{
	"id": "e7845264-71fa-4570-919c-129776736085",
	"created_at": "2026-04-06T00:11:15.138874Z",
	"updated_at": "2026-04-10T03:35:52.823914Z",
	"deleted_at": null,
	"sha1_hash": "7d2c6d368515836e0ae599d39a56b937836c3c9d",
	"title": "FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings « FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 115469,
	"plain_text": "FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings\r\nBy Steve Miller, Jordan Nuce, Barry Vengerik | Advanced Malware\r\nPublished: 2017-03-07 · Archived: 2026-04-05 18:26:16 UTC\r\nIn late February 2017, FireEye as a Service (FaaS) identified a spear phishing campaign that appeared to be targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. Based on multiple identified overlaps in infrastructure and the use of similar tools, tactics, and procedures (TTPs), we have high confidence that this campaign is associated with the financially motivated threat group tracked by FireEye as FIN7.\r\nFIN7 is a financially motivated intrusion set that selectively targets victims and uses spear phishing to distribute its malware. We have observed FIN7 attempt to compromise diverse organizations for malicious operations – usually involving the deployment of point-of-sale malware – primarily against the retail and hospitality industries.\r\nSpear Phishing Campaign\r\nAll of the observed intended recipients of the spear phishing campaign appeared to be involved with SEC filings for their respective organizations. Many of the recipients were even listed in their company’s SEC filings. The sender email address was spoofed as EDGAR \u003cfilings@sec.gov\u003e and the attachment was named “Important_Changes_to_Form10_K.doc” (MD5: d04b6410dddee19adec75f597c52e386). An example email is shown in Figure 1.\r\nhttps://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html\r\nPage 1 of 3\r\nFigure 1: Example of a phishing email sent during this campaign\r\nWe have observed the following TTPs with this campaign:\r\nThe malicious documents drop a VBS script that installs a PowerShell backdoor, which uses DNS TXT records for its command and control. This backdoor appears to be a new malware family that FireEye iSIGHT Intelligence has dubbed POWERSOURCE. POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams. Using DNS TXT records to communicate is not an entirely new finding, but it should be noted that this has been a rising trend since 2013, likely because it makes detection and hunting for command and control traffic difficult.\r\nWe also observed POWERSOURCE being used to download a second-stage PowerShell backdoor called TEXTMATE in an effort to further infect the victim machine. The TEXTMATE backdoor provides a reverse shell to attackers and uses DNS TXT queries to tunnel interactive commands and other data. TEXTMATE is “memory resident” – often described as “fileless” malware. This is not a novel technique by any means, but it’s worth noting since it presents detection challenges and further speaks to the threat actor’s ability to remain stealthy and nimble in operations.\r\nIn some cases, we identified a Cobalt Strike Beacon payload being delivered via POWERSOURCE. This particular Cobalt Strike stager payload was previously used in operations linked to FIN7.\r\nWe observed that the same domain hosting the Cobalt Strike Beacon payload was also hosting a CARBANAK backdoor sample compiled in February 2017. CARBANAK malware has been used heavily by FIN7 in previous operations.\r\nVictims\r\nThus far, we have directly identified 11 targeted organizations in the following sectors:\r\nFinancial services, with different victims having insurance, investment, card services, and loan focuses\r\nTransportation\r\nRetail\r\nEducation\r\nIT services\r\nElectronics\r\nAll these organizations are based in the United States, and many have international presences. As the SEC is a U.S. regulatory organization, we would expect recipients of these spear phishing attempts to either work for U.S.-based organizations or be U.S.-based representatives of organizations located elsewhere. However, it is possible that the attackers could perform similar activity mimicking other regulatory organizations in other countries.\r\nImplications\r\nWe have not yet identified FIN7’s ultimate goal in this campaign, as we have either blocked the delivery of the malicious emails or our FaaS team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft. However, we surmise FIN7 can profit from compromised organizations in several ways. If the attackers are attempting to compromise persons involved in SEC filings due to their information access, they may ultimately be pursuing securities fraud or other investment abuse. Alternatively, if they are tailoring their social engineering to these individuals, but have other goals once they have established a foothold, they may intend to pursue one of many other fraud types.\r\nPrevious FIN7 operations deployed multiple point-of-sale malware families for the purpose of collecting and exfiltrating sensitive financial data. The use of the CARBANAK malware in FIN7 operations also provides limited evidence that these campaigns are linked to previously observed CARBANAK operations leading to fraudulent banking transactions, ATM compromise, and other monetization schemes.\r\nCommunity Protection Event\r\nFireEye implemented a Community Protection Event – FaaS, Mandiant, Intelligence, and Products – to secure all clients affected by this campaign. In this instance, an incident detected by FaaS led to the deployment of additional detections by the FireEye Labs team after FireEye Labs Advanced Reverse Engineering quickly analyzed the malware. Detections were then quickly deployed to the suite of FireEye products.\r\nThe FireEye iSIGHT Intelligence MySIGHT Portal contains additional information based on our investigations of a variety of topics discussed in this post, including FIN7 and the POWERSOURCE and TEXTMATE malware.\r\nSource: https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html"
	],
	"report_names": [
		"fin7_spear_phishing.html"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434275,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d2c6d368515836e0ae599d39a56b937836c3c9d.pdf",
		"text": "https://archive.orkl.eu/7d2c6d368515836e0ae599d39a56b937836c3c9d.txt",
		"img": "https://archive.orkl.eu/7d2c6d368515836e0ae599d39a56b937836c3c9d.jpg"
	}
}