{ "id": "c20eb222-26a1-4f32-9c76-fc9d2c1b4d4e", "created_at": "2026-04-06T00:16:22.445363Z", "updated_at": "2026-04-10T03:35:53.151011Z", "deleted_at": null, "sha1_hash": "9651b574652ab142d132063c82d850dbf997e570", "title": "FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 86150, "plain_text": "FBI: FIN7 hackers target US companies with BadUSB devices to\r\ninstall ransomware\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-17 · Archived: 2026-04-05 16:00:08 UTC\r\nThe US Federal Bureau of Investigation says that FIN7, an infamous cybercrime group that is behind the Darkside\r\nand BlackMatter ransomware operations, has sent malicious USB devices to US companies over the past few\r\nmonths in the hopes of infecting their systems with malware and carrying out future attacks.\r\n\"Since August 2021, the FBI has received reports of several packages containing these USB devices, sent to US\r\nbusinesses in the transportation, insurance, and defense industries,\" the Bureau said in a security alert sent\r\nyesterday to US organizations.\r\n\"The packages were sent using the United States Postal Service and United Parcel Service,\" the agency added.\r\n\"There are two variations of packages—those imitating HHS [US Department of Health and Human Services ] are\r\noften accompanied by letters referencing COVID-19 guidelines enclosed with a USB; and those imitating Amazon\r\narrived in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB.\"\r\nIn both cases, the packages contained LilyGO-branded USB devices.\r\nSome BadUSB attacks lead to ransomware\r\nBut the FBI says that if recipients plugged the USB thumb drives into their computers, the devices would execute\r\na BadUSB attack, where the USB drive would register itself as a keyboard instead and send a series of\r\npreconfigured automated keystrokes to the user's PC.\r\nThese keystrokes would run PowerShell commands that downloaded and installed various malware strains that\r\nacted as backdoors for the attackers into the victims' networks.\r\nIn cases investigated by the FBI, the agency said it has seen the group obtain administrative access and then move\r\nlaterally to other local systems.\r\n\"[The] FIN7 actors then used a variety of tools—including Metasploit, Cobalt Strike, PowerShell scripts,\r\nCarbanak, GRIFFON, DICELOADER, TIRION—and deployed ransomware, including BlackMatter and REvil,\r\non the compromised network,\" the agency added.\r\nUS defense company also targeted\r\nIn the most recent case of these attacks, the group also targeted a US defense industry company as recently as\r\nNovember 2021, using the Amazon thank-you letter trick detailed above.\r\nThis marks the second alert the FBI has sent about FIN7 mailing malicious USB devices to US companies.\r\nhttps://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/\r\nPage 1 of 3\n\nThe FBI sent the first one in March 2020, after security firm Trustwave found one of the malicious BadUSB\r\ndevices sent to one of its customers, a US hospitality provider.\r\nImages of the Amazon thank-you letter, the HHS COVID-19 alert, and of the LilyGO-branded BadUSB device are\r\nincluded in the FBI alert, which, we cannot reproduce here. US companies can register on the InfraGard portal to\r\ngain access to the alert and learn more about FIN7's latest BadUSB attacks.\r\nGet more insights with the\r\nRecorded Future\r\nIntelligence Cloud.\r\nLearn more.\r\nNo previous article\r\nNo new articles\r\nhttps://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/\r\nPage 2 of 3\n\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/\r\nhttps://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "MITRE" ], "references": [ "https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/" ], "report_names": [ "fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware" ], "threat_actors": [ { "id": "c9617bb6-45c8-495e-9759-2177e61a8e91", "created_at": "2022-10-25T15:50:23.405039Z", "updated_at": "2026-04-10T02:00:05.387643Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Carbanak", "Anunak" ], "source_name": "MITRE:Carbanak", "tools": [ "Carbanak", "Mimikatz", "PsExec", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434582, "ts_updated_at": 1775792153, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9651b574652ab142d132063c82d850dbf997e570.pdf", "text": "https://archive.orkl.eu/9651b574652ab142d132063c82d850dbf997e570.txt", "img": "https://archive.orkl.eu/9651b574652ab142d132063c82d850dbf997e570.jpg" } }