{
	"id": "f96f70ba-6a18-4559-b24f-67597bfa89cc",
	"created_at": "2026-04-06T00:11:55.626093Z",
	"updated_at": "2026-04-10T03:34:24.168049Z",
	"deleted_at": null,
	"sha1_hash": "d0a844e2945ef77e7a6c68c23e2e5ac9667eca89",
	"title": "ABADBABE 8BADF00D: Discovering BADHATCH and a Detailed Look at FIN8’s Tooling",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 489035,
	"plain_text": "ABADBABE 8BADF00D: Discovering BADHATCH and a Detailed Look\r\nat FIN8’s Tooling\r\nBy ATR\r\nPublished: 2019-07-23 · Archived: 2026-04-05 12:46:09 UTC\r\nby Kristina Savelesky, Ed Miles, Justin Warner\r\nFIN8 is a financially-motivated threat group originally identified by FireEye in January of 2016, with capabilities further\r\nreported on by Palo Alto Networks’ Unit 42 and root9B. This blog will introduce a new reverse shell from FIN8, dubbed\r\nBADHATCH and compare publicly reported versions of ShellTea and PoSlurp to variants observed by Gigamon Applied\r\nThreat Research (ATR). With these comparisons, we aim to show how FIN8 continues to evolve and adapt their tooling. Our\r\ngoal in sharing this intelligence is to enable defenders to better prevent, discover, or disrupt FIN8’s operations and offer a\r\ngreater understanding of their capabilities.\r\nEvolving Toolsets\r\nGigamon ATR, along with incident response partners, observed FIN8 on numerous occasions and on each occasion collected\r\nand analyzed malicious samples for detection research. We analyzed variants of the ShellTea implant and PoSlurp memory\r\nscraper malware, designated ShellTea.B and PoSlurp.B. One of the most interesting samples analyzed appears to be a\r\npreviously unreported tool, BADHATCH, that provides file transfer and reverse shell functionality.   \r\nAs part of our research, Gigamon ATR reviewed previously reported samples when available, assessed public reports, and\r\ncompared intelligence to our own observations from incident response engagements. Previous reporting on FIN8 indicates\r\nthat initial infection typically begins with a malicious email campaign, using weaponized Microsoft Word document\r\nattachments aimed at enticing the user to enable macros. 
These macros execute a PowerShell command which downloads a\r\nsecond PowerShell script containing the shellcode of the first stage of a downloader, called PowerSniff by root9B and Unit\r\n42, or PUNCHBUGGY by FireEye. While Gigamon ATR does not have phishing documents available for comparison, an\r\nincident response partner recovered the BADHATCH PowerShell script that, at first sight, appears comparable to\r\nPowerSniff/PUNCHBUGGY.\r\nBADHATCH Malware\r\nThe BADHATCH sample begins with a self-deleting PowerShell script containing a large byte array of 64-bit shellcode that\r\nit copies into the PowerShell process’s memory and executes with a call to CreateThread. This script differs slightly from\r\npublicly reported samples in that the commands following the byte array are base64 encoded, possibly to evade security\r\nproducts. While previous analyses saw PowerSniff downloaded from online sources and executed, Gigamon ATR incident\r\nresponse partners recorded the attackers launching the initial PowerShell script via WMIC as visible in Figure 1.\r\nwmic /node:“\u003cserver_name\u003e” process call create “powershell –ep bypass –c .\\\u003cscript_name\u003e.ps1”\r\nFigure 1: WMIC command used to launch BADHATCH PowerShell script.\r\nThe first stage of the malware then loads an embedded second stage DLL into the same memory space (using the Carberp\r\nfunction hash resolution routine to hide the names of API functions being used) and executes it. The use of hexadecimal\r\nconstants 0xABADBABE 0x8BADF00D to locate the beginning of the embedded DLL was a common trait across all first\r\nstages of the FIN8 PowerShell scripts we analyzed (see Figure 2).\r\nFigure 2: The BADHATCH first stage locates the embedded DLL using 0xABADBABE 0x8BADF00D\r\nconstants. 
The hex dump of the embedded DLL is shown on the left, with the disassembly of instructions and\r\nconstants used for locating the DLL on the right\r\nOnce executed, depending on the session ID, the embedded DLL either APC injects into a svchost.exe process (launched\r\nwith svchost.exe -k netsvcs), or injects into explorer.exe (using the ToolHelp32 API functions and RtlAdjustPrivilege to\r\nenable SeDebugPrivilege). The malware creates a local event object, with the hardcoded name Local\\{45292C4F-AABA-49ae-9D2E-EAF338F50DF4}, which is used similarly to a mutex (to ensure only one copy is running at a time).\r\nOn startup, and every 5 minutes thereafter, the sample beacons to a hardcoded command and control (C2) IP\r\n(149.28.203[.]102) using TLS encryption, and sends a host identification string derived from several system configuration\r\ndetails and formatted as %08X-%08X-%08X-%08X-%08X-SH. Only the one hardcoded IP address and no C2 domains\r\nhttps://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/\r\nPage 1 of 14\n\nwere observed. Upon connecting back to the C2 server and sending the system ID, the shell will offer the banner shown in\r\nFigure 3, with the OS version and bitness as well as the hostname values filled in.\r\n----------------------------------------\r\n* SUPER REMOTE SHELL v2.2 SSL\r\n----------------------------------------\r\nOS: %s SP %d %s\r\nHOSTNAME: %s\r\nPress i+enter to impersonate shell or just press enter\r\nFigure 3: banner of the BADHATCH reverse shell.\r\nThe shell even includes a small bit of online help with troubleshooting suggestions (displayed in Figure 4) if there are issues\r\nwith launching the cmd.exe process the shell uses for command execution.\r\nLogon failure: unknown user name or bad password.\r\nLogon failure: user account restriction. 
Possible reasons are blank passwords not allowed, logon hour restrict\r\nThe trust relationship between this workstation and the primary domain failed.\r\nThe service cannot be started, either because it is disabled or because it has no enabled devices associated w\r\nRun 'sc start seclogon' if you can ;)\r\nFailed to execute shell, error %u\r\nFigure 4: Plaintext error messages present in the strings of the BADHATCH DLL.\r\nAn option for impersonating a specific user via the Windows APIs is given, but both execution paths will start a cmd.exe\r\nprocess for command execution. Upload and download functions are available, and the shell looks for those commands, as\r\nwell as a ‘terminate’ command, before sending any input to the cmd.exe process.\r\nBADHATCH uses the Windows IO Completion Port APIs and low-level encryption APIs from the Security Support\r\nProvider Interface to implement an asynchronous TLS-wrapped TCP/IP channel. As a side effect of this implementation,\r\nport 3885 will be opened and bound on localhost. The malware connects back to itself on this port and uses this as a\r\nloopback transmission channel in the course of encrypting and transferring data between threads. Internally, this mechanism\r\nuses CompletionKeys of ’nScS’ and ‘rScS’. These keys are used to track which IO operations have completed and identify\r\nthe sender/receiver threads that handle the shell communication.\r\nBesides the networking behavior, BADHATCH appears to be considerably different from PowerSniff in that it contains no\r\nmethods for sandbox detection or anti-analysis features apart from some slight string obfuscation. It includes none of the\r\nenvironmental checks to evaluate if it is running on possible education or healthcare systems and has no observed built-in,\r\nlong-term persistence mechanisms. 
Below, Table 1 summarizes the differences between PowerSniff, PUNCHBUGGY, and\r\nBADHATCH.\r\nShared Component root9B PowerSniff Unit 42 PowerSniff\r\nVirusTotal\r\nPUNCHBUGGY\r\nSHA-256 Hash not provided in report\r\nHash for maldoc provided\r\nin report\r\n5024306ade133b0ebd415f01cf64c23a586c99450afa9b79176f87179d78c51d\r\nInfection vector is a spearphishing email with\r\nan attached maldoc that downloads a\r\nPowerShell stager\r\n✓ ✓ ✓\r\nTarget architecture is 32- or 64-bit ✓ ✓ ✓\r\nFirst stage loads and runs shellcode in\r\nmemory that loads a DLL second stage\r\n✓ ✓\r\n0xABADBABE\r\n0x8BADF00D checks to\r\nfind embedded DLL\r\nUse of Carberp function hash resolution\r\nroutine in shellcode to find API functions\r\n✓ Unmentioned in report\r\nSame hashes and\r\nalgorithm as\r\nBADHATCH\r\nEmbedded DLL decrypts strings using\r\nalgorithm with seed 0xDDBC9D5B,\r\nmultiplier 0x19660D, increment 0x3C6EF35F\r\nUnmentioned in report\r\nSame seed and constants\r\nas PUNCHBUGGY\r\nSame seed and constants\r\nas Unit 42 PowerSniff\r\nsample\r\nIncludes methods for sandbox detection\r\nSlightly different than Unit 42\r\nsample/PUNCHBUGGY\r\nIdentical to\r\nPUNCHBUGGY\r\nIdentical to Unit 42\r\nsample\r\nAbility to write DLL to\r\n%%userprofile%%\\AppData\\LocalLow\\%u.db\r\nand run via rundll32\r\n✓ ✓ ✓\r\nAbility to write an executable and run it ✓ Unmentioned ✓\r\nAbility to write a DLL and load into calling\r\nprocess with LoadLibraryW\r\n✓ Unmentioned ✓\r\nPerforms HTTP requests with user agent of\r\nMozilla/4.0 (compatible; MSIE 8.0; Windows\r\nNT %u.%u%s)\r\n✓\r\nContacts C2 via HTTP,\r\nuser agent unspecified in\r\nreport\r\n✓\r\nPersistence\r\nAbility to write a DLL and add 
it to HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls for\r\npersistence\r\nPersistence unspecified\r\nNo observed registry\r\nmodifications\r\nMemory string similarity Similar to PUNCHBUGGY and\r\nUnit 42 PowerSniff\r\nSeems identical to\r\nPUNCHBUGGY, similar\r\nto root9B PowerSniff\r\nSeems identical to Unit 42\r\nPowerSniff, similar to\r\nroot9B PowerSniff\r\nAbility to inject into explorer.exe ✓ Unmentioned Unobserved\r\nAbility to spawn and inject into svchost.exe\r\nprocess if sessionID = 1\r\nUnmentioned Unmentioned Unobserved\r\nAbility to download/upload files to/from\r\nuser-supplied path\r\nUnmentioned Unmentioned Unobserved\r\nAbility to start interactive shell Unmentioned Unmentioned Unobserved\r\nEphemeral localhost port 3885 usage Unmentioned Unmentioned Unobserved\r\nCommand and control\r\nvseflijkoindex[.]net\r\nvortexclothings[.]biz\r\nunkerdubsonics[.]org\r\npopskentown[.]com\r\nsupratimewest[.]com\r\nletterinklandoix[.]net\r\nsupratimewest[.]biz\r\nstarwoodhotels[.]pw\r\noklinjgreirestacks[.]biz\r\nwww.starwoodhotels[.]pw\r\nbrookmensoklinherz[.]org\r\nsupratimewest[.]com\r\nletterinklandoix[.]net\r\nsupratimewest[.]biz\r\nstarwoodhotels[.]pw\r\noklinjgreirestacks[.]biz\r\nwww.starwoodhotels[.]pw\r\nbrookmensoklinherz[.]or\r\nTable 1: A comparison table showing shared and differentiating components between root9B’s PowerSniff (as\r\nreported), Unit 42’s PowerSniff (as reported), a PUNCHBUGGY sample from VirusTotal, and the\r\nBADHATCH sample from Gigamon ATR.\r\nShellTea.B Implant\r\nShellTea is a memory-resident implant that includes multiple methods for downloading and executing additional code and\r\ncan install persistence via the registry. 
Its primary use case appears to be serving as a stealthy foothold in the victim network\r\nand deploying additional payloads.\r\nDuring two previous incident response engagements involving FIN8, response partners recovered registry keys containing\r\nhexadecimal-encoded data and corresponding PowerShell scripts. Gigamon ATR discovered these to be persistence artifacts\r\nof ShellTea variants, with a few differences from root9B’s ShellTea sample. Table 2 presents a comparison of differentiating\r\nfeatures between ShellTea and ShellTea.B.\r\nroot9B ShellTea ATR ShellTea.B\r\nHash not provided in report\r\nShellcode from registry:\r\n385538451e59f630db6f1b367aacfdbb85b7d730210fc6d5b2bee7037f0362a5\r\nPowerShell script waits five seconds for thread to\r\ncomplete\r\nPowerShell script includes Start-Sleep 2; then\r\nwaits for one minute for thread to complete\r\nUses a custom function resolver with 4-byte hashes\r\nand seed 0x463283F5, multiplier 0x19660D,\r\nincrement 0x3C6EF35F\r\nUses a custom function resolver with 4-byte\r\nhashes and seed 0x463283F5, multiplier\r\n0x19660D, increment 0x3C6EF35F\r\nUse of Ws2_32.dll exports for network\r\nfunctionality (connect, send, etc.)\r\nUse of wininet.dll exports for network\r\nfunctionality (InternetConnectA,\r\nHttpSendRequestA, etc.)\r\nConnects to command and control over port 443\r\nusing a custom binary protocol with XTEA\r\nencryption in CBC mode, can communicate\r\nthrough proxies via CONNECT\r\nCommunicates with command and control servers\r\nusing HTTPS POST requests, with XTEA-encrypted payload in the body (see Figure 5 for\r\nheaders)\r\nThe command and control servers utilized a\r\nstandard self-signed “Internet Widgets” Apache\r\nTLS certificate\r\nC2 domains include:\r\nneofilgestunin[.]org\r\nverfgainling[.]net\r\nstraubeoldscles[.]org\r\nolohvikoend[.]org\r\nmenoograskilllev[.]net\r\nasojinoviesder[.]org\r\nC2 domains 
include:\r\nmoreflorecast[.]org\r\npreploadert[.]net\r\ntroxymuntisex[.]org\r\nnduropasture[.]net\r\nNo encoded DNS traffic mentioned\r\nEncoded DNS requests to generated subdomains\r\nof nduropasture[.]net\r\nTable 2: A comparison table showing differentiating components between root9B’s ShellTea implant (as\r\nreported) and the ShellTea.B sample from Gigamon ATR.\r\nPOST\r\njson/\r\nMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0\r\nAccept: application/octet-stream\r\nContent-Type: application/octet-stream\r\nConnection: close\r\nFigure 5: Strings output of hardcoded HTTP POST headers used in ShellTea.B communications; note the missing right\r\nparenthesis of the user agent string.\r\nIn addition to the HTTPS channel, ShellTea.B uses DNS to communicate with C2 infrastructure. Small messages, usually 39\r\nbytes, are encoded in the subdomain field of DNS A-record queries. These messages are composed of several pieces of\r\ninternal state encoded in the character space “abcdefghijklmnopqrstuvwxyz012345”. The state transmitted includes an\r\ninternal PRNG seed as well as several hardcoded values embedded in the malware at compile time, while the query\r\nresponses consist of single IP addresses. The DNS channel is initiated from within several nested loops that can cause\r\nrepeated lookups depending on the IP address. If the IP doesn’t conform to several value checks, the inner loop will run\r\nagain after a 30 second delay, up to 3 times. Iterations of the inner loop are controlled by checking if the IP’s first octet plus 7\r\nis not equal to the second octet, or if the fourth octet modulo 10 does not result in 0, 1, 2, or 3 (see Figure 6). 
If the inner\r\nloop terminates while the result of the modulo is greater than 0, the outer loop will run again after a delay based on the\r\nmodulo value, causing the cycle to begin again. NOTE: On initialization, this DNS channel will be active before the HTTP\r\nchannel.\r\nFigure 6: The ShellTea.B DNS channel processing.\r\nThe differences in communication protocols between ShellTea and ShellTea.B suggest minor changes to this element of the\r\nFIN8 attack chain, possibly to adapt to target environments by blending in with other HTTPS or DNS traffic in lieu of a\r\nmore suspicious custom protocol.\r\nPoSlurp.B Scraper\r\nThe final, perhaps most important component in the FIN8 toolkit, is the one that actually retrieves credit card numbers as\r\nthey pass through payment card processing systems. Credit card numbers are 15 or 16 digits long and conform to the Luhn\r\nalgorithm. This algorithm defines valid credit card numbers, and most scrapers check card numbers against it. Notably,\r\nPoSlurp does not run the Luhn algorithm on card numbers it collects. Verification may be performed offline, after the\r\nexfiltration of the card data, but either way, FIN8 knows the environment and PoSlurp targets the card processing software\r\ndirectly for scraping rather than arbitrarily scraping other process memory.\r\nDuring previous incident response engagements involving FIN8, response partners also recovered POS memory-scraping\r\nsamples: one, an executable binary that appears to be a 32-bit version of the PoSlurp malware reported by root9B (reported\r\nas PUNCHTRACK by FireEye), and another, a PowerShell script highly similar to the BADHATCH PowerShell script. 
This\r\nscript was also observed being executed via WMIC, illustrated in Figure 7.\r\nwmic /node:”@t.txt” /user:”\u003cusername\u003e” /password:”\u003cpassword\u003e” process call create “powershell -ep bypass –c c\r\nFigure 7: WMIC command used to launch the PoSlurp.B script.\r\nLike the BADHATCH script, this script base64 decodes and executes further commands which load a byte array of\r\nshellcode into memory and begin execution. The PowerShell script is then moved to a temporary file before being\r\noverwritten with a copy of the Regedit executable and then deleted. True to the previously analyzed first stage scripts, the\r\nshellcode uses the Carberp function hash resolution routine to locate an embedded DLL by parsing for the same\r\nhexadecimal constants, loads the DLL into memory, and executes it. Unlike the notable use of low-level API functions and\r\nanti-analysis techniques in PoSlurp, PoSlurp.B’s first stage simply calls VirtualAlloc, LoadLibrary, and GetProcAddress to\r\ndynamically resolve imported functions, without other tricks to thwart analysis. Where PoSlurp and PUNCHTRACK\r\narguments are passed in as part of the command line, PoSlurp.B arguments are passed in an environment variable and are\r\npipe-delimited instead of hash- or asterisk-delimited (see Figure 8).\r\n$env:PRMS = “i|\u003cinject_process_name\u003e|\u003cscrape_process_name\u003e|t|2800|”;\r\nFigure 8: Pipe-delimited PoSlurp.B arguments passed in an environment variable in the PowerShell script.\r\nMajor functional differences in PoSlurp.B include the ability to:\r\nInject into the target process given an ‘i’ argument.\r\nCreate a svchost netsvcs process and APC inject the main loop given an ‘s’ argument.\r\nRun the main loop without injection given a ‘p’ argument.\r\nThe PUNCHTRACK sample that we analyzed (downloaded from VirusTotal) also had the ability to create and inject into a\r\nsvchost process, though it did so regardless of command line arguments.  
\r\nAdditionally, the call to DeleteFile that cleaned up old output files has been removed. Incident response partners captured\r\nthese actions being performed manually, shown in Figure 9.\r\nfor /F %i in (\u003cfilename\u003e.txt) DO attrib -h \\\\%i\\c$\\users\\\u003clocal_admin_user\u003e\\appdata\\local\\temp\\\u003cfilename\u003e.tmp\r\nfor /F %i in (\u003cfilename\u003e.txt) DO net use \\\\%i\\c$ /user:%i\\\u003cusername\u003e \u003cpassword\u003e\r\nfor /F %i in (\u003cfilename\u003e.txt) DO copy \\\\%i\\c$\\users\\\\\u003clocal_admin_user\u003e\\appdata\\local\\temp\\\u003cfilename\u003e.tmp %i.t\r\nfor /F %i in ((\u003cfilename\u003e.txt) DO del \\\\%i\\c$\\users\\\\\\\u003clocal_admin_user\u003e\\appdata\\local\\temp\\\\\u003cfilename\u003e.tmp\r\nFigure 9: Commands to manually unhide, copy, and delete encrypted PoSlurp.B log files.\r\nThe following table (Table 3) provides a comparison between features observed in two versions of PoSlurp, a\r\nPUNCHTRACK sample downloaded from VirusTotal, and PoSlurp.B.\r\nShared component root9B PoSlurp ATR PoSlurp\r\nVirusTotal\r\nPUNCHTRACK\r\nATR P\r\nSHA-256 Hash not provided in report\r\ncc952950a73909a655044dbb87f85f66d44d1d4e3a1e096777bbc938a62bd080 (link)\r\nffc133ea83deac94bce5db1a420257304931e6d3cfb82c6d9e50a2a98f43d310 (link)\r\n8c6fe4c\r\nb756d5\r\n230ceaf\r\n91dac42\r\nInvocation\r\nwmic /node:”@targets.txt” process call create “cmd /c [PoSlurp_filename].exe TARGET1.EXE #TARGET2.exe*1234*winlogon.exe”\r\ncmd /c psv.exe TARGET1.EXE #TARGET2.EXE*1400*winlogon.exe\r\nTakes 3 args: PUNCHTRACK filename (psvc.exe), POS target process, and timeout\r\nwmic /n\r\n/user:”\u003c\r\n/passwo\r\nprocess\r\n“power\r\n–c c:\\us\r\n\u003cadmin\r\nlocal\\te\r\n\u003cscript_\r\n$env:PR\r\n“i|winin\r\n\u003cscrape\r\n|t|2800|”\r\nTarget 
architecture 64-bit judging by screenshots 32-bit 32-bit 64-bit\r\nUse of\r\nRtlWriteMemoryStream\r\nfor constants, uses custom\r\nAPI hashing algorithm for\r\nresolving functions\r\n✓ ✓ ✓ Not obs\r\nUse of Carberp function\r\nhashing code to resolve\r\nimports\r\n✓ ✓ ✓\r\nFirst stage byte length 6610 bytes 6608 bytes 6368 bytes 7186 by\r\n0xABADBABE and\r\n0x8BADF00D checks in\r\nfirst stage to find start of\r\nembedded DLL\r\nNot mentioned ✓ ✓\r\nUses\r\nZwAllocateVirtualMemory\r\nLdrLoadDll and\r\nLdrGetProcedureAddress\r\n✓ Same hashes as PUNCHTRACK\r\nSame hashes as\r\npsv.exe\r\nUses Vi\r\nLoadLi\r\nGetProc\r\nCreateToolhelp32Snapshot\r\nto find processes\r\n✓ ✓ ✓\r\nRtlAdjustPrivilege\r\n(SE_DEBUG) +\r\nWriteProcessMemory +\r\nRtlCreateUserThread to\r\ninject into target process\r\n✓ ✓ ✓\r\nInjects\r\n‘i’\r\nCreates svchost netsvcs\r\nprocess and APC injects\r\nmain loop\r\nNot mentioned Not observed Always Only w\r\nAble to run main loop\r\nwithout injection\r\nNot mentioned Not observed Not observed When g\r\nDeletes old log files ✓\r\nCalls DeleteFileW before running\r\nscraper\r\nCalls\r\nDeleteFileW\r\nbefore running\r\nscraper\r\nDoes no\r\nDeleteF\r\nscraping\r\nScans target process’s\r\nmemory every 5 seconds\r\nuntil timeout, encrypts\r\ncard data and saves\r\n✓ ✓ ✓\r\nTable 3: A comparison table showing shared and differentiating components between root9B’s PoSlurp (as\r\nreported), Gigamon ATR’s PoSlurp, a PUNCHTRACK sample from VirusTotal, and the PoSlurp.B sample\r\nfrom ATR.\r\nStitching Together the Pieces\r\nOur analysis is the result of the combined efforts of Gigamon ATR and our incident response partners. 
With shared data from\r\none recent engagement, we put together a more complete picture of the role each tool plays in FIN8’s kill chain. The\r\nBADHATCH, ShellTea.B, and PoSlurp.B samples detailed above were recovered from forensic analysis during incident\r\nresponse. While our data regarding the entire attack is incomplete, the analysis of evidence obtained revealed an interesting\r\npicture of FIN8’s workflow, displayed in Figure 10.\r\nFigure 10: A visual timeline of FIN8 activity during the incident response engagement.\r\nOur response partner’s timeline began with observed modifications to suspicious registry keys, which Gigamon ATR\r\nanalyzed and determined to contain persistence mechanisms for the ShellTea.B memory implant. Logs also revealed\r\ntwo PowerShell scripts launched via WMIC with compromised credentials. We found these scripts to be the PowerShell\r\nstagers for BADHATCH and PoSlurp.B. Even though multiple workstations had ShellTea.B persistence keys in the registry,\r\nthe attackers operated predominantly from a single workstation. From the ShellTea.B-infected workstation, they enumerated\r\nthree different servers on the network and deployed the BADHATCH reverse shell to two, but ultimately were observed only\r\nusing one server to communicate with POS devices (see Figure 11).\r\nFigure 11: A breakdown of FIN8’s data collection process.\r\nAfter successfully reaching their objectives, interactions increased, with almost daily sessions featuring BADHATCH\r\ndeployments. Card data was removed from the POS hosts, collected on the infected IT server, and staged there for\r\nexfiltration. The repetitive scraping and collection process was:\r\n1. Deploy the (non-persistent) BADHATCH reverse shell to the server\r\n2. From the server, issue commands to each POS system in a target list to\r\n1. 
Unhide the hidden log of encrypted card data\r\n2. Copy the log back to the server\r\n3. Delete the old log file\r\n3. Execute the PoSlurp.B PowerShell script\r\nIn the first weeks of the command log, PoSlurp.B was not seen being deployed, even though uncollected card data existed\r\non one of the POS machines with an earlier timestamp. Only two attacker sessions were seen, performing some basic\r\nnetwork recon using ping and netstat, prior to deploying BADHATCH, with commands illustrated in Figure 12.\r\nwmic/node:\"\u003cIT_server\u003e\" process call create \"cmd /c ping \u003cip_address\u003e \u003e out.txt\"\r\nwmic/node:\"\u003cIT_server\u003e \" process call create \"cmd /c netstat -f \u003e out.txt\"\r\nFigure 12: WMIC commands used for reconnaissance.\r\nAlthough the command logs only captured the later stages of the operation, analysis of this data proved vital for\r\nunderstanding the relationships between the attacker’s components, as well as how they moved and interacted in the\r\nenvironment. Large variations in timing data demonstrated that actions were performed by humans, rather than automated\r\ntasks. This data also revealed some unexpected details: it turns out threat actors make mistakes too! Multiple command\r\nerrors were observed, including a session where the operator attempted to run a command from the wrong directory multiple\r\ntimes before getting it right. Another session featured commands accidentally run from the wrong machine before being\r\nproperly executed on the intended target.\r\nAt the end of the day, the actors behind FIN8 are human and clearly fallible. 
While they may make rapid improvements to\r\ntools and procedures, we hope the technical and operational information shared here will help other organizations detect and\r\ndisrupt FIN8 operations.\r\nLearn more about financially motivated threats in our newest report: A Look Inside Financially Motivated Attacks and the\r\nActive FIN8 Threat Group\r\nGigamon Applied Threat Research would like to acknowledge Charles River Associates, a Gigamon Insight\r\nincident response partner, with a special thank you to Peter Seddon, Andrew Fry, Kevin Kirst, and Geoff Fisher,\r\nfor their contributions to this research.\r\nAppendix: Detection Strategies\r\nThere are several unique opportunities for detection across the operational lifecycle and artifacts generated by FIN8’s\r\ntoolset. Indicators vary from recurring observed techniques to campaign-specific atomic indicators. This section draws on\r\ninformation from the analysis of each sample and observations from the live incident response engagement to build\r\ndetection strategies for future use.\r\nObservations \u0026 Signatures\r\nDuring our engagements with FIN8, we saw several patterns in their behavior that serve as useful observations but are not\r\nunique enough or associated with malicious activity directly enough to be alert worthy. Checking for these characteristics\r\nand adding context from the environment should produce investigable data: \r\nDefault self-signed certificates on low reputation infrastructure – FIN8 infrastructure utilized the default self-signed\r\n“Internet Widgets” Apache TLS certificate as well as newly-registered domains and common VPS-based hosting\r\nproviders. 
These observations can be used to hunt FIN8 and many other threat actors.\r\nPeriodic connections – Identifying periodic connections can help detect automated behaviors, such as the 5-minute\r\ntiming of callbacks from BADHATCH and the periodic DNS and HTTPS traffic of ShellTea.B.\r\nNewly observed one-to-many RPC/WMI interactions – FIN8 makes heavy use of Windows file sharing and WMIC\r\nto distribute and execute its tooling. Spotting these actions can help identify infected hosts at various stages of an\r\noperation.\r\nEncoded DNS Traffic – As detailed above, ShellTea.B utilizes a DNS-based communication channel to contact its C2\r\nservers. A-record queries are generated with high-entropy subdomains that can be matched by a regex like “[a-z0-5]{39,42}”. The responses to these queries would also stand out as being distributed among random IP blocks.\r\nAdditionally, while signature-based detection tends to be prone to evasion, it is a valuable part of a comprehensive detection\r\nstrategy, particularly with actors that reuse infrastructure and tools between engagements. With this set of malware,\r\nsignature-based network detection is complicated by the use of encryption, but signatures are provided for cases where\r\nSSL/TLS termination is in use. 
The following signatures can identify the tools discussed in this blog:\r\nrule FIN8_abadbabe\r\n{\r\n meta:\r\n author = \"Kristina Savelesky – Gigamon ATR\"\r\n description = \"Hexadecimal constants used in FIN8 unembedding\"\r\n last_modified = \"June 27, 2019\"\r\n strings:\r\n $abadbabe= \"0xbe,0xba,0xad,0xab\"\r\n $8badf00d = \"0x0d,0xf0,0xad,0x8b\"\r\n $hex = { be ba ad ab 0d f0 ad 8b }\r\n condition:\r\n $hex or ($abadbabe and $8badf00d)\r\n}\r\nalert tcp $HOME_NET 1024: -\u003e $EXTERNAL_NET 443 (msg:\"GIGAMON_ATR COMMAND_AND_CONTROL BADHATCH Check-in\"; flow\r\nalert tcp $HOME_NET 1024: -\u003e $EXTERNAL_NET 443 (msg:\"GIGAMON_ATR COMMAND_AND_CONTROL BADHATCH Banner\"; flow:es\r\nreject http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"GIGAMON_ATR COMMAND_AND_CONTROL ShellTea.B User Agent POS\r\nAtomic Indicators\r\nAtomic indicators are a valuable component of a detection strategy, particularly in situations when the actor has been known\r\nto reuse infrastructure. Due to the use of shared hosting, IP address indicators will vary in usefulness. 
The atomic indicators\r\nin Table A1 were observed in our analysis.\r\nIndicator Type Sample\r\nc5642641064afc79402614cb916a1e3bd5ddd4932779709e38db64d6cc561cd5 SHA256 BADHATCH\r\n149.28.203[.]102 IP Address BADHATCH\r\nLocal\\{45292C4F-AABA-49ae-9D2E-EAF338F50DF4} Event String BADHATCH\r\nsubarnakan[.]org Domain ATR ShellTea\r\nasilofsen[.]net Domain ATR ShellTea\r\nmanrodoerkes[.]org Domain ATR ShellTea\r\nashkidiore[.]org Domain ATR ShellTea\r\ndruhanostex[.]net Domain ATR ShellTea\r\nkapintarama[.]net Domain ATR ShellTea\r\n385538451e59f630db6f1b367aacfdbb85b7d730210fc6d5b2bee7037f0362a5 SHA256 ShellTea.B\r\nmoreflorecast[.]org Domain ShellTea.B\r\n198.199.105.192 IP ShellTea.B Resolution\r\npreploadert[.]net Domain ShellTea.B\r\n104.248.9.143 IP ShellTea.B Resolution\r\ntroxymuntisex[.]org Domain ShellTea.B\r\nnduropasture[.]net Domain ShellTea.B\r\n8c6fe4c8b000e87b756d5fd0b53d3e230ceafa8928851a91dac42445c0bab8e3 SHA256 PoSlurp.B\r\n%TMP%\\wmsetup.tmp File path PoSlurp.B\r\nTable A1: Atomic indicators from BADHATCH, a ShellTea sample analyzed by Gigamon ATR, ShellTea.B,\r\nand PoSlurp.B.\r\nATT\u0026CK Mapping\r\nATT\u0026CK is a framework developed by MITRE and widely used by intelligence communities to characterize and model\r\nTTPs used by threat actors and their tooling. 
In Table A2 below, we map the TTPs observed in BADHATCH, ShellTea.B,\r\nand PoSlurp.B, as well as operational techniques, to ATT\u0026CK techniques.\r\nStage Techniques observed in:\r\nBADHATCH\r\nShellTea.B\r\nPoSlurp.B\r\nOperationally\r\nCollection Data from Local Systems (T1005)\r\nData Staged (T1074)\r\nCommand and\r\nControl\r\nCommonly Used Port (T1043)\r\n \r\nCustom Command and Control Protocol (T1094)\r\n \r\nCustom Cryptographic Protocol (T1024)\r\n \r\nData Encoding (T1132)\r\n \r\nStandard Cryptographic Protocol (T1032)\r\nObfuscation (T1001)\r\n \r\nMultiband Communication (T1026)\r\nRemote File Copy (T1105)\r\nStandard Application Layer Protocol (T1071)\r\nhttps://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/\r\nPage 10 of 14\n\nStage Techniques observed in:\r\nBADHATCH\r\nShellTea.B\r\nPoSlurp.B\r\nOperationally\r\nStandard Cryptographic Protocol (T1032)\r\n \r\nUncommonly Used Port (T1065)\r\nDefense Evasion Access Token Manipulation (T1134)\r\nDeobfuscate/Decode Files or Information (T1140)\r\nExecution Guardrails (T1480)\r\n \r\nFile Deletion (T1107)\r\n \r\nFile Permissions Modification (T1222)\r\nHidden Files and Directories (T1158)\r\n \r\nModify Registry (T1112)\r\nObfuscated Files or Information (T1027)\r\nProcess Injection (T1055)\r\nScripting (T1064)\r\nValid Accounts (T1078)\r\n \r\nhttps://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/\r\nPage 11 of 14\n\nStage Techniques observed in:\r\nBADHATCH\r\nShellTea.B\r\nPoSlurp.B\r\nOperationally\r\nVirtualization/Sandbox Evasion (T1497)\r\nDiscovery Network Share Discovery (T1135)\r\nProcess Discovery (T1057)\r\nQuery Registry (T1012)\r\nRemote System Discovery (T1018)\r\nSecurity Software Discovery (T1063)\r\nSystem Information Discovery (T1082)\r\n \r\nSystem Network Configuration Discovery (T1016)\r\nSystem Network Connections Discovery (T1049)\r\nSystem Owner/User Discovery 
(T1033)\r\n \r\nSystem Time Discovery (T1124)\r\nVirtualization/Sandbox Evasion (T1497)\r\nExecution Command-Line Interface (T1059)\r\n \r\nExecution through Module Load (T1129)\r\nhttps://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/\r\nPage 12 of 14\n\nStage Techniques observed in:\r\nBADHATCH\r\nShellTea.B\r\nPoSlurp.B\r\nOperationally\r\nPowerShell (T1086)\r\nScripting (T1064)\r\nService Execution (T1035)\r\nWindows Management Instrumentation (T1047)\r\nExfiltration Data Encrypted (T1022)\r\nExfiltration over Command and Control Channel\r\n(T1041)\r\n \r\nInitial Access Valid Accounts (T1078)\r\n \r\nLateral Movement Remote File Copy (T1105)\r\nRemote Services (T1021)\r\nWindows Admin Shares (T1077)\r\nPersistence Hidden Files and Directories (T1158)\r\n \r\nRegistry Run Keys / Startup Folder (T1060)\r\nValid Accounts (T1078)\r\n \r\nhttps://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/\r\nPage 13 of 14\n\nStage Techniques observed in:\r\nBADHATCH\r\nShellTea.B\r\nPoSlurp.B\r\nOperationally\r\nPrivilege Escalation Access Token Manipulation (T1134)\r\nProcess Injection (T1055)\r\nValid Accounts (T1078)\r\nTable A2: Mapping of TTPs observed in BADHATCH, ShellTea.B, and PoSlurp.B to ATT\u0026CK techniques.\r\nSource: https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/\r\nhttps://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/\r\nPage 14 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/"
	],
	"report_names": [
		"abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling"
	],
	"threat_actors": [
		{
			"id": "3150bf4f-288a-44b8-ab48-0ced9b052a0c",
			"created_at": "2025-08-07T02:03:24.910023Z",
			"updated_at": "2026-04-10T02:00:03.713077Z",
			"deleted_at": null,
			"main_name": "GOLD HUXLEY",
			"aliases": [
				"CTG-6969 ",
				"FIN8 "
			],
			"source_name": "Secureworks:GOLD HUXLEY",
			"tools": [
				"Gozi ISFB",
				"Powersniff"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5bdde906-0416-42ee-9100-5ebd95dda77a",
			"created_at": "2023-01-06T13:46:38.601977Z",
			"updated_at": "2026-04-10T02:00:03.035842Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK113",
				"G0061"
			],
			"source_name": "MISPGALAXY:FIN8",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72d09c17-e33e-4c2f-95db-f204848cc797",
			"created_at": "2022-10-25T15:50:23.832551Z",
			"updated_at": "2026-04-10T02:00:05.336787Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"FIN8",
				"Syssphinx"
			],
			"source_name": "MITRE:FIN8",
			"tools": [
				"BADHATCH",
				"PUNCHBUGGY",
				"Ragnar Locker",
				"PUNCHTRACK",
				"dsquery",
				"Nltest",
				"Sardonic",
				"PsExec",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fc80a724-e567-457c-82bb-70147435e129",
			"created_at": "2022-10-25T16:07:23.624289Z",
			"updated_at": "2026-04-10T02:00:04.691643Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK 113",
				"G0061",
				"Storm-0288",
				"Syssphinx"
			],
			"source_name": "ETDA:FIN8",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BadHatch",
				"BlackCat",
				"Noberus",
				"PSVC",
				"PUNCHTRACK",
				"PoSlurp",
				"Powersniff",
				"PunchBuggy",
				"Ragnar Loader",
				"Ragnar Locker",
				"RagnarLocker",
				"Sardonic",
				"ShellTea"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434315,
	"ts_updated_at": 1775792064,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0a844e2945ef77e7a6c68c23e2e5ac9667eca89.pdf",
		"text": "https://archive.orkl.eu/d0a844e2945ef77e7a6c68c23e2e5ac9667eca89.txt",
		"img": "https://archive.orkl.eu/d0a844e2945ef77e7a6c68c23e2e5ac9667eca89.jpg"
	}
}