FIN6: From POS Skimming to Ransomware and Enterprise Infiltration
- Suspected Origin
- Eastern Europe
- Motivation
- Financial Gain, Extortion
- Aliases
- Magecart Group 6, ITG08, Skeleton Spider, TAAL, Camouflage Tempest
- Target Sectors
- Hospitality, Retail, E-commerce, Financial Services, Healthcare, Manufacturing, Energy, Chemical, Engineering, Human Resources
- Associated Malware
- Trinity, FrameworkPOS, More_eggs, Ryuk, LockerGoga, Stealer One, Anchor, TrickBot, Cobalt Strike, Metasploit, Mimikatz, AdFind, AbaddonPOS, BlackPOS, Grateful POS, JSPSPY, SCRAPMINT, TerraStealer, FlawedAmmyy, Meterpreter, HARDTACK, SHIPBREAD
Overview
FIN6, also tracked as Magecart Group 6, Skeleton Spider, ITG08, TAAL, and Camouflage Tempest, is a highly adaptive and financially motivated cybercrime group active since at least 2015. Initially, their focus was squarely on compromising Point-of-Sale (PoS) systems within the hospitality and retail sectors to steal payment card data, which they then monetized on underground card shops. Over time, this group has significantly diversified its operations, expanding into e-commerce web skimming, and notably, ransomware deployment, often through partnerships with other prominent cybercriminal entities.
While a definitive state sponsor has not been confirmed, FIN6 is widely believed to originate from Eastern Europe and has documented links to Russian cybercriminal organizations. Their primary objective remains financial gain, but their methods have evolved from direct payment card theft to leveraging initial access for more lucrative ransomware attacks and broader enterprise infiltration. This evolution showcases a pragmatic and opportunistic approach to cybercrime, consistently seeking the most profitable avenues for exploitation. Their targeting has expanded beyond their original retail and hospitality scope to include financial services, healthcare, engineering, manufacturing, and even human resources.
Tactics & Techniques
FIN6 employs a broad array of tactics, techniques, and procedures (TTPs) that demonstrate a blend of custom tools, commodity malware, and living-off-the-land (LotL) binaries. Initial access frequently relies on spear-phishing campaigns, which have varied from malicious attachments and documents to more sophisticated lures involving fake job advertisements. Recently, they’ve been observed posing as job seekers on professional platforms like LinkedIn and Indeed, establishing rapport with recruiters, then sending phishing messages with non-clickable URLs to AWS-hosted fake resume sites to deliver malware.
Once inside a network, FIN6 exhibits significant proficiency in internal reconnaissance, often utilizing publicly available tools like osql.exe, Query Express, AdFind, and ProcDump to map networks and enumerate Active Directory, SQL servers, and user accounts. For privilege escalation and credential access, they routinely deploy tools such as Mimikatz, Windows Credential Editor, and Stealer One, or extract password hashes from ntds.dit. Lateral movement is typically achieved using stolen credentials via Remote Desktop Protocol (RDP), PowerShell, and the PsExec utility, sometimes disguised by renaming its service. They leverage C2 frameworks like Cobalt Strike and Metasploit extensively throughout these phases for command and control, and to execute encoded PowerShell commands or create Windows services for persistence. Defense evasion techniques include using in-memory PowerShell scripts, disabling security tools with scripts like kill.bat, and implementing environmental fingerprinting on their landing pages to block VPNs or non-Windows connections. For data exfiltration, FIN6 compresses and encodes collected data before sending it to remote servers, often via HTTP POSTs, FTP, or cloud services like Google Storage and Pastebin.
Notable Campaigns
FIN6’s operational history can be broadly categorized into several distinct, yet evolving, phases. Their initial campaigns from 2015 to roughly 2018 were characterized by widespread attacks on Point-of-Sale (PoS) systems in retail and hospitality sectors, aiming to steal credit card data using malware such as Trinity (also known as FrameworkPOS). These operations garnered them millions of payment card numbers, which were subsequently sold on “card shop” marketplaces.
Around 2018, the group diversified into targeting e-commerce platforms, injecting malicious JavaScript skimmers (a technique often associated with Magecart groups) into online checkout pages to steal card-not-present (CNP) data. This shift indicated their adaptability in monetizing access even when direct PoS malware deployment was not feasible.
A significant pivot occurred starting in July 2018, when FIN6 expanded its monetization strategy to include ransomware. They began deploying Ryuk and LockerGoga ransomware, signaling a move towards more destructive and financially impactful attacks beyond just data theft. During this period, FireEye noted that the frequency of traditional PoS intrusions declined, suggesting a potential shift in the group’s overall focus. FIN6 has also been observed collaborating with other prominent cybercrime groups, notably the TrickBot gang, to utilize the Anchor malware framework for intrusions in 2020. This partnership underscores their willingness to leverage established malware-as-a-service offerings and access brokers to achieve their objectives.
More recently, in June 2025, FIN6 was observed employing highly sophisticated social engineering tactics, impersonating job seekers on platforms like LinkedIn and Indeed to target recruiters and HR departments. These campaigns utilized convincing fake resumes hosted on trusted cloud infrastructure (AWS) to deliver the More_eggs malware, demonstrating their continued evolution in initial access methods and target scope.
Associated Malware & Tools
FIN6’s toolkit is extensive, featuring both custom-developed malware and a wide array of publicly available or commercial penetration testing tools. Early in their operations, they relied on PoS malware like Trinity (FrameworkPOS) to directly harvest payment card data.
As their operations evolved, they adopted the More_eggs JScript backdoor, also known as Terra Loader or SpicyOmelette, which is available as a malware-as-a-service offering from the Golden Chickens (Venom Spider) cybercrime group. More_eggs serves as a versatile first-stage payload for credential theft, system access, and the deployment of additional payloads, including ransomware. Another credential stealer, Stealer One, has also been observed in their operations, targeting email clients, web browsers, and FTP utilities.
In their ransomware campaigns, FIN6 has been strongly linked to the deployment of Ryuk and LockerGoga ransomware. While the relationship between FIN6 and other ransomware groups can be complex, evidence suggests FIN6 or affiliated parties have been involved in such incidents, sometimes acting as an initial access broker for these ransomware families. They’ve also been associated with the Anchor malware framework, distributed via the TrickBot Trojan, indicating collaboration with other criminal entities.
Beyond bespoke malware, FIN6 extensively uses legitimate administrative and penetration testing tools to blend into network activity. These include Cobalt Strike and Metasploit for post-exploitation, Mimikatz and Windows Credential Editor for credential dumping, and AdFind for Active Directory reconnaissance. They also leverage built-in Windows utilities like osql.exe, PowerShell, Windows Management Instrumentation (WMI), and Remote Desktop Protocol (RDP) for various stages of their attacks, from reconnaissance to lateral movement and persistence. Custom downloaders like HARDTACK and SHIPBREAD have also been noted.
Current Status
FIN6 remains an active and evolving threat actor group. Recent reporting, as late as June 2025, confirms their continued operations and adaptation of new tactics. Their latest observed activity involves sophisticated social engineering campaigns targeting human resources and recruiters through professional networking platforms like LinkedIn and Indeed. By impersonating job seekers and leveraging trusted cloud infrastructure to host malicious “resume” sites, they aim to deliver the More_eggs backdoor, demonstrating a persistent effort to gain initial access to corporate environments.
This shift illustrates FIN6’s ongoing commitment to financially motivated cybercrime and their readiness to adapt their methodologies to overcome defenses and exploit new attack vectors. The group has consistently shown an ability to evolve its tooling, techniques, and partnerships, moving from direct payment card theft via PoS and e-commerce skimming to lucrative ransomware deployment and, now, innovative social engineering tactics for enterprise infiltration. Their continued activity and tactical flexibility mean that organizations, particularly those in retail, hospitality, finance, healthcare, and any sector with active recruitment, should remain vigilant against FIN6’s diverse and sophisticated attack methodologies.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call