FIN11
FIN11 is a long-running, financially motivated cybercrime group associated in the source reporting with ransomware deployment, data theft, and extortion. It is repeatedly linked to the Cl0p/CLOP ransomware and extortion brand, and multiple sources describe FIN11 as believed to be part of the broader TA505 umbrella. The reporting connects FIN11 to both Russia and Ukraine, while other reporting places Cl0p within a Russian-language cybercriminal ecosystem. Microsoft maps FIN11 to Lace Tempest / DEV-0950.

FIN11 has monetized its operations through point-of-sale malware, Clop ransomware, and traditional extortion, and has run long-running ransomware distribution campaigns across multiple industries. The group is associated with mass exploitation and extortion activity involving managed file transfer and enterprise application products: FIN11 or suspected FIN11 clusters are linked to exploitation and extortion involving Accellion FTA, GoAnywhere MFT, MOVEit Transfer, Cleo software, and Oracle E-Business Suite. Mandiant states that a suspected FIN11 cluster used the CL0P leak site and the Java-based GOLDVEIN.JAVA downloader in Oracle E-Business Suite exploitation activity in 2025. GTIG also reports strong links between a high-volume Oracle E-Business Suite extortion campaign and FIN11, including the use of hundreds of compromised email accounts, at least one of which was directly tied to prior FIN11 activity.

The reporting ties FIN11 closely to Cl0p operations, including use of the CL0P data leak site, Cl0p ransomware deployment, and extortion campaigns that may prioritize data theft over encryption. Mandiant merged UNC4857 into FIN11 based on overlaps in targeting, infrastructure, certificates, and data leak site activity related to MOVEit exploitation.

The reporting also notes that FIN11 appears to comprise multiple activity clusters, and several reports attribute specific campaigns to an unknown or suspected FIN11 cluster rather than to the actor set as a whole. Tradecraft described includes ransomware distribution, mass exploitation of internet-facing applications, use of compromised accounts for extortion email campaigns, data exfiltration, and use of malware and web shells. For MOVEit exploitation, Mandiant attributed deployment of the LEMURLOOT web shell to activity later merged into FIN11. For Oracle E-Business Suite activity, the reporting links FIN11 to GOLDVEIN.JAVA and use of the CL0P leak site.

FIN11 is also associated with process kill lists deployed alongside Clop ransomware; Mandiant attributed one Clop-associated kill list to FIN11 and noted that some of the listed processes were OT-related. Mandiant further reports that it emulated FIN11 in a red team engagement against a Europe-based engineering organization and demonstrated movement from a corporate endpoint with regular employee credentials to domain administrator privileges, theft of critical data, and access to OT servers. Mandiant says FIN11 has shown no indication of specialized OT expertise, but its use of kill lists containing OT-related processes raises concern about potential impact on OT environments. The reporting explicitly notes there is no evidence that FIN11's OT-related kill list caused significant impacts in victim OT environments.

Known aliases and related names mentioned directly in the reporting include Cl0p/CLOP, TA505, Lace Tempest, DEV-0950, and UNC4857 (merged into FIN11).
Tradecraft
33 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
17 malware families attributed to this actor across reporting.
12 additional families tracked in Mallory.
Associated vulnerabilities
13 CVEs this actor has used in observed campaigns. 13 of them exploited in the wild.
Cl0p (and the associated FIN11 cluster) continued its tactic of mass supply chain exploitation. According to Cognyte, Cl0p ran a campaign exploiting the critical zero-day CVE-2025-61882 ... in Oracle E-Business Suite (the BI Publisher Integration component, versions 12.2.3-12.2.14). According to NVD, CVSS 9.8 (Critical) ... exploitation requires no authentication and leads to full compromise. The vulnerability was added to CISA KEV on 2025-10-06. Around 30 organizations were published on Cl0p's DLS, with hundreds of gigabytes exfiltrated from Oracle EBS.
On May 31st, Progress Software issued an advisory and patch for a vulnerability subsequently identified as CVE-2023-34362 and assigned a severity rating of 9.8 out of 10. The company stated the vulnerability “could lead to escalated privileges and potential unauthorized access to the environment.” In other words, it was a vulnerability which could enable hackers to access MOVEit and steal data – something which it later emerged had been happening since at least May 27th.
“It’s still not clear which Oracle EBS zero-days have been exploited in the campaign claimed by Cl0p, but the main candidates are CVE-2025-61884 and CVE-2025-618842.”
Similarly, in early 2023, threat actors exploited GoAnywhere Managed File Transfer (MFT) vulnerability CVE-2023-0669.
The Clop ransomware gang, also tracked as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and ultimately encrypt its devices. The Serv-U Managed File Transfer and Serv-U Secure FTP remote code execution vulnerability, tracked as CVE-2021-35211, allows a remote threat actor to execute commands on a vulnerable server with elevated privileges.
8 more CVEs tied to this actor tracked in Mallory.
Observables
11 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Activity cluster associated in the content with Cl0p's supply-chain-oriented extortion operations.
Suspected FIN11 activity exploiting Oracle E-Business Suite, using the CL0P leak site and GOLDVEIN.JAVA in extortion-focused operations.
Referenced as a financially motivated threat actor associated with increased use of zero-day exploits in ransomware operations during 2025.
Referenced via Mandiant reporting related to email campaigns that act as a precursor for ransomware and data theft.