{ "id": "3ccebc13-4ee7-46df-b0b2-61d695158644", "created_at": "2026-04-06T00:13:03.618341Z", "updated_at": "2026-04-10T13:13:10.13148Z", "deleted_at": null, "sha1_hash": "7f9448774c5b50a9873a964dc968fe0e8b2c75b9", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 58998, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:34:40 UTC\r\n APT group: FIN8\r\nNames\r\nFIN8 (FireEye)\r\nATK 113 (Thales)\r\nSyssphinx (Symantec)\r\nStorm-0288 (Microsoft)\r\nG0061 (MITRE)\r\nCountry [Unknown]\r\nMotivation Financial crime\r\nFirst seen 2016\r\nDescription\r\n(FireEye) We attribute the use of this EoP to a financially motivated threat actor. In\r\nthe past year, not only have we observed this group using similar infrastructure and\r\ntactics, techniques, and procedures (TTPs), but they are also the only group we have\r\nobserved to date who uses the downloader PUNCHBUGGY and POS malware\r\nPUNCHTRACK. Designed to scrape both Track 1 and Track 2 payment card data,\r\nPUNCHTRACK is loaded and executed by a highly obfuscated launcher and is\r\nnever saved to disk.\r\nThis actor has conducted operations on a large scale and at a rapid pace, displaying a\r\nlevel of operational awareness and ability to adapt their operations on the fly. These\r\nabilities, combined with targeted usage of an EoP exploit and the reconnaissance\r\nrequired to individually tailor phishing emails to victims, potentially speaks to the\r\nthreat actors’ operational maturity and sophistication.\r\nFireEye identified more than 100 organizations in North America that fell victim to\r\nthis campaign.\r\nObserved\r\nSectors: Entertainment, Financial, Food and Agriculture, Healthcare, Hospitality,\r\nRetail.\r\nCountries: Canada, Italy, Panama, South Africa, USA.\r\nTools used BadHatch, BlackCat, PoSlurp, PunchBuggy, RagnarLocker, Sardonic.\r\nOperations performed Mar 2016 Tailored spear-phishing campaigns\r\nIn March 2016, a financially motivated threat actor launched several\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=92691488-ff3b-4ff0-92f1-1c732bce88d2\r\nPage 1 of 3\n\ntailored spear phishing campaigns primarily targeting the retail,\nrestaurant, and hospitality industries. The emails contained variations\nof Microsoft Word documents with embedded macros that, when\nenabled, downloaded and executed a malicious downloader that we\nrefer to as PUNCHBUGGY.\n2017\nIn early 2017, FIN8 began using environment variables paired with\nPowerShell’s ability to receive commands via stdin (standard input) to\nevade detection based on process command line arguments. In the\nFebruary 2017 phishing document “COMPLAINT Homer Glynn.doc”\nMar 2019\nDuring the period of March to May 2019, Morphisec Labs observed a\nnew, highly sophisticated variant of the ShellTea / PunchBuggy\nbackdoor malware that attempted to infiltrate a number of machines\nwithin the network of a customer in the hotel-entertainment industry. It\nis believed that the malware was deployed as a result of several\nphishing attempts.\nJul 2019\nThis blog will introduce a new reverse shell from FIN8, dubbed\nBADHATCH and compare publicly reported versions of ShellTea and\nPoSlurp to variants observed by Gigamon Applied Threat Research\n(ATR).\nMar 2021\nFin8 Group is Back in Business with Improved BADHATCH Kit\nJul 2021\nFIN8 Threat Actor Spotted Once Again with New 'Sardonic' Backdoor\nDec 2022\nFIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus\nRansomware\nMITRE ATT\u0026CK https://apt.etda.or.th/cgi-bin/showcard.cgi?u=92691488-ff3b-4ff0-92f1-1c732bce88d2\nPage 2 of 3\n\nLast change to this card: 16 August 2025\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=92691488-ff3b-4ff0-92f1-1c732bce88d2\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=92691488-ff3b-4ff0-92f1-1c732bce88d2\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=92691488-ff3b-4ff0-92f1-1c732bce88d2" ], "report_names": [ "showcard.cgi?u=92691488-ff3b-4ff0-92f1-1c732bce88d2" ], "threat_actors": [ { "id": "3150bf4f-288a-44b8-ab48-0ced9b052a0c", "created_at": "2025-08-07T02:03:24.910023Z", "updated_at": "2026-04-10T02:00:03.713077Z", "deleted_at": null, "main_name": "GOLD HUXLEY", "aliases": [ "CTG-6969 ", "FIN8 " ], "source_name": "Secureworks:GOLD HUXLEY", "tools": [ "Gozi ISFB", "Powersniff" ], "source_id": "Secureworks", "reports": null }, { "id": "5bdde906-0416-42ee-9100-5ebd95dda77a", "created_at": "2023-01-06T13:46:38.601977Z", "updated_at": "2026-04-10T02:00:03.035842Z", "deleted_at": null, "main_name": "FIN8", "aliases": [ "ATK113", "G0061" ], "source_name": "MISPGALAXY:FIN8", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "72d09c17-e33e-4c2f-95db-f204848cc797", "created_at": "2022-10-25T15:50:23.832551Z", "updated_at": "2026-04-10T02:00:05.336787Z", "deleted_at": null, "main_name": "FIN8", "aliases": [ "FIN8", "Syssphinx" ], "source_name": "MITRE:FIN8", "tools": [ "BADHATCH", "PUNCHBUGGY", "Ragnar Locker", "PUNCHTRACK", "dsquery", "Nltest", "Sardonic", "PsExec", "Impacket" ], "source_id": "MITRE", "reports": null }, { "id": "fc80a724-e567-457c-82bb-70147435e129", "created_at": "2022-10-25T16:07:23.624289Z", "updated_at": "2026-04-10T02:00:04.691643Z", "deleted_at": null, "main_name": "FIN8", "aliases": [ "ATK 113", "G0061", "Storm-0288", "Syssphinx" ], "source_name": "ETDA:FIN8", "tools": [ "ALPHV", "ALPHVM", "BadHatch", "BlackCat", "Noberus", "PSVC", "PUNCHTRACK", "PoSlurp", "Powersniff", "PunchBuggy", "Ragnar Loader", "Ragnar Locker", "RagnarLocker", "Sardonic", "ShellTea" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434383, "ts_updated_at": 1775826790, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7f9448774c5b50a9873a964dc968fe0e8b2c75b9.pdf", "text": "https://archive.orkl.eu/7f9448774c5b50a9873a964dc968fe0e8b2c75b9.txt", "img": "https://archive.orkl.eu/7f9448774c5b50a9873a964dc968fe0e8b2c75b9.jpg" } }