GRIFFON
GRIFFON is a JavaScript backdoor/custom malware family associated with FIN7, also known as Carbanak and tracked by Microsoft as ELBRUS. The content states ELBRUS/FIN7 developed and distributed Griffon and used it alongside other tooling including JSSLoader, Carbanak, DICELOADER, TIRION, Metasploit, Cobalt Strike, and PowerShell scripts. GRIFFON has been described as targeting restaurant chains, and FIN7 activity involving the malware has targeted U.S.-based retail, restaurant, hospitality, hotel, transportation, insurance, defense, and related sectors in reported campaigns.
The malware is written in and executed as JavaScript. Reported delivery and execution chains include JSSLoader loading a Griffon payload, and FIN7 mailed malicious USB devices that enumerated as HID keyboards and launched cmd.exe/PowerShell to download a remotely hosted script that launched the GRIFFON backdoor. Another described chain involved a PowerShell command crafted to download a remotely hosted PowerShell script designed to launch an instance of the GRIFFON backdoor. GRIFFON has also used PowerShell to execute the Meterpreter downloader TinyMet.
Capabilities directly mentioned in the content include persistence via scheduled tasks (schtasks), reconnaissance modules that retrieve Windows domain membership information and the system date/time, and a screenshot module that captures the remote system screen. The content also notes that after installation in one FIN7 USB campaign, the JavaScript payload generated a unique host identifier, registered to command-and-control infrastructure, retrieved additional obfuscated JavaScript from C2, performed host reconnaissance including privilege, domain, timezone, language, OS/hardware, running processes, and software presence, and then periodically checked in for commands. High-confidence associations in the content link GRIFFON to FIN7/Carbanak/ELBRUS and to historical FIN7 campaigns using physical USB lures and JSSLoader-based delivery.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
ELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
During our analysis of JSSLoader, it additionally loaded a Griffon payload which is historically associated with another actor, TA3546, also known as FIN7 or Carbanak.
During our analysis of JSSLoader, it additionally loaded a Griffon payload which is historically associated with another actor, TA3546, also known as FIN7 or Carbanak.
During our analysis of JSSLoader, it additionally loaded a Griffon payload which is historically associated with another actor, TA3546, also known as FIN7 or Carbanak.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Initial Access
Execution
4 techniques
Execution
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
Persistence
3 techniques
Persistence
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
3 techniques
Privilege Escalation
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Discovery
4 techniques
Discovery
Multiple tools/actors are described using Active Directory/domain group enumeration, e.g., “AdFind can enumerate domain groups”, “net group "domain admins" /domain to enumerate domain groups”, “BloodHound can collect information about domain groups and members”, and “AD Explorer tool to enumerate groups on a victim's network.”
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Multiple malware and threat groups are described as collecting/deriving local system time, date, timestamp, tick count, or time zone (e.g., "used time /t and net time \ip/hostname for system time discovery"; "collects the timestamp from the victim’s machine"; "can collect the time zone information from the system").
Examples include: “Gootloader can determine if a targeted system is part of an Active Directory domain by expanding the %USERDNSDOMAIN% environment variable”, “GRIFFON…retrieve Windows domain membership information”, “Inception…gather domain membership”, and “REvil can identify the domain membership of a compromised host.”
Collection
1 technique
Collection
"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
Recent activity
19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Backdoor/RAT referenced as part of FIN7’s toolset used after initial access to maintain control of compromised environments.
Custom backdoor/persistence malware used by ELBRUS/FIN7 in intrusions that can culminate in ransomware/extortion operations.
Custom malware family used by ELBRUS for persistence and intrusion support in financially motivated campaigns.
Backdoor cited as part of FIN7’s toolkit used to maintain access and facilitate follow-on activity including ransomware deployment.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.