{
	"id": "eb0a8392-a3d6-4e85-a3a7-1cc719f1c647",
	"created_at": "2026-04-06T00:14:16.45751Z",
	"updated_at": "2026-04-10T03:30:56.220571Z",
	"deleted_at": null,
	"sha1_hash": "897859e26d8d826c960079ec86527a483bd77bda",
	"title": "FinFisher RAT (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72199,
	"plain_text": "FinFisher RAT (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 21:06:28 UTC\r\nFinFisher (also marketed as FinSpy) is commercial surveillance software used to steal information from and spy on its targets. Early versions offered only a few functions, such as password harvesting and information theft, but the family is now known chiefly for its full Remote Access Trojan (RAT) capabilities. It is sold for targeted use in governmental and lawful criminal investigations, and it is well known for its anti-detection measures, including a custom virtual-machine-based obfuscator (the FinSpy VM analysed in several of the references below) and the use of VMProtect.\r\nReferences:\r\n2022-03-28 ⋅ Netzpolitik.org ⋅ Andre Meister\r\nStaatstrojaner-Hersteller FinFisher „ist geschlossen und bleibt es auch“ (State-trojan maker FinFisher “is shut down and will stay shut down”)\r\nTags: FinFisher RAT\r\n2021-11-15 ⋅ binarly ⋅ Binarly Team\r\nDesign issues of modern EDRs: bypassing ETW-based solutions\r\nTags: ESPecter, FinFisher RAT\r\n2021-09-28 ⋅ Kaspersky Labs ⋅ GReAT\r\nFinSpy: unseen findings\r\nTags: FinFisher, FinFisher, FinFisher, FinFisher RAT\r\n2021-03-21 ⋅ Blackberry ⋅ Blackberry Research\r\n2021 Threat Report\r\nTags: Bashlite, FritzFrog, IPStorm, Mirai, Tsunami, elf.wellmess, AppleJeus, Dacls, EvilQuest, Manuscrypt, Astaroth, BazarBackdoor, Cerber, Cobalt Strike, Emotet, FinFisher RAT, Kwampirs, MimiKatz, NjRAT, Ryuk, SmokeLoader, TrickBot\r\n2020-10-14 ⋅ Netzpolitik.org ⋅ Andre Meister\r\nGerman Made State Malware Company FinFisher Raided\r\nTags: FinFisher, FinFisher, FinFisher, FinFisher RAT\r\n2020-09-25 ⋅ Amnesty International ⋅ Amnesty International\r\nGerman-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed\r\nTags: FinFisher, FinFisher, FinFisher, FinFisher RAT\r\n2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT\r\nAPT trends report Q2 2019\r\nTags: ZooPark, magecart, POWERSTATS, Chaperone, COMpfun, EternalPetya, FinFisher RAT, HawkEye Keylogger, HOPLIGHT, Microcin, NjRAT, Olympic Destroyer, PLEAD, RokRAT, Triton, Zebrocy\r\n2018-03-01 ⋅ Microsoft ⋅ Microsoft Defender ATP Research Team, Office 365 Threat Research Team\r\nFinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines\r\nTags: FinFisher RAT\r\n2018-02-21 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles\r\nFinSpy VM Unpacking Tutorial Part 3: Devirtualization. Phase #3: Fixing The Function-Related Issues\r\nTags: FinFisher RAT\r\n2018-02-21 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles\r\nFinSpy VM Unpacking Tutorial Part 3: Devirtualization. Phase #2: First Attempt At Devirtualization\r\nTags: FinFisher RAT\r\n2018-02-21 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles\r\nFinSpy VM Unpacking Tutorial Part 3: Devirtualization. Phase #1: Deobfuscating FinSpy VM Bytecode Programs\r\nTags: FinFisher RAT\r\n2018-02-21 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles\r\nFinSpy VM Unpacking Tutorial Part 3: Devirtualization. Phase #4: Second Attempt At Devirtualization\r\nTags: FinFisher RAT\r\n2018-02-21 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles\r\nFinSpy VM Unpacking Tutorial Part 3: Devirtualization\r\nTags: FinFisher RAT\r\n2018-02-21 ⋅ GitHub (RolfRolles) ⋅ Rolf Rolles\r\nFinSpyVM (Static Unpacker for FinSpyVM)\r\nTags: FinFisher RAT\r\n2018-01-24 ⋅ ESET Research ⋅ Filip Kafka\r\nESET’S GUIDE TO DEOBFUSCATING AND DEVIRTUALIZING FINFISHER\r\nTags: FinFisher RAT\r\n2018-01-23 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles\r\nA Walk-Through Tutorial, with Code, on Statically Unpacking the FinSpy VM: Part One, x86 Deobfuscation\r\nTags: FinFisher RAT\r\n2017-10-16 ⋅ Kaspersky Labs ⋅ GReAT\r\nBlackOasis APT and new targeted attacks leveraging zero-day exploit\r\nTags: FinFisher RAT, BlackOasis\r\n2017-09-21 ⋅ ESET Research ⋅ Filip Kafka\r\nNew FinFisher surveillance campaigns: Internet providers involved?\r\nTags: FinFisher RAT\r\n2017-09-12 ⋅ FireEye ⋅ Ben Read, Genwei Jiang, James T. Bennett\r\nFireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY\r\nTags: FinFisher RAT, BlackOasis\r\n2017-07-18 ⋅ Elastic ⋅ Ashkan Hosseini\r\nTen process injection techniques: A technical survey of common and trending process injection techniques\r\nTags: Cryakl, CyberGate, Dridex, FinFisher RAT, Locky\r\n2017-01-13 ⋅ Artem Baranov\r\nFinfisher rootkit analysis\r\nTags: FinFisher RAT\r\n2014-10-02 ⋅ CodeAndSec ⋅ CodeAndSec\r\nFinFisher Malware Analysis - Part 2\r\nTags: FinFisher RAT\r\nYara Rules:\r\n[TLP:WHITE] win_finfisher_auto (20251219 | Detects win.finfisher.)\r\n[TLP:WHITE] win_finfisher_w0 (20170517 | FinFisher FinSpy)\r\n[TLP:WHITE] win_finfisher_w1 (20170517 | FinFisher FinSpy)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher"
	],
	"report_names": [
		"win.finfisher"
	],
	"threat_actors": [
		{
			"id": "10ad5c1d-5030-4300-be4e-6d24b40a6330",
			"created_at": "2022-10-25T16:07:23.400966Z",
			"updated_at": "2026-04-10T02:00:04.581114Z",
			"deleted_at": null,
			"main_name": "BlackOasis",
			"aliases": [
				"G0063"
			],
			"source_name": "ETDA:BlackOasis",
			"tools": [
				"FinFisher",
				"FinFisher RAT",
				"FinSpy",
				"Wingbird"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5200f27d-0d0a-49e9-a9de-9612971126c2",
			"created_at": "2023-01-06T13:46:38.959648Z",
			"updated_at": "2026-04-10T02:00:03.163547Z",
			"deleted_at": null,
			"main_name": "BlackOasis",
			"aliases": [
				"G0063"
			],
			"source_name": "MISPGALAXY:BlackOasis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c97cf0c1-7f0d-4e35-9bb9-bceaad178c3d",
			"created_at": "2023-01-06T13:46:38.760807Z",
			"updated_at": "2026-04-10T02:00:03.091254Z",
			"deleted_at": null,
			"main_name": "ZooPark",
			"aliases": [],
			"source_name": "MISPGALAXY:ZooPark",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1ba9c064-34d2-48b5-a08c-04d241b00ebe",
			"created_at": "2022-10-25T15:50:23.734241Z",
			"updated_at": "2026-04-10T02:00:05.404606Z",
			"deleted_at": null,
			"main_name": "BlackOasis",
			"aliases": [
				"BlackOasis"
			],
			"source_name": "MITRE:BlackOasis",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "93edf98a-03c1-48b3-a94c-e1bddc24f0e6",
			"created_at": "2022-10-25T16:07:24.435275Z",
			"updated_at": "2026-04-10T02:00:04.988022Z",
			"deleted_at": null,
			"main_name": "ZooPark",
			"aliases": [
				"APT-C-38",
				"Cobalt Juno",
				"Saber Lion",
				"TG-2884"
			],
			"source_name": "ETDA:ZooPark",
			"tools": [
				"ZooPark"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434456,
	"ts_updated_at": 1775791856,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/897859e26d8d826c960079ec86527a483bd77bda.pdf",
		"text": "https://archive.orkl.eu/897859e26d8d826c960079ec86527a483bd77bda.txt",
		"img": "https://archive.orkl.eu/897859e26d8d826c960079ec86527a483bd77bda.jpg"
	}
}