{
	"id": "ef515c22-8b8f-44c4-819f-a61577f0a025",
	"created_at": "2026-04-06T00:11:02.437531Z",
	"updated_at": "2026-04-10T03:33:53.548668Z",
	"deleted_at": null,
	"sha1_hash": "8bbc96d189536403e988201b1217cc81a252fefb",
	"title": "FIN6, Skeleton Spider - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71552,
	"plain_text": "FIN6, Skeleton Spider - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 19:12:10 UTC\r\nAPT group: FIN6, Skeleton Spider\r\nNames\r\nFIN6 (FireEye)\r\nSkeleton Spider (CrowdStrike)\r\nGold Franklin (Secureworks)\r\nWhite Giant (PWC)\r\nITG08 (IBM)\r\nATK 88 (Thales)\r\nTAG-CR2 (Recorded Future)\r\nTAAL (Microsoft)\r\nStorm-0538 (Microsoft)\r\nCamouflage Tempest (Microsoft)\r\nG0037 (MITRE)\r\nCountry [Unknown]\r\nMotivation Financial crime, Financial gain\r\nFirst seen 2015\r\nDescription\r\nFIN6 is a cybercrime group that has stolen payment card data and sold it for profit\r\non underground marketplaces. This group has aggressively targeted and\r\ncompromised point of sale (PoS) systems in the hospitality and retail sectors.\r\n(FireEye) FIN6 is a cybercriminal group intent on stealing payment card data for\r\nmonetization. In 2015, FireEye Threat Intelligence supported several Mandiant\r\nConsulting investigations in the hospitality and retail sectors where FIN6 actors had\r\naggressively targeted and compromised point-of-sale (POS) systems, making off\r\nwith millions of payment card numbers. 
Through iSIGHT, we learned that the\r\npayment card numbers stolen by FIN6 were sold on a “card shop” — an\r\nunderground criminal marketplace used to sell or exchange payment card data.\r\nObserved Sectors: Chemical, Energy, Hospitality, Manufacturing, Retail.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=61c8ecd4-e4e1-4f36-b209-ca55106ec22f\n\nTools used\nAbaddonPOS, Anchor, BlackPOS, CmdSQL, Cobalt Strike, FlawedAmmyy,\nGrateful POS, JSPSPY, LockerGoga, Magecart, Meterpreter, Mimikatz, More_eggs,\nRyuk, SCRAPMINT, TerraStealer, Vawtrak, Windows Credentials Editor, Living off\nthe Land.\nOperations performed\n2018\nBased on Visa Payment Fraud Disruption’s (PFD) analysis of\neCommerce compromises throughout 2018, FIN6’s focus on the CNP\nenvironment has only amplified, suggesting that the cybercrime group\nhas fully incorporated targeting CNP environments into their criminal\nmethodology.\nJan 2019\nOver the past 8-10 weeks, Morphisec has been tracking multiple\nsophisticated attacks targeting Point of Sale thin clients globally. More\nspecifically, on the 6th of February we identified an extremely high\nnumber of prevention events stopping Cobalt Strike backdoor\nexecution, with some of the attacks expressly targeting Point of Sale\nVMWare Horizon thin clients.\nJan 2019\nHackers have infected the systems of Altran Technologies with\nmalware that spread through the company network, affecting\noperations in some European countries. 
To protect client data and their\nown assets, Altran decided to shut down its network and applications.\nMar 2019\nOne of the largest aluminum producers in the world, Norsk Hydro, has\nbeen forced to switch to partial manual operations due to a cyber attack\nthat is allegedly pushing LockerGoga ransomware.\nApr 2019\nThe Securonix Threat Research Team has been closely monitoring the\nLockerGoga targeted cyber sabotage/ransomware (TC/R) attacks\nimpacting Norsk Hydro (one of the largest aluminum companies\nworldwide), Hexion/Momentive (a chemical manufacturer), and other\ncompanies’ IT and operational technology (OT) infrastructure, causing\nover US$40 million in damages.\nAug 2019\nBased on our investigation and analysis of its adversarial tactics,\ntechniques and procedures (TTPs), we believe ITG08 is actively\nattacking multinational organizations, targeting specific employees\nwith spear phishing emails advertising fake job advertisements and\nrepeatedly deploying the More_eggs Jscript backdoor malware.\nSep 2019\nHackers have breached the infrastructure of Volusion, a provider of\ncloud-hosted online stores, and are delivering malicious code that\nrecords and steals payment card details entered by users in online\nforms.\nMar 2020\nIn a new and dangerous twist to this trend, IBM X-Force Incident\nResponse and Intelligence Services (IRIS) research believes that the\nelite cybercriminal threat actor ITG08, also known as FIN6, has\npartnered with the malware gang behind one of the most active Trojans\n— TrickBot — to use TrickBot’s new malware framework dubbed\n“Anchor” against organizations for financial profit.\nCounter operations Oct 2021\nEuropol detains suspects behind LockerGoga, MegaCortex, and\nDharma ransomware attacks\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: 
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=61c8ecd4-e4e1-4f36-b209-ca55106ec22f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=61c8ecd4-e4e1-4f36-b209-ca55106ec22f"
	],
	"report_names": [
		"showcard.cgi?u=61c8ecd4-e4e1-4f36-b209-ca55106ec22f"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6",
				"ITG08",
				"MageCart Group 6",
				"Skeleton Spider",
				"Storm-0538",
				"White Giant"
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434262,
	"ts_updated_at": 1775792033,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8bbc96d189536403e988201b1217cc81a252fefb.pdf",
		"text": "https://archive.orkl.eu/8bbc96d189536403e988201b1217cc81a252fefb.txt",
		"img": "https://archive.orkl.eu/8bbc96d189536403e988201b1217cc81a252fefb.jpg"
	}
}