Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
Financially Motivated35 malware familiesExploits CVEs in the wild

FIN6

Also known asCamouflage TempestFIN6gold_franklingolden_chickensITG08Magecart Group 6SKELETON SPIDERStorm-0538ta4557TAALVENOM SPIDER

Golden Chickens is a malware-as-a-service (MaaS) provider. The content states it is known to have been used by groups such as FIN6 and Cobalt Group. Reported Golden Chickens tools include More_eggs, TerraPreter, TerraStealer, and TerraTV. The content also links the malware suite to TA4557 activity and notes historical overlap between TA4557 and reporting on FIN6, while the same malware suite has also been observed with Cobalt Group and Evilnum. Since at least October 2023, TA4557 has targeted recruiters with benign initial emails that, after reply, lead to fake resume sites, CAPTCHA-gated ZIP downloads, an LNK-based living-off-the-land execution chain abusing ie4uinit.exe, scriptlet and DLL stages, WMI and MSXSL execution, anti-sandbox and anti-debugging checks, RC4 key retrieval, and ultimately delivery of the More_Eggs backdoor. More_Eggs is described as capable of establishing persistence, profiling the machine, and delivering additional payloads. Aliases present in the content include Camouflage Tempest, FIN6, Gold Franklin, ITG08, Magecart Group 6, Skeleton Spider, Storm-0538, TA4557, TAAL, and Venom Spider.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

55 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

15 of 15 tactics78 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1595
Active Scanning
TA0042
Resource Development
1 technique
T1588
Obtain Capabilities
T1588.002
Tool
TA0001
Initial Access
2 techniques
T1190×2
Exploit Public-Facing Application
T1566
Phishing
T1566.001×2
Spearphishing Attachment
T1566.002×2
Spearphishing Link
TA0002
Execution
4 techniques
T1047×2
Windows Management Instrumentation
T1053
Scheduled Task/Job
T1053.005×2
Scheduled Task
T1059×4
Command and Scripting Interpreter
T1059.001×6
PowerShell
T1059.003×3
Windows Command Shell
T1059.007×2
JavaScript
T1204
User Execution
T1204.002×5
Malicious File
TA0003
Persistence
2 techniques
T1053
Scheduled Task/Job
T1053.005×2
Scheduled Task
T1547
Boot or Logon Autostart Execution
T1547.001×5
Registry Run Keys / Startup Folder
T1547.009
Shortcut Modification
TA0004
Privilege Escalation
3 techniques
T1053
Scheduled Task/Job
T1053.005×2
Scheduled Task
T1068×8
Exploitation for Privilege Escalation
T1547
Boot or Logon Autostart Execution
T1547.001×5
Registry Run Keys / Startup Folder
T1547.009
Shortcut Modification
TA0005
Stealth
6 techniques
T1027
Obfuscated Files or Information
T1027.010
Command Obfuscation
T1027.013
Encrypted/Encoded File
T1027.014
Polymorphic Code
T1070
Indicator Removal
T1070.004×3
File Deletion
T1140
Deobfuscate/Decode Files or Information
T1218
System Binary Proxy Execution
T1218.010
Regsvr32
T1497
Virtualization/Sandbox Evasion
T1497.003
Time Based Checks
T1622
Debugger Evasion
TA0112
Defense Impairment
1 technique
T1553
Subvert Trust Controls
T1553.002
Code Signing
TA0006
Credential Access
4 techniques
T1003×2
OS Credential Dumping
T1003.003
NTDS
T1056
Input Capture
T1539
Steal Web Session Cookie
T1555×3
Credentials from Password Stores
T1555.003
Credentials from Web Browsers
TA0007
Discovery
8 techniques
T1012
Query Registry
T1016
System Network Configuration Discovery
T1016.001
Internet Connection Discovery
T1018×3
Remote System Discovery
T1046
Network Service Discovery
T1087
Account Discovery
T1087.002×2
Domain Account
T1497
Virtualization/Sandbox Evasion
T1497.003
Time Based Checks
T1518
Software Discovery
T1518.001
Security Software Discovery
T1622
Debugger Evasion
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.001
Remote Desktop Protocol
TA0009
Collection
6 techniques
T1005×3
Data from Local System
T1056
Input Capture
T1074
Data Staged
T1113
Screen Capture
T1119
Automated Collection
T1560
Archive Collected Data
TA0011
Command and Control
6 techniques
T1071
Application Layer Protocol
T1071.001×2
Web Protocols
T1090
Proxy
T1105×2
Ingress Tool Transfer
T1571
Non-Standard Port
T1572
Protocol Tunneling
T1573
Encrypted Channel
T1573.001
Symmetric Cryptography
TA0010
Exfiltration
1 technique
T1041
Exfiltration Over C2 Channel
TA0040
Impact
2 techniques
T1486×2
Data Encrypted for Impact
T1489
Service Stop
ARSENAL

Associated malware families

35 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
More_eggsThe DLL employs anti-sandbox and anti-analysis techniques. It incorporates a loop specifically designed to retrieve the RC4 key necessary for deciphering the More_Eggs backdoor... The DLL drops the More_Eggs backdoor along with the MSXSL executable... More_Eggs can be used to establish persistence, profile the machine, and drop additional payloads.10Jun 14, 2026
Stealer OneFIN6 has used the Stealer One credential stealer to target web browsers.6May 26, 2026
TerraLoaderVenom Spider, also known as GOLDEN CHICKENS, is a threat actor known for offering Malware-as-a-Service (MaaS) tools like VenomLNK, TerraLoader, TerraStealer, and TerraCryptor.6May 31, 2026
TerraLogger"Unlike its data-sucking counterpart TerraStealerV2, TerraLogger takes a simpler... approach by capturing keystrokes..."6Mar 18, 2026
TerraStealerV2"C. TerraStealerV2 Credential-harvesting malware targeting browsers, FTP clients, and email platforms."6Mar 18, 2026

30 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

6 CVEs this actor has used in observed campaigns. 6 of them exploited in the wild.

CVE-2010-4398Windows win32k.sys RtlQueryRegistryValues Stack Buffer Overflow Privilege EscalationIn the wildEvidence2

Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.

CVE-2011-2005Ancillary Function Driver Elevation of Privilege in afd.sysIn the wildEvidence2

FIN6 ... targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges.

CVE-2013-3660Win32k EPATHOBJ::pprFlattenRec local privilege escalationIn the wildEvidence2

FIN6 ... targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2026-31431Copy FailIn the wildEvidence1

The following analytic detects when su runs from a page-cache-corrupted binary... This activity is significant because it indicates a possible privilege escalation attempt, allowing a user to gain root access... CVE CVE-2026-31431 ... References ... copy-fail-CVE-2026-31431

1 more CVE tied to this actor tracked in Mallory.

IOCS

Observables

94 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

94 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
Jun 14, 2026
Detection: PTC Windchill Gateway Command Execution | Splunk Security Content

Listed as an associated threat actor in the detection annotation for exploitation of the public-facing PTC Windchill vulnerability CVE-2026-4681.

Read more
slideshareNews
May 21, 2026
Hunting for Credentials Dumping in Windows Environment | PDF

Uses Windows Credential Editor and Metasploit PsExec NTDSGRAB to dump credentials and obtain copies of Active Directory databases.

Read more
splunk researchNews
May 20, 2026
Detection: Cisco IOS XE Guestshell Activation and Destroy | Splunk Security Content

Listed in the detection annotations as a threat actor associated with this analytic context.

Read more
malpediaNews
May 14, 2026
Turla (Threat Actor)

Named threat actor referenced in global threat reporting.

Read more
+196 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping55

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal35

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs6

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables94

Domains, IPs, and hashes tied to this actor, refreshed continuously.