FIN7

FIN7 is a financially motivated cybercriminal threat group active since at least 2012/2013. It is also referred to in the provided content as Carbon Spider, ELBRUS, G0046, Gold Niagara, ITG14, Sangria Tempest, and Carbanak; GrayAlpha is described as an overlapping cluster sharing infrastructure, tooling, and tradecraft with FIN7. The group is described as Russia-linked or purportedly based in Russia in the cited reporting. The content states that FIN7 has targeted organizations across hospitality, retail, finance, energy, high-tech, and banking, and has also been observed targeting U.S.-based chain restaurants and other sectors. Earlier activity focused on payment-card theft and point-of-sale intrusions, including use of Carbanak and customized malware, with U.S. DOJ reporting cited in the content describing operations across 47 U.S. states and multiple countries. Since 2020, the group is described as having shifted toward ransomware operations, affiliating with REvil and Conti and conducting operations under Darkside and later BlackMatter. The provided material attributes a broad toolset and malware ecosystem to FIN7. This includes Carbanak, DiceLoader/Lizar/IceBot, POWERTRASH, Bateleur, NetSupport RAT, RPivot-linked Python tooling in activity assessed with medium confidence, and AvNeutralizer/AuKill. SentinelOne reporting in the content says FIN7 advertised and sold AvNeutralizer on underground forums using personas including goodsoft, lefroggy, killerAV, and Stupor, customizing the tool to disable or bypass endpoint security products for buyers. The content also states FIN7 staged trojanized legitimate software containing an Atera agent installer on Amazon S3, used NetSupport RAT in malicious campaigns, and that GrayAlpha-linked activity used custom loaders PowerNet and MaskBat to deliver NetSupport RAT via fake browser updates, fake 7-Zip sites, and TAG-124. Tactics and techniques directly mentioned in the content include use of batch scripts and command interpreters, PowerShell including Invoke-WebRequest and ExecutionPolicy Bypass, scheduled tasks, creation of new Windows services and startup persistence, use of PsExec across banking networks, credential theft and LSASS dumping via ProcDump, user/session discovery with cmd.exe /C quser, phishing attachments that trick users into executing hidden LNK files, and staging payloads on cloud infrastructure. Proofpoint reporting in the content says FIN7 used macro-enabled Word documents and scheduled tasks to deploy the Bateleur JScript backdoor, which supports host reconnaissance, process listing, command and PowerShell execution, EXE and DLL loading, screenshot capture, self-update, uninstall, and password theft via an additional module. The content also states FIN7 created a custom video-recording capability to monitor victim operations. The content further describes FIN7 as using social engineering and remote access software in more recent intrusion patterns. Sophos reporting cited in the content links STAC5143 with medium confidence to FIN7/Sangria Tempest/Carbon Spider based on matching obfuscation methods and prior FIN7 use of RPivot; that cluster used email bombing, fake IT support contact over Microsoft Teams, Teams remote screen control, Java and Python payloads, ProtonVPN sideloading, and reconnaissance commands such as whoami.exe, net user /domain, nltest.exe, ping.exe, and ipconfig.exe. The content also notes sham company fronts associated with FIN7, including Combi Security and Bastion Secure.