\nformation of FIN7 splinter groups carrying out autonomous campaigns. 
As a result, organizations need to remain vigilant\r\nand continue to monitor for changes in the methods employed by the FIN7 actors.\r\nUnveiling FIN7’s Front Company and Industry\r\nFigure 3: Combi Security logo as retrieved from 2016 cache of combisecurity.com\r\nAccording to U.S. law enforcement, at least a portion of FIN7 activity was run out of a front company dubbed Combi\r\nSecurity. A cache of its website reveals that the company purported to be “the world leaders in the field of comprehensive\r\nprotection of large information systems from modern cyber threats” with headquarters in Moscow, Haifa, and Odessa. We\r\nhave identified job advertisements for Combi Security that have been posted on popular Russian, Ukrainian, and Uzbek job\r\nrecruitment sites, as well as numerous individuals who most likely worked for the company. Due to the seeming legitimacy\r\nof the recruitment postings, some individuals may have been unaware of the illicit nature of their work. While the recruitment of\r\nunwitting individuals as puppets has been a common component of at least some criminal schemes – for example,\r\nreshipping mules who are recruited through postings on career sites advertising attractive work-from-home jobs – FIN7’s\r\nveiling of full-scale financial compromises as legitimate offensive security engagements is particularly notable. The apparent\r\nsuccess of Combi Security in recruiting unsuspecting individuals in this manner may lead to more of this type of technical\r\nrecruitment by cyber criminals in the future.\r\nSplitting Up?\r\nThe criminal organization behind FIN7 is almost certainly comprised of many additional individuals beyond those already\r\napprehended by law enforcement authorities. 
FireEye iSIGHT Intelligence expects that at least a portion of these malicious\r\nactors are likely to continue conducting cyber crime activity in some capacity. Although we expect activity to continue, it is\r\nextremely common for threat actors to either modify their TTPs or temporarily halt operations following significant\r\ndevelopments such as arrests of high-level members and/or public disclosure of TTPs that they employ.\r\nDepending on the organizational and communication structure of the group, it is also plausible that multiple subgroups could\r\nform and carry out independent operations in the future. Recent campaigns, as well as those using tactics that were atypical\r\nfor historical FIN7 campaigns, such as the SEC campaigns with widespread targeting, may be representative of semi-autonomous groups pre-existing within, or cooperating with, the FIN7 criminal organization. As noted in our CARBANAK\r\noverview, certain malware families and techniques transcend strictly defined threat groups, and may be re-used by\r\ndevelopers and operators as they transition between organizations and campaigns.\r\nConclusion\r\nThese recent announcements by U.S. law enforcement highlight the positive impact that can result from synergy between\r\nprivate and public sector organizations in disrupting organized cyber crime operations. As demonstrated by FIN7,\r\nfinancially-motivated threat actors are becoming extremely advanced and are capable of inflicting significant harm on\r\norganizations through vast, but carefully orchestrated campaigns. As sophisticated threat groups continue to emerge,\r\npartnerships, such as those exhibited here, will almost certainly play a key role in combating these threats.\r\nAcknowledgements\r\nJordan Nuce, Tom Bennett, Michael Bailey, and Daniel Bohannon\r\nTechnical Appendix\r\nFireEye has responded to many FIN7 incidents, which has provided us extensive insight into their operations. 
As part of this\r\nblog post, we are also including numerous indicators that we attribute to FIN7 and an overview of their techniques to aid\r\norganizations in identifying malicious activity across their networks.\r\nPhishing Documents Technical Details\r\nIn addition to LNK metadata, FIN7 phishing documents consistently contained artifacts detailing the local file system paths\r\nof component files used to construct the spear phishing documents. In the following tables, we have also included examples\r\nof the myriad of command line obfuscation techniques used by FIN7. Of particular note is the quick turnaround time\r\nbetween documents employing different techniques.\r\nEXIF Creation Time Attribution Malware MD5 Filename\r\n2018:05:21 17:32:00\r\nSuspected\r\nFIN7\r\nGRIFFON 7e703dddcfc83cd352a910b48eaca95e  \r\nC:\\Users\\jimbo\\Desktop\\Files\\Картинки\\outlook2.png        \r\ncmd.exe /k \"SET a01=wscr\u0026 SET a02=ipt\u0026\u0026call\r\n%a01%%a02% /e:jscript //b %TEMP%\\errors.txt\r\n       \r\nEXIF Creation Time Attribution Malware MD5 Filename\r\n2018:01:26 15:59:00\r\nSuspected\r\nFIN7\r\nBATELEUR bb1a76702e2e7d0aa23385f24683d214 Doc1.doc\r\nC:\\Users\\Hass\\Desktop\\Картинки\\New\\outlook3.png        \r\ncmd.exe /c wscript.exe //b /e:jscript %TEMP%\\crashpad.ini        \r\nEXIF Creation Time Attribution Malware MD5 Filename\r\n2018:01:11 13:16:00\r\nSuspected\r\nFIN7\r\nBATELEUR 5972597b729a7d2853a3b37444e58e01 check.doc\r\nC:\\Users\\Hass\\Desktop\\Картинки\\New\\outlook2.png        \r\ncmd.exe /c wscript.exe //b /e:jscript %TEMP%\\crashpad.ini        \r\nEXIF Creation Time Attribution Malware MD5 Filename\r\n2017:10:25 07:43:00\r\nSuspected\r\nFIN7\r\nBATELEUR c4aabdcf19898d9c30c4c2edea0147f0 document1.d\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 6 of 37\n\nC:\\Users\\oleg\\Desktop\\Файлы\\Картинки\\New\\defender.jpg        \r\ncmd.exe /c wscript.exe //b 
/e:jscript %TEMP%\\crashpad.ini        \r\nEXIF Creation Time Attribution Malware MD5 Filename\r\n2017:06:23 15:18:00\r\nSuspected\r\nFIN7\r\nBATELEUR 467062d2a5a341716c42c6d7f36ba0ed check.doc\r\nC:\\Users\\Work\\Desktop\\IMAGES\\outlook2.png        \r\nwscript.exe //b /e:jscript %TEMP%\\debug.txt        \r\nTable 2: Suspected FIN7 spear phishing launch parameters and attacker local system artifacts\r\nEXIF Creation Time\r\n2017:10:06 11:21:00\r\nC:\\Users\\andy\\Desktop\\unlock.cmd\r\ncmd /c \"\"%TMP%\\unlock.cmd\" \"\r\n@set w=wsc@ript /b /e:js@cript %HOMEPATH%\\tt.txt@echo try{var fs=new ActiveXObject('Scripting.FileSystemObject');sh=new ActiveXObject('W\r\nf=fs.OpenTextFile(p,1,false);for(i=0;i^\u003c4;i++)f.SkipLine();var com='';while(!f.AtEndOfStream)com+=f.ReadLine().substr(1);f.Close();try{fs.DeleteFile\r\n\u003e%HOMEPATH%\\tt.txt@copy /y %TMP%\\unlock.cmd %HOMEPATH%\\pp.txt@echo %w:@=%|cmd\r\nEXIF Creation Time\r\n2017:09:27 11:56:00\r\nC:\\Users\\usr\\Documents\\send\\270917\\unlock.doc.lnk\r\nwmic.exe process call create \"cmd start /min cmd /c for /f \\\"usebackq delims=\\\" %x in (`FindStr /R /C:\\\"@#[0-9]#@\\\" \\\"%TEMP%\\unlock.doc.lnk\\\"`) d\r\ncmd.exe /S /D /c\" echo /*@#8#@*/try{sh=new ActiveXObject(\"Wscript.Shell\");fs=new\r\nActiveXObject(\"Scripting.FileSystemObject\");p=sh.ExpandEnvironmentStrings(\"%TM\"+\"P%\");f=fs.GetFile(p+\"//unlock.doc.lnk\");s=f.OpenAsTextStr\r\n(c);}catch(e){} \u003e%HOMEPATH%\\t.txt  \u0026 wscript //b /e:jscript %HOMEPATH%\\t.txt  \u003enul 2\u003e\u00261 \u0026\"\r\nEXIF Creation Time\r\n2017:08:08 17:38:00\r\nC:\\Users\\andy\\Desktop\\unlock.doc.lnk\r\nwmic.exe process call create \"mshta javascript:eval(\\\"try{eval('wall=GetObject(\\\\'\\\\''+String.fromCharCode(44)+'\\\\'Word.Application\\\\')');eval(wall.Acti\r\nmshta.exe \"try{jelo = 
'try{w=GetObject(\"\",\"Wor\"+\"d.Application\");this[String.fromCharCode(101)+\\\\'va\\\\'+\\\\'l\\\\'](w.ActiveDocument.Shapes(1).TextFr\r\nActiveXObject(\"Scripting.FileSystemObject\");var sh = new ActiveXObject(\"Wscript.Shell\");var p = sh.ExpandEnvironmentStrings(\"%HOMEPATH%\"\r\nEXIF Creation Time\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 7 of 37\n\n2017:07:27 15:51:00\r\nC:\\Users\\jinvr-3-1\\Desktop\\unlock.doc.lnk\r\ncmd.exe /C set x=wsc@ript /e:js@cript %HOMEPATH%\\ttt.txt \u0026 echo try{w=GetObject(\"\",\"Wor\"+\"d.Application\");this[String.fromCharCode(101)+'v\r\n\u003e%HOMEPATH%\\ttt.txt \u0026 echo %x:@=%|cmd\r\nEXIF Creation Time\r\n2017:06:28 16:21:00\r\nC:\\Users\\andy\\Desktop\\unprotect.rtf.lnk\r\ncmd.exe /C set x=wsc@ript /e:js@cript %HOMEPATH%\\md5.txt \u0026 echo try{w=GetObject(\"\",\"Wor\"+\"d.Application\");this[String.fromCharCode(101)\r\n\u003e%HOMEPATH%\\md5.txt \u0026 echo %x:@=%|cmd\r\nEXIF Creation Time\r\n2017:05:11 12:59:00\r\nC:\\Users\\user\\Documents\\unprotect.lnk\r\nC:\\WINDOWS\\system32\\mshta.exe vbscript:Execute(\"On Error Resume Next:set yjdsqjtrn=GetObject(,\"\"Word.Application\"\"):execute yjdsqjtrn.Active\r\nEXIF Creation Time\r\n2017:04:20 16:27:00\r\nC:\\Users\\testadmin.TEST\\Desktop\\unprotect.lnk\r\nC:\\WINDOWS\\system32\\mshta.exe vbscript:Execute(\u0026quot;On Error Resume Next:set wprotect=GetObject(,\u0026quot;\u0026quot;Word.Application\u0026quot;\u0026\r\nwprotect.ActiveDocument.Shapes(1).TextFrame.TextRange.Text:close\u0026quot;)\r\nEXIF Creation Time\r\n2017:01:12 18:00:00\r\nC:\\Users\\testadmin.TEST\\Desktop\\unprotected.vbeC:\\Users\\tst01\\Desktop\\unprotected.vbs\r\n%WINDIR%\\System32\\Wscript.exe %TEMP%\\WindowsUpdate_X24532\\beginer.vbs\r\nEXIF Creation Time\r\n2016:08:12 
11:26:00\r\nC:\\Users\\test\\Documents\\sploits\\120816\\order.vbe\r\n%WINDIR%\\System32\\Wscript.exe %TEMP%\\AdobeUpdateManagementTool.vbs\r\nTable 3: FIN7 spear phishing launch parameters and attacker local system artifacts\r\nFIN7 Tactics, Techniques \u0026 Procedures (TTPs)\r\nFireEye is providing insight into FIN7’s notable methodologies across multiple stages of the attack lifecycle and tips for\r\nidentifying evidence of this activity and similarly suspicious activity in your environment.\r\nAttack Lifecycle Stage | Adversary Methodology | Discovery Tips\r\nInitial Compromise | Spear phishing emails sent using PHP Mailer | Inbound emails containing metadata such as “X-Mailer: PHPMailer”\r\nEstablish Foothold | Persistence using registry Run and Run Once keys | New Run and RunOnce registry entries referencing .VBS and .VBA\r\nEstablish Foothold | Execution or persistence using Scheduled Tasks | New Scheduled Tasks referencing .CMD, .LNK, .VBS, .VBA, .PS1 and other scripting language extensions\r\nEstablish Foothold | Persistence using Windows Services, Startup Directory | New Windows Services, new files in Startup directories\r\nEstablish Foothold | Persistence using AppCompat Shim | New shim database files and modifications of AppCompatFlags registry keys (see FIN7 SDB Persistence)\r\nMaintain Presence | C2 using favored C2 ports | Outbound connections with port-protocol mismatches on common ports such as 53, 80, 443, 8080\r\nMaintain Presence | C2 using favored generic 3LDs | Outbound connections or DNS resolutions to \"sketchy\" 2nd level domains with generic 3rd level domains such as mail, www1, www2, dns, ftp (eg. “mail[.]qefg[.]info”)\r\nMaintain Presence | C2 using VPS infrastructure with low reputation | Inbound and outbound connections from and to non-standard IP ranges, especially from international Virtual Private Server (VPS) providers\r\nMaintain Presence | C2 using legitimate services including Google Docs, Google Scripts and Pastebin |\r\nMaintain Presence | C2 using DNS via A, OPT, TXT records | Unusually long or numerous DNS A, TXT and OPT record queries\r\nMaintain Presence | C2 domains registered with REG.RU | Newly observed domains registered via REG.RU\r\nMaintain Presence | C2 domains registered with NameCheap | Newly observed domains registered via NameCheap\r\nMaintain Presence | C2 domains registered with odd format and top-level domains | Unusually long or numerous DNS queries with the structure [a-zA-Z]{4,5}\\.[pw|us|club|info|site|top] (eg. 
“pvze[.]club”)\r\nMaintain Presence | C2 domains registered with hyphen | Outbound connections to newly registered, hyphenated domains\r\nTable 4: FIN7 TTPs\r\nFIN7 Indicators\r\nFireEye is providing these granular technical indicators so that interested parties can better understand the threat actor and\r\nsearch for their historical activity across enterprise networks.\r\nPhishing Documents Droppers\r\n
5972597b729a7d2853a3b37444e58e01\r\nSuspected\r\nFIN7\r\nBATELEUR\r\n6fff1d68203f8d23ccd23507ba00b9df\r\nSuspected\r\nFIN7\r\nBATELEUR\r\ncheck.doc 762eef684e01831aa2f96031eff378bf\r\nSuspected\r\nFIN7\r\nBATELEUR\r\ncheck.doc 9b1af2d9c0c0687c70466385800b6847\r\nSuspected\r\nFIN7\r\nBATELEUR\r\nDoc1.doc bb1a76702e2e7d0aa23385f24683d214\r\nSuspected\r\nFIN7\r\nBATELEUR\r\ncheck.doc d4088f8202e0eb27f90e692f988f0780\r\nSuspected\r\nFIN7\r\nBATELEUR\r\ninvoices.doc dc8b30c5253f02a790a31f2853fe41f8\r\nSuspected\r\nFIN7\r\nBATELEUR\r\nblah.doc e020668055eb1d22710aa07f72860075\r\nSuspected\r\nFIN7\r\nBATELEUR\r\nphotos.doc c517f48bf95a4f3ecba2046d12e62c88\r\nSuspected\r\nFIN7\r\nGRIFFON\r\ntest.doc d7ca38e21327541787ab84bde83d7f81\r\nSuspected\r\nFIN7\r\nGRIFFON\r\nAdditional Malware\r\nMD5 Malware Attribution\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 16 of 37\n\n5f73beb23c45006ad952a71fa62c6f9f BABYMETAL FIN7\r\na3754fba24f85d1d1bb7c0382e41586b BABYMETAL FIN7\r\ndad8ebcbb5fa6721ccad45b81874e22c BABYMETAL FIN7\r\necd8879702347966750c37247ef6c2e6 BABYMETAL FIN7\r\n039d9e47e4474bee24785f8ec5307695 BIRDDOG FIN7\r\n92dfd0534b080234f9536371be63e37a BIRDDOG FIN7\r\n188f261e5fca94bd1fc1edc1aafee8c0 CARBANAK FIN7\r\n2828ea78cdda8f21187572c99ded6dc2 CARBANAK FIN7\r\n291a17814d5dbb5bce5b186334cde4b1 CARBANAK FIN7\r\n4b3dac0a4f452b07d29f26b119180bd2 CARBANAK FIN7\r\n4eda75dfd4d12eda6a6219423b5972bd CARBANAK FIN7\r\n6e9408c338e98a8bc166a8d4f8264019 CARBANAK FIN7\r\n749c5085cda920e830cfed32842ba835 CARBANAK FIN7\r\n80b022b39d91527f6ae5b4834d7c8173 CARBANAK FIN7\r\n8ae284d547bd1b8bd6bc2431735f9142 CARBANAK FIN7\r\n8e1e7f5ad99e48b740fd00085eab1f84 CARBANAK FIN7\r\n9ae433cd5397af6b485f1abb06b2c5a2 CARBANAK FIN7\r\nbe1154e38df490e1dcbde3ffb2ebd05c CARBANAK FIN7\r\nc6b57e042ceadb60d6fab217d3523e17 CARBANAK FIN7\r\nc6ec176592ea26c4ee27974273e592ff CARBANAK FIN7\r\ndd4f312c7e1c25564a8d00b0f3495e24 
CARBANAK FIN7\r\nfacd37cd76989f45088ae98de8ed7aa0 CARBANAK FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 17 of 37\n\n4dc99280459292ef60d6d01ed8ece312 DRIFTPIN FIN7\r\n63241a3580cd1135170b044a84005e92 DRIFTPIN FIN7\r\n70345aa0b970e1198a9267ae4532a11b DRIFTPIN FIN7\r\nde50d41d70b8879cdc73e684ad4ebe9f DRIFTPIN FIN7\r\nddc9b71808be3a0e180e2befae4ff433 SIMPLECRED FIN7\r\n90f35fd205556a04d13216c33cb0dbe3 BIRDDOG Suspect FIN7\r\nIPs\r\nIP Address Malware Attribution\r\n107.161.159.17 CARBANAK FIN7\r\n107.181.160.12 CARBANAK FIN7\r\n107.181.160.75* DRIFTPINHALFBAKED FIN7\r\n162.244.32.168 CARBANAK FIN7\r\n162.244.32.175 CARBANAK FIN7\r\n179.43.140.82* CARBANAK FIN7\r\n179.43.140.85* CARBANAK FIN7\r\n179.43.160.162 CARBANAK FIN7\r\n179.43.160.215 CARBANAK FIN7\r\n185.104.8.173 CARBANAK FIN7\r\n198.100.119.28 CARBANAK FIN7\r\n204.155.30.100 CARBANAK FIN7\r\n204.155.30.100 DRIFTPINHALFBAKED FIN7\r\n23.249.162.161 CARBANAK FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 18 of 37\n\n5.8.88.64 BIRDDOG FIN7\r\n94.140.120.132 CARBANAK FIN7\r\n95.215.45.95 CARBANAK FIN7\r\n95.215.46.70 CARBANAK FIN7\r\n95.215.46.76 CARBANAK FIN7\r\n185.66.15.50 Suspected FIN7\r\n194.165.16.113 Suspected FIN7\r\n46.161.3.23 Suspected FIN7\r\n85.93.2.148 Suspected FIN7\r\n85.93.2.149 Suspected FIN7\r\n81.177.27.41 Suspected FIN7\r\n95.46.45.128 BATELEUR Suspected FIN7\r\n185.17.121.200 BATELEUR Suspected FIN7\r\n185.20.184.109* BATELEUR Suspected FIN7\r\n185.220.35.20 BATELEUR Suspected FIN7\r\n185.5.248.167* BATELEUR Suspected FIN7\r\n194.165.16.134 BATELEUR Suspected FIN7\r\n195.133.48.65 BATELEUR Suspected FIN7\r\n195.133.49.73 BATELEUR Suspected FIN7\r\n217.23.155.19 BATELEUR Suspected FIN7\r\n31.184.234.66 BATELEUR Suspected FIN7\r\n31.184.234.71 BATELEUR Suspected 
FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 19 of 37\n\n5.188.10.102 BATELEUR Suspected FIN7\r\n5.188.10.102 BATELEUR Suspected FIN7\r\n5.188.10.248 BATELEUR Suspected FIN7\r\n85.93.2.111 BATELEUR Suspected FIN7\r\n85.93.2.148 BATELEUR Suspected FIN7\r\n85.93.2.56 BATELEUR Suspected FIN7\r\n85.93.2.73 BATELEUR Suspected FIN7\r\n85.93.2.92 BATELEUR Suspected FIN7\r\n89.223.30.99 BATELEUR Suspected FIN7\r\n104.193.252.167 HALFBAKED FIN7\r\n104.232.34.166 HALFBAKED FIN7\r\n104.232.34.36 HALFBAKED FIN7\r\n107.181.160.76* HALFBAKED FIN7\r\n119.81.178.100 HALFBAKED FIN7\r\n119.81.178.101 HALFBAKED FIN7\r\n138.201.44.3 HALFBAKED FIN7\r\n138.201.44.4 HALFBAKED FIN7\r\n179.43.147.71 HALFBAKED FIN7\r\n185.180.197.20 HALFBAKED FIN7\r\n185.180.197.34 HALFBAKED FIN7\r\n185.86.151.175 HALFBAKED FIN7\r\n191.101.242.162 HALFBAKED FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 20 of 37\n\n195.54.162.237* HALFBAKED FIN7\r\n195.54.162.245 HALFBAKED FIN7\r\n195.54.162.79* HALFBAKED FIN7\r\n198.100.119.6 HALFBAKED FIN7\r\n198.100.119.7 HALFBAKED FIN7\r\n204.155.31.167 HALFBAKED FIN7\r\n204.155.31.174 HALFBAKED FIN7\r\n217.12.208.80 HALFBAKED FIN7\r\n31.148.219.141* HALFBAKED FIN7\r\n31.148.219.18* HALFBAKED FIN7\r\n31.148.219.44* HALFBAKED FIN7\r\n31.148.220.107* HALFBAKED FIN7\r\n31.148.220.215* HALFBAKED FIN7\r\n5.149.250.235 HALFBAKED FIN7\r\n5.149.250.241 HALFBAKED FIN7\r\n5.149.252.144 HALFBAKED FIN7\r\n5.149.253.126 HALFBAKED FIN7\r\n8.28.175.68* HALFBAKED FIN7\r\n81.17.28.118* HALFBAKED FIN7\r\n91.235.129.251* HALFBAKED FIN7\r\n94.140.120.122 HALFBAKED FIN7\r\n94.140.120.134 HALFBAKED FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 21 of 37\n\n95.215.46.229 HALFBAKED FIN7\r\n95.215.47.105 HALFBAKED 
FIN7\r\n5.135.73.113 BIRDDOG Suspect FIN7\r\n5.8.88.64 BIRDDOG FIN7\r\n*VPS that may also have legitimate traffic.\r\nFull Qualified Domain Names (FQDNs)\r\nDomain Malware Attribution\r\nbigred-tours.com FIN7\r\nclients12-google.com BEACON.DNS FIN7\r\nclients2-google.com FIN7\r\np3-marketing.com FIN7\r\ncdn-googleapi.com GRIFFON Suspect FIN7\r\ncdn-googleservice.com GRIFFON Suspect FIN7\r\nacity-lawfirm.com FIN7\r\nalgew.me POWERSOURCE FIN7\r\naloqd.pw POWERSOURCE FIN7\r\namhs.club TEXTMATE FIN7\r\nanselbakery.com FIN7\r\napvo.club TEXTMATE FIN7\r\narctic-west.com FIN7\r\nauyk.club POWERSOURCE FIN7\r\nb-bconsult.com FIN7\r\nbcleaningservice.com FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 22 of 37\n\nbigrussianbss.com FIN7\r\nbipismol.com FIN7\r\nbipovnerlvd.com FIN7\r\nblopsadmvdrl.com FIN7\r\nblopsdmvdrl.com FIN7\r\nbnrnboerxce.com FIN7\r\nbpee.pw POWERSOURCE FIN7\r\nbureauofinspections.com FIN7\r\nbvyv.club POWERSOURCETEXTMATE FIN7\r\nbwuk.club POWERSOURCETEXTMATE FIN7\r\nbwwrvada.com FIN7\r\ncgqy.us POWERSOURCETEXTMATE FIN7\r\nchatterbuzz-media.com FIN7\r\nchenstravelconsulting.com FIN7\r\ncihr.site POWERSOURCETEXTMATE FIN7\r\ncitizentravel.biz FIN7\r\ncjsanandreas.com FIN7\r\nckwl.pw POWERSOURCETEXTMATE FIN7\r\ncloo.com POWERSOURCE FIN7\r\ncnkmoh.pw POWERSOURCE FIN7\r\ncnlu.net TEXTMATE FIN7\r\ncnmah.pw POWERSOURCE FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 23 of 37\n\ncoec.club POWERSOURCETEXTMATE FIN7\r\ncoffee-joy-usa.com FIN7\r\ncspg.pw TEXTMATE FIN7\r\nctxdns.org FIN7\r\nctxdns.pw FIN7\r\ncuuo.us POWERSOURCETEXTMATE FIN7\r\ndaskd.me POWERSOURCE FIN7\r\ndbxa.pw POWERSOURCETEXTMATE FIN7\r\nddmd.pw POWERSOURCE FIN7\r\ndeliciouswingsny.com FIN7\r\ndlex.pw POWERSOURCE FIN7\r\ndlox.pw POWERSOURCE FIN7\r\ndnstxt.net FIN7\r\ndnstxt.org FIN7\r\ndoof.pw POWERSOURCE 
FIN7\r\ndosdkd.mo POWERSOURCE FIN7\r\ndpoo.pw POWERSOURCE FIN7\r\ndsud.com POWERSOURCE FIN7\r\ndtxf.pw POWERSOURCE FIN7\r\nduglas-manufacturing.com FIN7\r\ndvso.pw POWERSOURCETEXTMATE FIN7\r\ndyiud.com POWERSOURCE FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 24 of 37\n\neady.club POWERSOURCETEXTMATE FIN7\r\nenuv.club POWERSOURCETEXTMATE FIN7\r\neter.pw POWERSOURCETEXTMATE FIN7\r\nextmachine.biz FIN7\r\nfacs.pw TEXTMATE FIN7\r\nfbjz.pw POWERSOURCETEXTMATE FIN7\r\nfhyi.club POWERSOURCETEXTMATE FIN7\r\nfirsthotelgroup.com FIN7\r\nfirstprolvdrec.com FIN7\r\nfkij.net TEXTMATE FIN7\r\nflowerprosv.com FIN7\r\nfredbanan.com POWERSOURCE FIN7\r\nfuth.pw POWERSOURCETEXTMATE FIN7\r\ngcan.site TEXTMATE FIN7\r\nge-stion.com FIN7\r\ngjcu.pw POWERSOURCE FIN7\r\ngjuc.pw POWERSOURCE FIN7\r\nglavpojdfde.com BEACON.DNS FIN7\r\ngnoa.pw POWERSOURCETEXTMATE FIN7\r\ngnsn.us TEXTMATE FIN7\r\ngoldman-travel.com FIN7\r\ngoproders.com BEACON.DNS FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 25 of 37\n\ngprw.site TEXTMATE FIN7\r\ngrand-mars.ru FIN7\r\ngrij.us POWERSOURCETEXTMATE FIN7\r\ngsdg.site TEXTMATE FIN7\r\nguopksl.com BEACON.DNS FIN7\r\ngxhp.top POWERSOURCETEXTMATE FIN7\r\nhijrnataj.com FIN7\r\nhilertonv.com BEACON.DNS FIN7\r\nhilopser.com BEACON.DNS FIN7\r\nhippsjnv.com FIN7\r\nhldu.site POWERSOURCE FIN7\r\nhoplessinple.com FIN7\r\nhoplessinples.com FIN7\r\nhopsl3.com BEACON.DNS FIN7\r\nhvzr.info POWERSOURCETEXTMATE FIN7\r\nidjb.us POWERSOURCETEXTMATE FIN7\r\nihrs.pw POWERSOURCE FIN7\r\nimyo.site TEXTMATE FIN7\r\nitstravel-ekb.ru FIN7\r\nivcm.club TEXTMATE FIN7\r\njblz.net TEXTMATE FIN7\r\njersetl.com BEACON.DNS FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 26 of 37\n\njimw.club POWERSOURCETEXTMATE 
FIN7\r\njipdfonte.com FIN7\r\njiposlve.com BEACON.DNS FIN7\r\njjee.site POWERSOURCE FIN7\r\njohsimsoft.org FIN7\r\njomp.site POWERSOURCETEXTMATE FIN7\r\njosephevinchi.com FIN7\r\njust-easy-travel.com FIN7\r\njuste-travel.com HALFBAKED FIN7\r\njxhv.site POWERSOURCETEXTMATE FIN7\r\nkalavadar.com FIN7\r\nkashtanspb.ru FIN7\r\nkbep.pw TEXTMATE FIN7\r\nkiposerd.com BEACON.DNS FIN7\r\nkiprovol.com FIN7\r\nkiprovolswe.com FIN7\r\nkjke.pw POWERSOURCE FIN7\r\nkjko.pw POWERSOURCE FIN7\r\nkoldsdes.com FIN7\r\nkshv.site POWERSOURCETEXTMATE FIN7\r\nkuyarr.com FIN7\r\nkwoe.us POWERSOURCETEXTMATE FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 27 of 37\n\nldzp.pw POWERSOURCE FIN7\r\nlgdr.com POWERSOURCE FIN7\r\nlhlv.club POWERSOURCETEXTMATE FIN7\r\nlnoy.site POWERSOURCETEXTMATE FIN7\r\nluckystartwith.com FIN7\r\nlvrm.pw POWERSOURCETEXTMATE FIN7\r\nlvxf.pw POWERSOURCE FIN7\r\nmanchedevs.org FIN7\r\nmaofmdfd5.com FIN7\r\nmeli-travel.com HALFBAKED FIN7\r\nmelitravel.ru FIN7\r\nmewt.us POWERSOURCE FIN7\r\nmfka.pw POWERSOURCETEXTMATE FIN7\r\nmichigan-construction.com FIN7\r\nmjet.pw POWERSOURCE FIN7\r\nmjot.pw POWERSOURCE FIN7\r\nmjut.pw POWERSOURCE FIN7\r\nmkwl.pw TEXTMATE FIN7\r\nmolos-2.com BEACON.DNS FIN7\r\nmtgk.site POWERSOURCE FIN7\r\nmtxf.com TEXTMATE FIN7\r\nmuedandubai.com FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 28 of 37\n\nmuhh.us POWERSOURCE FIN7\r\nmut.pw POWERSOURCE FIN7\r\nmvze.pw POWERSOURCE FIN7\r\nmvzo.pw POWERSOURCE FIN7\r\nmxfg.pw POWERSOURCE FIN7\r\nmxtxt.net FIN7\r\nmyspoernv.com FIN7\r\nnavigators-travel.com FIN7\r\nneartsay.com FIN7\r\nnevaudio.com FIN7\r\nneverfaii.com FIN7\r\nnroq.pw POWERSOURCE FIN7\r\nns0.site POWERPIPE FIN7\r\nns0.space POWERPIPE FIN7\r\nns0.website POWERPIPE FIN7\r\nns1.press POWERPIPEPOWERSOURCE.V2 FIN7\r\nns1.website POWERPIPEPOWERSOURCE.V2 
FIN7\r\nns2.press POWERPIPEPOWERSOURCE.V2 FIN7\r\nns3.site POWERPIPEPOWERSOURCE.V2 FIN7\r\nns3.space POWERPIPEPOWERSOURCE.V2 FIN7\r\nns4.site POWERPIPEPOWERSOURCE.V2 FIN7\r\nns4.space POWERPIPEPOWERSOURCE.V2 FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 29 of 37\n\nns5.biz POWERPIPEPOWERSOURCE.V2 FIN7\r\nns5.online POWERPIPEPOWERSOURCE.V2 FIN7\r\nns5.pw MAL FIN7\r\nntlw.net POWERSOURCE FIN7\r\nnwrr.pw POWERSOURCE FIN7\r\nnxpu.site POWERSOURCETEXTMATE FIN7\r\noaax.site POWERSOURCETEXTMATE FIN7\r\nodwf.pw POWERSOURCE FIN7\r\nodyr.us POWERSOURCETEXTMATE FIN7\r\nokiq.pw POWERSOURCE FIN7\r\noknz.club POWERSOURCETEXTMATE FIN7\r\nolckwses.com FIN7\r\nolgw.my POWERSOURCE FIN7\r\noloqd.pw POWERSOURCE FIN7\r\noneliveforcopser.com FIN7\r\nonokder.com BEACON.DNS FIN7\r\nooep.pw POWERSOURCETEXTMATE FIN7\r\noof.pw POWERSOURCE FIN7\r\nooyh.us POWERSOURCETEXTMATE FIN7\r\norfn.com POWERSOURCE FIN7\r\notzd.pw POWERSOURCE FIN7\r\noxrp.info POWERSOURCETEXTMATE FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 30 of 37\n\noyaw.club POWERSOURCETEXTMATE FIN7\r\np3marketing.org FIN7\r\npafk.us POWERSOURCETEXTMATE FIN7\r\npalj.us POWERSOURCETEXTMATE FIN7\r\npark-travels.com FIN7\r\nparktravel-mx.ru FIN7\r\npartnersind.biz FIN7\r\npbbk.us POWERSOURCETEXTMATE FIN7\r\npbsk.site TEXTMATE FIN7\r\npdoklbr.com BEACON.DNS FIN7\r\npdokls3.com BEACON.DNS FIN7\r\npgnb.net POWERSOURCE FIN7\r\npinewood-financial.com FIN7\r\npjpi.com POWERSOURCE FIN7\r\nplusmarketingagency.com FIN7\r\nppdx.pw POWERSOURCETEXTMATE FIN7\r\nprideofhume.com FIN7\r\npronvowdecee.com FIN7\r\nproslr3.com BEACON.DNS FIN7\r\nprostelap3.com BEACON.DNS FIN7\r\nproverslokv4.com FIN7\r\nprovnkfexxw.com FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 31 of 
37\n\npvze.club POWERSOURCETEXTMATE FIN7\r\nqdtn.us TEXTMATE FIN7\r\nqefg.info POWERSOURCETEXTMATE FIN7\r\nqlpa.club POWERSOURCETEXTMATE FIN7\r\nqsez.club TEXTMATE FIN7\r\nqznm.pw POWERSOURCE FIN7\r\nrdnautomotiv.biz FIN7\r\nredtoursuk.org FIN7\r\nreld.info POWERSOURCETEXTMATE FIN7\r\nrescsovwe.com BEACON.DNS FIN7\r\nrevital-travel.com HALFBAKED FIN7\r\nrevitaltravel.com FIN7\r\nrmbs.club TEXTMATE FIN7\r\nrnkj.pw POWERSOURCE FIN7\r\nrtopsmve.com BEACON.DNS FIN7\r\nrzzc.pw POWERSOURCE FIN7\r\nsgvt.pw POWERSOURCE FIN7\r\nshield-checker.com FIN7\r\nsimpelkocsn.com FIN7\r\nsimplewovmde.com FIN7\r\nsoru.pw POWERSOURCE FIN7\r\nsprngwaterman.com FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 32 of 37\n\nstrideindastry.biz FIN7\r\nstrideindustrial.com FIN7\r\nstrideindustrialusa.com MAL FIN7\r\nstrikes-withlucky.com FIN7\r\nswio.pw POWERSOURCE FIN7\r\ntijm.pw POWERSOURCE FIN7\r\ntnt-media.net FIN7\r\ntrue-deals.com BEACON.DNS FIN7\r\ntrustbankinc.com FIN7\r\ntsrs.pw POWERSOURCE FIN7\r\nturp.pw POWERSOURCE FIN7\r\ntwfl.us POWERSOURCE FIN7\r\nueox.club POWERSOURCETEXTMATE FIN7\r\nufyb.club POWERSOURCETEXTMATE FIN7\r\nutca.site POWERSOURCETEXTMATE FIN7\r\nuwqs.club TEXTMATE FIN7\r\nvdfe.site POWERSOURCETEXTMATE FIN7\r\nviebsdsccscw.com FIN7\r\nviebvbiiwcw.com FIN7\r\nvikppsod.com BEACON.DNS FIN7\r\nvjro.club POWERSOURCETEXTMATE FIN7\r\nvkpo.us POWERSOURCETEXTMATE FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 33 of 37\n\nvoievnenibrinw.com FIN7\r\nvpua.pw POWERSOURCE FIN7\r\nvpuo.pw POWERSOURCE FIN7\r\nvqba.info POWERSOURCETEXTMATE FIN7\r\nvwcq.us POWERSOURCETEXTMATE FIN7\r\nvxqt.us POWERSOURCETEXTMATE FIN7\r\nvxwy.pw POWERSOURCE FIN7\r\nwein.net POWERSOURCE FIN7\r\nwfsv.us POWERSOURCETEXTMATE FIN7\r\nwhily.pw FIN7\r\nwider-machinery-usa.com FIN7\r\nwidermachinery.biz FIN7\r\nwidermachinery.com 
FIN7\r\nwnzg.us TEXTMATE FIN7\r\nwqiy.info POWERSOURCETEXTMATE FIN7\r\nwruj.club TEXTMATE FIN7\r\nwuc.pw POWERSOURCE FIN7\r\nwvzu.pw POWERSOURCETEXTMATE FIN7\r\nxhqd.pw POWERSOURCE FIN7\r\nxnlz.club TEXTMATE FIN7\r\nxnmy.com POWERSOURCE FIN7\r\nyamd.pw POWERSOURCE FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 34 of 37\n\nybnz.site TEXTMATE FIN7\r\nydvd.net TEXTMATE FIN7\r\nyedq.pw POWERSOURCE FIN7\r\nyodq.pw POWERSOURCE FIN7\r\nyomd.pw POWERSOURCE FIN7\r\nyqox.pw POWERSOURCE FIN7\r\nysxy.pw POWERSOURCETEXTMATE FIN7\r\nzcnt.pw POWERSOURCETEXTMATE FIN7\r\nzdqp.pw POWERSOURCE FIN7\r\nzjav.us POWERSOURCETEXTMATE FIN7\r\nzjvz.pw POWERSOURCE FIN7\r\nzmyo.club POWERSOURCETEXTMATE FIN7\r\nzody.pw POWERSOURCETEXTMATE FIN7\r\nzrst.com POWERSOURCE FIN7\r\nzugh.us POWERSOURCETEXTMATE FIN7\r\nclients14-google.com FIN7\r\nclients18-google.com FIN7\r\nclients19-google.com FIN7\r\nclients23-google.com FIN7\r\nclients31-google.com FIN7\r\nclients33-google.com BEACON.DNS FIN7\r\nclients39-google.com FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 35 of 37\n\nclients46-google.com FIN7\r\nclients47-google.com FIN7\r\nclients51-google.com FIN7\r\nclients52-google.com FIN7\r\nclients55-google.com FIN7\r\nclients56-google.com FIN7\r\nclients57-google.com FIN7\r\nclients58-google.com FIN7\r\nclients6-google.com HALFBAKED FIN7\r\nclients62-google.com FIN7\r\nclients7-google.com MAL FIN7\r\nfda-gov.com FIN7\r\ndropbox-security.com FIN7\r\ngoogle-sll1.com FIN7\r\ngoogle-ssls.com FIN7\r\ngoogle-stel.com FIN7\r\ngoogle3-ssl.com FIN7\r\ngoogle4-ssl.com FIN7\r\ngoogle5-ssl.com FIN7\r\nssl-googles4.com FIN7\r\nssl-googlesr5.com FIN7\r\nstats10-google.com CARBANAK FIN7\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 36 of 
37\n\nstats25-google.com BEACON.DNS FIN7\r\ntreasury-government.com FIN7\r\nusdepartmentofrevenue.com FIN7\r\nbols-googls.com FIN7\r\nmoopisndvdvr.com FIN7\r\ndewifal.com Suspect FIN7\r\nessentialetimes.com Suspect FIN7\r\nfisrdteditionps.com Suspect FIN7\r\nfisrteditionps.com Suspect FIN7\r\nmicro-earth.com Suspect FIN7\r\nmoneyma-r.com Suspect FIN7\r\nnewuniquesolutions.com Suspect FIN7\r\nwedogreatpurchases.com Suspect FIN7\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\r\nPage 37 of 37",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE",
		"MISPGALAXY"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
	],
	"report_names": [
		"fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434126,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60424b447beb8798de1d15675baeef3f36a589a2.pdf",
		"text": "https://archive.orkl.eu/60424b447beb8798de1d15675baeef3f36a589a2.txt",
		"img": "https://archive.orkl.eu/60424b447beb8798de1d15675baeef3f36a589a2.jpg"
	}
}
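Worked example, added by the editor and not part of the Mandiant post or of the ORKL record above: a small Python hunt helper that parses indicator rows in the appendix's own flattened layout (documents as "filename md5 attribution malware", IPs and FQDNs as "value [malware] attribution", with a trailing "*" marking a VPS that may also carry legitimate traffic) and then checks telemetry against them. The indicator rows embedded in the script are a subset copied from the appendix; the DNS queries, destination IPs and file-hash inventory are constructed sample data, and the `clients<N>-google.com` regex is an editor's heuristic that generalizes the many `clientsNN-google.com` entries the page lists, not something the post states. Findings are graded so that a shared-VPS or merely "Suspected" indicator does not get treated like a confirmed one.

```python
"""Hunt helper for the FIN7 indicator appendix (added example, not Mandiant's code).
Row layouts in the appendix: documents "<filename> <md5> <attribution> <malware>";
IPs and FQDNs "<value>[*] [<malware>] <attribution>", where "*" marks a shared VPS
and <attribution> is "FIN7", "Suspected FIN7" or "Suspect FIN7"."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Editor's heuristic, not from the page: the appendix lists clients6- through
# clients62-google.com, so unlisted siblings are flagged at low confidence.
CLIENTS_GOOGLE_RE = re.compile(r"^(?:.+\.)?clients\d+-google\.com$")

# A small subset of rows copied verbatim from the appendix above.
DOC_ROWS = ["order.rtf 80eed9f87a18b0093eb3f16fa495b6f7 FIN7 BELLHOP",
            "credit details.rtf aaf42acedc38565f4c33cfdbb09733b9 FIN7 HALFBAKED",
            "check.doc 762eef684e01831aa2f96031eff378bf Suspected FIN7 BATELEUR",
            "b14bc8cbc7f2d36179ebff96ade6d867 FIN7 CARBANAK"]
IP_ROWS = ["107.181.160.75* DRIFTPIN, HALFBAKED FIN7", "185.66.15.50 Suspected FIN7",
           "5.8.88.64 BIRDDOG FIN7"]
DOMAIN_ROWS = ["clients6-google.com HALFBAKED FIN7", "bigred-tours.com FIN7",
               "cdn-googleapi.com GRIFFON Suspect FIN7"]


@dataclass(frozen=True)
class Indicator:
    kind: str          # "md5" | "ip" | "domain"
    value: str
    malware: str       # "" when the row names no family
    attribution: str   # "FIN7" or "Suspected FIN7"
    shared_host: bool  # "*" rows: VPS that may also carry legitimate traffic
    name: str = ""     # lure filename for document rows (absent for some rows on the page)


def _split_attribution(tokens: List[str]) -> Tuple[str, str]:
    """Peel '[Suspected|Suspect] FIN7' off a token list; the rest names the malware."""
    i = tokens.index("FIN7")  # raises ValueError if a row carries no attribution
    suspected = i > 0 and tokens[i - 1] in ("Suspected", "Suspect")
    end = i - 1 if suspected else i
    malware = " ".join(t.rstrip(",") for t in tokens[:end] + tokens[i + 1:])
    return ("Suspected FIN7" if suspected else "FIN7"), malware


def parse_document_row(row: str) -> Indicator:
    tokens = row.split()
    md5_at = next(i for i, t in enumerate(tokens) if MD5_RE.match(t))
    attribution, malware = _split_attribution(tokens[md5_at + 1:])
    return Indicator("md5", tokens[md5_at], malware, attribution, False, " ".join(tokens[:md5_at]))


def parse_network_row(row: str, kind: str) -> Indicator:
    value, *rest = row.split()
    attribution, malware = _split_attribution(rest)
    return Indicator(kind, value.rstrip("*").lower(), malware, attribution, value.endswith("*"))


def load_indicators() -> List[Indicator]:
    return ([parse_document_row(r) for r in DOC_ROWS]
            + [parse_network_row(r, "ip") for r in IP_ROWS]
            + [parse_network_row(r, "domain") for r in DOMAIN_ROWS])


def _confidence(ind: Indicator) -> str:
    # A shared VPS or a merely suspected attribution needs corroboration before action.
    return "medium" if ind.shared_host or ind.attribution != "FIN7" else "high"


def _domain_hit(query: str, ind: Indicator) -> bool:
    q = query.lower().rstrip(".")
    return q == ind.value or q.endswith("." + ind.value)


def hunt(indicators: List[Indicator], dns_queries: List[str], dst_ips: List[str],
         file_md5s: Dict[str, str]) -> List[Dict[str, str]]:
    """Match telemetry against the indicators; one finding per (event, indicator) pair."""
    findings: List[Dict[str, str]] = []

    def add(source: str, observed: str, ind: Optional[Indicator], conf: str, label: str = "") -> None:
        findings.append({"source": source, "observed": observed,
                         "indicator": ind.value if ind else label,
                         "malware": ind.malware if ind else "",
                         "attribution": ind.attribution if ind else "heuristic",
                         "confidence": conf})

    domains = [i for i in indicators if i.kind == "domain"]
    ips = {i.value: i for i in indicators if i.kind == "ip"}
    md5s = {i.value: i for i in indicators if i.kind == "md5"}
    for q in dns_queries:  # exact or subdomain match first, then the lookalike heuristic
        hits = [i for i in domains if _domain_hit(q, i)]
        for ind in hits:
            add("dns", q, ind, _confidence(ind))
        if not hits and CLIENTS_GOOGLE_RE.match(q.lower().rstrip(".")):
            add("dns", q, None, "low", label="clients<N>-google.com pattern")
    for ip in dst_ips:
        if ip in ips:
            add("netflow", ip, ips[ip], _confidence(ips[ip]))
    for path, digest in file_md5s.items():  # hashes as exported by an EDR or file inventory
        ind = md5s.get(digest.lower())
        if ind:
            add("file", path, ind, _confidence(ind))
    return findings


# Constructed sample telemetry (not from the page).
SAMPLE_DNS = ["api.clients6-google.com", "clients41-google.com", "www.google.com", "CDN-GOOGLEAPI.COM"]
SAMPLE_DST_IPS = ["107.181.160.75", "8.8.8.8", "5.8.88.64"]
SAMPLE_FILE_MD5S = {"C:\\Users\\jdoe\\Downloads\\order.rtf": "80EED9F87A18B0093EB3F16FA495B6F7",
                    "C:\\Windows\\notepad.exe": "00000000000000000000000000000000"}

if __name__ == "__main__":
    for f in hunt(load_indicators(), SAMPLE_DNS, SAMPLE_DST_IPS, SAMPLE_FILE_MD5S):
        print(f"[{f['confidence']:<6}] {f['source']:<7} {f['observed']} -> {f['indicator']} "
              f"({f['malware'] or 'no family'}; {f['attribution']})")
```

To use it against real data, paste the full tables from the appendix into the three row lists (the parser tolerates missing filenames, comma-separated multi-family cells and both "Suspected" and "Suspect" spellings) and feed it DNS, flow and hash exports. Subdomain matching matters because the page lists bare domains while beaconing hosts query labels under them; the confidence field keeps the page's own caveats (shared VPS, suspected attribution) attached to each hit.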