{
	"id": "b68be7db-5dcc-426b-9f5d-538c86e78108",
	"created_at": "2026-04-06T00:22:12.994836Z",
	"updated_at": "2026-04-10T03:35:53.020048Z",
	"deleted_at": null,
	"sha1_hash": "9e16dd26cc89fa9f4c871cdc60ba552b01e86db8",
	"title": "FIN7.5: the infamous cybercrime rig “FIN7” continues its activities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 438202,
	"plain_text": "FIN7.5: the infamous cybercrime rig “FIN7” continues its activities\r\nBy Yury Namestnikov\r\nPublished: 2019-05-08 · Archived: 2026-04-05 16:29:01 UTC\r\nOn August 1, 2018, the US Department of Justice announced that it had arrested several individuals suspected of\r\nhaving ties to the FIN7 cybercrime rig. FIN7 operations are linked to numerous intrusion attempts having targeted\r\nhundreds of companies since at least as early as 2015. Interestingly, this threat actor created fake companies in\r\norder to hire remote pentesters, developers and interpreters to participate in their malicious business. The main\r\ngoal behind its malicious activities was to steal financial assets from companies, such as debit cards, or get access\r\nto financial data or computers of finance department employees in order to conduct wire transfers to offshore\r\naccounts.\r\nIn 2018-2019, researchers of Kaspersky Lab’s Global Research and Analysis Team analyzed various campaigns\r\nthat used the same Tactics Tools and Procedures (TTPs) as the historic FIN7, leading the researchers to believe\r\nthat this threat actor had remained active despite the 2018 arrests. In addition, during the investigation, we\r\ndiscovered certain similarities to other attacker groups that seemed to share or copy the FIN7 TTPs in their own\r\noperations.\r\nRecent FIN7 campaigns\r\nThe FIN7 intrusion set continued its tailored spear phishing campaigns throughout last year. Kaspersky Lab has\r\nbeen able to retrieve some of these exchanges from a FIN7 target. The spear phishing campaigns were remarkably\r\nsophisticated from a social engineering perspective. In various cases, the operators exchanged numerous messages\r\nwith their victims for weeks before sending their malicious documents. The emails were efficient social-engineering attempts that appealed to a vast number of human emotions (fear, stress, anger, etc.) to elicit a\r\nresponse from their victims. 
One of the domains used by the attackers in their 2018 campaign of spear phishing\r\ncontained more than 130 email aliases, leading us to think that more than 130 companies had been targeted by the\r\nend of 2018.\r\nMalicious Documents\r\nWe have seen two types of documents sent to victims in these spear phishing campaigns. The first one exploits the\r\nINCLUDEPICTURE feature of Microsoft Word to get context information about the victim’s computer, and the\r\navailability and version number of Microsoft Word. The second one, which in many cases is an Office document\r\nprotected with a trivial password, such as “12345”, “1234”, etc., uses macros to execute a GRIFFON implant on\r\nthe target’s computer. In various cases, the associated macro also scheduled tasks to make GRIFFON persistent.\r\nInterestingly, following some open-source publications about them, the FIN7 operators seem to have developed a\r\nhomemade builder of malicious Office documents using ideas from ThreadKit, which they employed during the\r\nsummer of 2018. The new builder inserts random values in the Author and Company metadata fields. 
Moreover,\r\nthe builder allows them to modify different IOCs, such as the filenames of wscript.exe or sctasks.exe copies, etc.\r\nhttps://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/\r\nPage 1 of 10\n\nwscript.exe copy | sctasks copy | Task name | C2\r\nbyzNne10.exe | byzNne17.exe | TaskbyzNne | logitech-cdn.com\r\nc9FGG10.exe | c9FGG17.exe | Taskc9FGG | logitech-cdn.com\r\nzEsb10.exe | zEsb17.exe | TaskzEsb | servicebing-cdn.com\r\nIOCs extracted from docs which use sctasks for GRIFFON persistence\r\nAuthor | Company | wscript.exe copy | C2\r\nmogjxjtvte | mogjxjtvte | mswmex44.exe | logitech-cdn[.]com\r\nsoxvremvge | soxvremvge | c9FGG10.exe | logitech-cdn[.]com\r\ngareljtjhvd | gareljtjhvd | zEsb10.exe | servicebing-cdn[.]com\r\nIOCs extracted from regular documents associated with GRIFFON\r\nGRIFFON Implant\r\nGriffon Malware attack pattern\r\nThe GRIFFON implant is a lightweight JScript validator-style implant without any persistence mechanism. The\r\nmalware is designed for receiving modules to be executed in-memory and sending the results to C2s. We were\r\nable to obtain four different modules during the investigation.\r\nReconnaissance module\r\nThe first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering\r\nJScript, which allows the cybercriminals to understand the context of the infected workstation. 
This module\r\nmainly relies on WMI and Windows objects to deliver results, which will be sent back to the operators.\r\nInterestingly, more than 20 artifacts are retrieved from the system by this implant during the reconnaissance stage,\r\nfrom the date and time of operating system installation and membership in a Windows domain to a list of the\r\nworkstation’s monitors and their resolutions.\r\nMeterpreter downloader\r\nThe second module is used by the operators to execute an obfuscated PowerShell script, which contains a\r\nMeterpreter downloader widely known as “Tinymet”. This downloader, seen in past FIN7 campaigns, downloads a\r\none-byte XOR-encrypted (e.g. with the key equal to 0x50 or 0x51) piece of Meterpreter shellcode to execute.\r\nScreenshot module\r\nThe third module allows the operators to take a screenshot of the remote system. To do that, it also drops a\r\nPowerShell script on the workstation to execute. The script executes an open-source .NET class used for taking a\r\nscreenshot. The resulting screenshot is saved at “%TMP%/image.png”, sent back to the attackers by the\r\nGRIFFON implant and then deleted.\r\nPersistence module\r\nThe last retrieved module is a persistence module. If the victim appears valuable to the attackers, a GRIFFON\r\nimplant installer is pushed to the victim’s workstation. This module stores another instance of the GRIFFON\r\nimplant inside the registry to achieve persistence. Here is a PowerLinks-style method used by the attackers to\r\nachieve persistence and execute the GRIFFON implant at each user logon. The new GRIFFON implant is written\r\nto the hard drive before each execution, limiting the “file-less” aspect of this method.\r\nThrough its lightweight and modular architecture, the GRIFFON implant is the perfect validator. 
Even though we\r\nhave been able to retrieve four different modules, it is possible that the FIN7 operators have more modules in their\r\ntoolsets for achieving their objectives on the victim’s workstation.\r\nOn the hunt for GRIFFON infrastructure\r\nAttackers make mistakes, and FIN7 is no exception. The major error made by its operators allowed us to follow\r\nthe command and control server of the GRIFFON implant last year. In order to trick blue teams and other DFIR\r\nanalysts, the operators created fake HTTP 302 redirections to various Google services on their C2 servers.\r\nHTTP/1.1 302 Found\r\nServer: nginx\r\nDate: [retracted]\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 0\r\nConnection: keep-alive\r\nLocation: https://cloud.google.com/cdn/\r\nReturned headers for most of the GRIFFON C2 servers on port 443\r\nThis error allowed us to follow the infrastructure week by week, until an individual posted on Twitter the heuristic\r\nto track their C2 at the end of December 2018. A few days after the tweet, in January 2019, the operators changed\r\ntheir landing page in order to prevent this type of tracking against their infrastructure.\r\nFake pentest company\r\nDuring the investigation related to the GRIFFON infrastructure, we found a strange overlap between the WHOIS\r\nrecord of an old GRIFFON C2 and the website of a fake company.\r\nAccording to the website, that domain supposedly belongs to a legitimate security company “fully owned by the\r\nRussian Government” (sic) and having offices in “Moscow, Saint Petersburg and Yekaterinburg”, but the address\r\nsays the company is located in Trump Tower, in New York. 
Given FIN7’s previous use of false security\r\ncompanies, we decided to look deeper into this one.\r\nAs we were looking at the content of the website, it became evident that almost all of the text used was lifted from\r\nlegitimate security-company websites. Phrases and sentences were borrowed from at least the following\r\ncompanies/sites:\r\nDKSec – www.dksec.com\r\nOKIOK – www.okiok.com/services/tailored-solutions\r\nMainNerve – www.mainnerve.com\r\nDatics – www.datatics.com/cyber-security\r\nPerspective Risk – www.perspectiverisk.com\r\nSynack – https://www.synack.com/company\r\nFireEye – https://www.fireeye.com/services/penetration-testing.html\r\nThis company seems to have been used by the FIN7 threat actor to hire new people as translators, developers and\r\npentesters. During our research, we found various job advertisements associated with the company on freelance\r\nand remote-work websites.\r\nIn addition to that, various individuals have mentioned the company in their resumes. We believe that some of\r\nthese individuals may not even be aware that they are working for a cybercrime business.\r\nLinks to other intrusion sets\r\nWhile tracking numerous threat actors on a daily basis during the final days of 2018 and at the beginning of 2019,\r\nwe discovered various activity clusters sharing certain TTPs associated with the FIN7 intrusion set. The link\r\nbetween these threat actors and FIN7 is still weak, but we decided to disclose a few hints regarding these in this\r\nblog post.\r\nCobaltGoblin/EmpireMonkey\r\nIn its history, FIN7 has overlapped several times with Cobalt/EmpireMonkey in terms of TTPs. This activity\r\ncluster, which Kaspersky Lab has followed for a few years, uses various implants for targeting mainly banks, and\r\ndevelopers of banking and money processing software solutions. 
At the end of 2018, the cluster started to use not\r\nonly CobaltStrike but also Powershell Empire in order to gain a foothold on the victims’ networks. After a\r\nsuccessful penetration, it uses its own backdoors and the CobaltStrike framework or Powershell Empire\r\ncomponents to hop to interesting parts of the network, where it can monetize its access.\r\nFIN7’s last campaigns were targeting banks in Europe and Central America. This threat actor is suspected of\r\nstealing €13 million from Bank of Valletta, Malta earlier this year.\r\nExample of malicious documents used in the end of 2018 to beginning of 2019\r\nA few interesting overlaps in recent FIN7 campaigns:\r\nBoth used macros to copy wscript.exe to another file, which began with “ms” (mses.exe – FIN7, msutil.exe\r\n– EmpireMonkey).\r\nBoth executed a JScript file named “error” in %TEMP% (Errors.txt in the case of FIN7, Errors.bat for\r\nEmpireMonkey).\r\nBoth used DocuSign decoy documents with different macros. The macros popped the same “Document\r\ndecryption error” error message, even though the macro code remained totally different.\r\nWe have a high level of confidence in a historic association between FIN7 and Cobalt, even though we believe\r\nthat these two clusters of activity are operated by different teams.\r\nAveMaria\r\nAveMaria is a new botnet, whose first version we found in September 2018, right after the arrests of the FIN7\r\nmembers. We have medium confidence that this botnet falls under the FIN7 umbrella. In fact, AveMaria is a\r\nclassic infostealer bot that collects all possible credentials from various types of software: browsers, email clients,\r\nmessengers, etc., and can act as a keylogger. 
Since the beginning of 2019, we have collected more than 1300\r\nsamples and extracted more than 130 C2s.\r\nTo deliver their malware, the cyber criminals use spearphishing emails with various types of attachments: MS\r\nOffice documents or spreadsheet files exploiting some known vulnerability like CVE-2017-11882, or documents\r\nwith Ole2Link and SCT. They also use AutoIT droppers, password-protected EXE files and even ISO images.\r\nInterestingly, in some emails, they ask targets to phone them if they have any questions, like the FIN7 guys\r\ndo.\r\nExample of AveMaria spearphishing emails. Criminals suggest calling them.\r\nDuring the investigation into FIN7, our threat-hunting systems found an interesting overlap between the\r\ninfrastructure of FIN7 and AveMaria. Basically, two servers in the same IP range and AS14576 (autonomous\r\nsystem) share a non-standard SSH port, which is 222. One of the servers is a Griffon C2, and the other one, an\r\nAveMaria C2.\r\nDistribution of targets is another factor suggesting that these two malware families may be connected. We\r\nanalyzed AveMaria targets during February and March of 2019. The spearphishing emails were sent to various\r\nkinds of businesses only and did not target individuals. Thirty percent of the targets were small and medium-sized\r\ncompanies that were suppliers or service providers for bigger players and 21% were various types of\r\nmanufacturing companies. We also spotted several typical FIN7 targets, such as retailers and hotels. Most\r\nAveMaria targets (72%) were in the EU.\r\nCopyPaste\r\nAt the end of 2018, while searching for new FIN7 campaigns via telemetry, we discovered a set of activity that we\r\ntemporarily called “CopyPaste” from a previously unknown APT. 
Interestingly, this actor targeted financial\r\nentities and companies in one African country, which led us to think that CopyPaste was associated with\r\ncybermercenaries or a training center.\r\nThis set of activity relied on open-source tools, such as Powershell Empire, and well-documented red teaming\r\ntechniques, in order to get a foothold within the victim’s networks and avoid detection.\r\nHere are the main similarities between CopyPaste and FIN7:\r\nBoth used the same Microsoft PowerShell argument obfuscation order: “powershell.exe -NoP -NonI -ExecutionPolicy Bypass”. We have only seen FIN7 and CopyPaste use this argument list for executing\r\ntheir malicious PowerShell scripts.\r\nBoth used decoy 302 HTTP redirections and typosquatting on their C2s (reminiscent of Cobalt and FIN7).\r\nThe Empire C2s associated with CopyPaste had decoy redirections to Digicert and Microsoft websites and\r\nused decoy job employment and tax websites with decoy redirections to host their payloads. FIN7 and\r\nCobalt used decoy 302 HTTP redirections too, FIN7 on its GRIFFON C2s before January 2018, and\r\nCobalt, on its staging servers, similar to CopyPaste.\r\nQuite recently, FIN7 threat actors typosquatted the brand “Digicert” using the domain name digicert-cdn[.]com, which is used as a command and control server for their GRIFFON implants. CopyPaste, in\r\nturn, also typosquatted this brand with their domains digicertweb[.]com and digi-cert[.]org, both used as a\r\nPowershell Empire C2 with decoy HTTP 302 redirects to the legitimate Digicert website.\r\nThe links between CopyPaste and FIN7 are still very weak. 
It is possible that the CopyPaste operators were\r\ninfluenced by open-source publications and do not have any ties with FIN7.\r\nConclusions\r\nDuring 2018, Europol and DoJ announced the arrest of the leader of the FIN7 and Carbanak/CobaltGoblin\r\ncybercrime groups. It was believed that the arrest of the group leader would have an impact on the group’s\r\noperations. However, recent data seems to indicate that the attacks have continued without significant setbacks.\r\nOne may say CobaltGoblin and FIN7 have even extended the number of groups operating under their umbrella.\r\nWe observe, with various levels of confidence, that there are several interconnected groups using very similar\r\ntoolkits and the same infrastructure to conduct their cyberattacks.\r\nThe first of them is the well-known FIN7, which specializes in attacking various companies to get access to\r\nfinancial data or PoS infrastructure. They rely on a Griffon JS backdoor and Cobalt/Meterpreter, and in recent\r\nattacks, Powershell Empire. The second one is CobaltGoblin/Carbanak/EmpireMonkey, which uses the same\r\ntoolkit, techniques and similar infrastructure but targets only financial institutions and associated software/services\r\nproviders.\r\nWe link the AveMaria botnet to these two groups with medium confidence: AveMaria’s targets are mostly\r\nsuppliers for big companies, and the way AveMaria manages its infrastructure is very similar to FIN7. The last\r\npiece is the newly discovered CopyPaste group, who targeted financial entities and companies in one African\r\ncountry, which led us to think that CopyPaste was associated with cybermercenaries or a training center. The\r\nlinks between CopyPaste and FIN7 are still very weak. 
It is possible that the operators of this cluster of activity\r\nwere influenced by open-source publications and do not have any ties with FIN7.\r\nAll of the aforementioned groups greatly benefit from unpatched systems in corporate environments. They thus\r\ncontinue to use effective spearphishing campaigns in conjunction with well-known MS Office exploits generated\r\nby the framework. So far, the groups have not used any zero-days.\r\nFIN7/Cobalt phishing documents may seem basic, but when combined with their extensive social engineering and\r\nfocused targeting, they are quite successful. As with their previous fake company “Combi Security”, we are\r\nconfident that they continue to create new personas for use in either targeting or recruiting under a “new” brand,\r\n“IPC”.\r\nMore information about these and related attacks is available to customers of Kaspersky Intelligence Reports.\r\nContact: intelreports@kaspersky.com\r\nIndicators of compromise\r\nAveMaria\r\nCopyPaste\r\nFIN7/GRIFFON\r\nEmpireMonkey/CobaltGoblin\r\nIn order to preserve the privacy of the potential victims, we stripped the targeted entities from the domain names.\r\nSource: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/"
	],
	"report_names": [
		"90703"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "56daf304-dd2c-4fa1-a01f-8c0a7e5e5c30",
			"created_at": "2022-10-25T16:07:23.586985Z",
			"updated_at": "2026-04-10T02:00:04.676803Z",
			"deleted_at": null,
			"main_name": "EmpireMonkey",
			"aliases": [
				"Anthropoid Spider",
				"CobaltGoblin",
				"EmpireMonkey"
			],
			"source_name": "ETDA:EmpireMonkey",
			"tools": [
				"AKO Doxware",
				"AKO Ransomware",
				"MedusaLocker",
				"MedusaReborn"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "186f3cc2-500c-4233-b688-8b6d6e08e2a3",
			"created_at": "2023-01-06T13:46:39.098169Z",
			"updated_at": "2026-04-10T02:00:03.212492Z",
			"deleted_at": null,
			"main_name": "ANTHROPOID SPIDER",
			"aliases": [
				"Empire Monkey",
				"CobaltGoblin"
			],
			"source_name": "MISPGALAXY:ANTHROPOID SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434932,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e16dd26cc89fa9f4c871cdc60ba552b01e86db8.pdf",
		"text": "https://archive.orkl.eu/9e16dd26cc89fa9f4c871cdc60ba552b01e86db8.txt",
		"img": "https://archive.orkl.eu/9e16dd26cc89fa9f4c871cdc60ba552b01e86db8.jpg"
	}
}