{
	"id": "1d54b70d-8657-4767-8ab0-d4b0427ee2c8",
	"created_at": "2026-04-06T00:21:49.949358Z",
	"updated_at": "2026-04-10T13:12:09.29075Z",
	"deleted_at": null,
	"sha1_hash": "d87ad4f477186057c7943cc45ad163cfd45f6ba2",
	"title": "Fin7 hacking group targets more than 130 companies after leaders’ arrest",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51644,
	"plain_text": "Fin7 hacking group targets more than 130 companies after leaders’\r\narrest\r\nBy Kaspersky\r\nPublished: 2019-05-08 · Archived: 2026-04-05 18:47:24 UTC\r\nFollowing the arrest in 2018 of a number of suspected leaders of the notorious Fin7/Carbanak cyber-gang,\r\nthe group was believed to have disbanded. But Kaspersky Lab researchers have detected a number of new\r\nattacks by the same groups using GRIFFON malware.\r\nAccording to the company’s experts, Fin7 might have extended the number of groups operating under its\r\numbrella; increased the sophistication of its methods; and even positioned itself as a legitimate security\r\nvendor to recruit professional employees and dupe them into helping it steal financial assets.\r\nFin7 is believed to be behind attacks targeting the U.S. retail, restaurant, and hospitality sectors since mid-2015,\r\nworking in close collaboration and sharing tools and methods with the infamous Carbanak group. While Carbanak\r\nfocused primarily on banks, Fin7 targeted mostly businesses, potentially making off with millions of dollars in\r\nfinancial assets, such as payment card credentials or account information on the computers of financial\r\ndepartments. Once the threat actors got what they needed, they wired money to offshore accounts.\r\nAccording to Kaspersky Lab’s new investigation, the group has continued its activity - despite the arrest last year\r\nof alleged group leaders - implementing sophisticated spear-phishing campaigns throughout 2018 and distributing\r\nmalware to each target through specially tailored emails. In different cases, the operators exchanged messages\r\nwith their intended victims over a period of weeks before finally sending the malicious documents as attachments.\r\nKaspersky Lab estimates that by the end of 2018, more than 130 companies might have been targeted in this way.\r\n \r\nThe researchers also discovered other criminal teams operating under the Fin7 umbrella. 
The use of shared\r\ninfrastructure and the same tactics, techniques and procedures (TTPs) shows that Fin7 is likely to be collaborating\r\nwith the AveMaria botnet and groups known as CobaltGoblin/EmpireMonkey, believed to be behind bank\r\nrobberies in Europe and Central America.\r\nKaspersky Lab also found that Fin7 has created a fake company that claims to be a legitimate cybersecurity\r\nvendor with offices across Russia. The company website is registered to the server that Fin7 uses as a Command\r\nand Control center (C\u0026C). The fake business has been used to recruit unsuspecting freelance vulnerability\r\nresearchers, program developers and interpreters through legitimate online job sites. It seems that some of the\r\nindividuals working in these fake companies did not suspect that they were involved in a cybercrime business,\r\nwith many including the experience of working in the organizations in their CVs.\r\n“Modern cyberthreats can be compared to the mythical creature Hydra of Lerna – you cut off one of its heads and\r\nit grows two new ones. 
Therefore, the best way to protect yourself from such actors is to implement advanced,\r\nmulti-layered protection: install all software patches as soon as they are released and do regular security analysis\r\nacross all networks, systems and devices,” said Yury Namestnikov, security researcher at Kaspersky Lab.\r\nTo reduce the risk of infection, users are advised to:\r\nUse security solutions with dedicated functionality aimed at detecting and blocking phishing attempts.\r\nBusinesses can protect their on-premise email systems with targeted applications inside the Kaspersky\r\nEndpoint Security for Business. Kaspersky Security for Microsoft Office 365 helps to protect the cloud-based mail service Exchange Online inside the Microsoft Office 365 suite.\r\nIntroduce security awareness training and teach practical skills. Programs such as Kaspersky Automated\r\nSecurity Awareness Platform will help to reinforce skills and conduct simulated phishing attacks.\r\nProvide your security team with access to up-to-date threat intelligence data, to keep pace with the latest\r\ntactics and tools used by cybercriminals.\r\nRead the full version of the report on Securelist.com.\r\nSource: https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest"
	],
	"report_names": [
		"2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "56daf304-dd2c-4fa1-a01f-8c0a7e5e5c30",
			"created_at": "2022-10-25T16:07:23.586985Z",
			"updated_at": "2026-04-10T02:00:04.676803Z",
			"deleted_at": null,
			"main_name": "EmpireMonkey",
			"aliases": [
				"Anthropoid Spider",
				"CobaltGoblin",
				"EmpireMonkey"
			],
			"source_name": "ETDA:EmpireMonkey",
			"tools": [
				"AKO Doxware",
				"AKO Ransomware",
				"MedusaLocker",
				"MedusaReborn"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "186f3cc2-500c-4233-b688-8b6d6e08e2a3",
			"created_at": "2023-01-06T13:46:39.098169Z",
			"updated_at": "2026-04-10T02:00:03.212492Z",
			"deleted_at": null,
			"main_name": "ANTHROPOID SPIDER",
			"aliases": [
				"Empire Monkey",
				"CobaltGoblin"
			],
			"source_name": "MISPGALAXY:ANTHROPOID SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434909,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d87ad4f477186057c7943cc45ad163cfd45f6ba2.pdf",
		"text": "https://archive.orkl.eu/d87ad4f477186057c7943cc45ad163cfd45f6ba2.txt",
		"img": "https://archive.orkl.eu/d87ad4f477186057c7943cc45ad163cfd45f6ba2.jpg"
	}
}