>samit_hota
Back to adversary profiles
G0046HighActive

FIN7: From Point-of-Sale Theft to Ransomware Kingpins

Samit Hota·
Suspected Origin
Eastern Europe
Motivation
Financial Gain, Extortion, Payment Card Theft
Aliases
GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, Sangria Tempest
Target Sectors
Retail, Restaurant, Hospitality, Financial Services, Automotive, Software, Consulting, Medical Equipment, Cloud Services, Media, Food and Beverage, Transportation, Pharmaceutical, Utilities, Insurance, Defense, Casinos, Education, Energy, Government, High-Tech, Telecommunications, Construction
Associated Malware
Carbanak, REvil, DarkSide, BlackMatter, Anunak, NetSupport RAT, POWERTRASH, DICELOADER, POWERPLANT, AvNeutralizer, Cobalt Strike, Meterpreter, Lizar, SQLRat, Griffon, HalfBaked, JSSLoader, Minodo, QakBot, Black Basta, Maze, Ryuk, ALPHV, Cl0p, BadRabbit, Boostwrite, CROWVIEW, FOWLGAZE, LOADOUT, POWERSOURCE, RDFSNIFFER, Sardonic, Spy.Sekur, Tinymet, Astra, STONEBOAT, TERMITE, BEACON, BUGHATCH, Project Nemesis
#threat-actor#g0046

Overview

FIN7 (MITRE ATT&CK ID: G0046), also known by aliases such as GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, and Sangria Tempest, is a highly sophisticated and resilient cybercrime group with a singular focus on financial gain. Active since at least 2013, the group has consistently demonstrated an ability to adapt its tactics and business model to maximize profits and evade detection. Widely believed to originate from Eastern Europe, particularly Ukraine and Russia, FIN7 operates without direct state sponsorship, making them a purely financially motivated threat. Their organizational structure often mimics that of a legitimate business, complete with developers, administrators, and recruiters, and even performance-based incentives for members.

Initially, FIN7 made its name through extensive point-of-sale (POS) system compromises, primarily targeting retail, restaurant, and hospitality sectors across the United States. These operations involved stealing millions of payment card records, which were then monetized on underground marketplaces. However, since approximately 2020, FIN7 has significantly evolved, shifting its operational focus towards “big game hunting” (BGH) ransomware attacks against larger, higher-value organizations. This pivot has seen them leverage prominent ransomware strains like REvil, and even develop their own Ransomware-as-a-Service (RaaS) operations, including DarkSide and later BlackMatter. Despite law enforcement efforts, including the arrest and indictment of key members in 2018, FIN7 has consistently regrouped and continues its illicit activities, proving its deep operational capacity and decentralized nature.

Tactics & Techniques

FIN7’s attacks are characterized by their multi-stage approach, combining sophisticated social engineering with custom and commercial tools. Initial access is frequently gained through highly tailored spear-phishing campaigns, often using malicious documents or RTF files disguised as legitimate business correspondence. These lures can include typosquatted links, fake IP scanning tools, or even malicious Microsoft Office documents. More recently, FIN7 has also employed “BadUSB” attacks, physically mailing USB drives disguised as gift cards or containing COVID-19 information to unsuspecting employees in IT, executive management, and HR departments. These drives, when plugged in, emulate a keyboard to execute commands and download malware. Other initial access vectors include exploiting public-facing applications via automated SQL injection attacks or ProxyShell vulnerabilities, leveraging software supply chain compromises, and using stolen Remote Desktop Protocol (RDP) credentials.

Once initial access is established, FIN7 employs a variety of techniques for execution and persistence. They are adept at using living-off-the-land binaries, scripts, and libraries (LOLBAS), particularly PowerShell, VBS, and JavaScript for executing payloads and scripts. Persistence is achieved through methods such as creating scheduled tasks, establishing new Windows services, modifying Registry Run/RunOnce keys, or exploiting application shim databases. For defense evasion, FIN7 is known for obfuscating its malware code and has developed custom EDR bypass tools, such as AvNeutralizer (also known as AuKill), which they have also marketed in underground forums.

Lateral movement typically involves RDP, SSH, and abusing Windows admin shares, often facilitated by harvested administrative or compromised credentials. They also conduct extensive discovery, enumerating domain groups and gathering information on network shares. Command and Control (C2) can utilize DNS TXT records, legitimate cloud services like Google Docs, Google Scripts, and Pastebin, or their own sophisticated control panels. FIN7 has even created custom video recording capabilities to monitor victim environments. Finally, for exfiltration, they collect sensitive data like payment card information, financial records, and login credentials, sometimes staging it in Amazon S3 buckets before removal.

Notable Campaigns

FIN7’s history is marked by several high-profile campaigns that underscore their adaptiveness and impact. Between 2017 and 2018, they executed widespread breaches targeting major restaurant and retail chains, including Chipotle, Chili’s, Arby’s, Jason’s Deli, Red Robin, Omni Hotels, Saks Fifth Avenue, and Lord & Taylor. These attacks resulted in the theft of over 15 million customer card records from thousands of POS terminals across 47 U.S. states and internationally.

A significant shift occurred around 2020 when FIN7 pivoted towards “big game hunting” ransomware operations. This new focus involved deploying various ransomware strains, including REvil, Maze, Ryuk, and ALPHV (BlackCat), in addition to developing their own RaaS offerings like DarkSide and BlackMatter. To support these complex operations and recruit unwitting talent, FIN7 notably operated under the guise of legitimate cybersecurity firms such as “Combi Security” and later “Bastion Secure.” These front companies were used to recruit penetration testers and IT specialists who were then unknowingly tasked with supporting FIN7’s criminal endeavors.

Recent campaigns demonstrate their continued evolution. In late 2023 and April 2024, FIN7 targeted a large automotive manufacturer in the United States using spear-phishing emails that lured IT employees with a fake IP scanning utility to deploy the Anunak backdoor and POWERTRASH. Concurrently in April 2024, they were observed using malicious websites impersonating well-known brands, promoted via sponsored Google Ads, to deliver NetSupport RAT through MSIX app installers. These examples highlight FIN7’s continuous adaptation and sophisticated approach to targeting diverse sectors for financial gain.

Associated Malware & Tools

FIN7 possesses a diverse and constantly updated arsenal of malware and legitimate tools, allowing them to execute highly adaptable attacks. Historically, they have heavily relied on adapted versions of the Carbanak malware, often considered a foundational tool for the group, though it’s also used by other threat actors.

As their operations evolved, so did their toolkit. For initial access and persistence, they frequently utilize custom backdoors and loaders such as Anunak, NetSupport RAT, POWERTRASH, DICELOADER (also known as Lizar or IceBot), BIOLOAD, BIRDWATCH (with variants like CROWVIEW and FOWLGAZE), Boostwrite, Griffon, HALFBAKED, JSSLoader, POWERPLANT, POWERSOURCE, RDFSNIFFER, Sardonic, SQLRat, Spy.Sekur, and Tinymet. Since 2021, POWERPLANT, a multifunction backdoor, has notably become a primary first-stage malware in their intrusions.

For command and control and lateral movement, FIN7 frequently integrates legitimate remote access and penetration testing tools like Cobalt Strike (especially the Beacon payload), Atera, and TightVNC. They have also been observed using Mimikatz for credential harvesting and Core Impact for exploitation.

The shift to ransomware operations brought new tools into their arsenal. Beyond leveraging established strains like REvil, Maze, Ryuk, ALPHV (BlackCat), and Cl0p, FIN7 developed and operated their own Ransomware-as-a-Service (RaaS) platforms, most notably DarkSide and its successor, BlackMatter. They’ve also been linked to BadRabbit ransomware.

A more recent and significant addition is AvNeutralizer (also tracked as AuKill), a highly specialized tool designed to disrupt Endpoint Detection and Response (EDR) solutions. This tool demonstrates FIN7’s commitment to developing custom capabilities to bypass modern security defenses and has even been sold on underground forums, making it accessible to other groups like Black Basta. Other recent additions include Dave Loader delivering the Minodo backdoor and the Project Nemesis information stealer, observed in conjunction with former Conti members.

Current Status

FIN7 remains an exceptionally active and formidable threat actor, continually defying law enforcement efforts and adapting its operations. Despite the high-profile arrests of several key members in 2018, the group demonstrated remarkable resilience, continuing to operate and recruit new members.

Their strategic shift to “big game hunting” ransomware has solidified their position as a significant threat to large enterprises across a broad range of industries, far beyond their initial focus on retail and hospitality. Recent reporting, including insights from late 2023 and April 2024, confirms FIN7’s ongoing activity, showcasing campaigns targeting the automotive industry and utilizing novel initial access techniques like MSIX app installers. Furthermore, their continuous development of custom EDR bypass tools like AvNeutralizer underscores their persistent efforts to circumvent security controls.

Security vendors continue to track and report on FIN7’s evolving tactics, with attack emulation tools and threat hunting guides being updated as late as February 2025, reflecting the group’s sustained relevance and active threat posture. FIN7’s ability to maintain a sophisticated organizational structure, adapt its attack vectors, and continuously refine its malware and tooling ensures that it will remain a critical concern for security professionals globally.```json { “TITLE”: “FIN7: From Point-of-Sale Theft to Ransomware Kingpins”, “DESCRIPTION”: “A deep dive into FIN7, a financially motivated cybercrime group known for evolving from POS attacks to sophisticated ransomware operations.”, “THREAT_LEVEL”: “High”, “STATUS”: “Active”, “ORIGIN”: “Eastern Europe”, “MOTIVATION”: “Financial Gain, Extortion, Payment Card Theft”, “SECTORS”: “Retail, Restaurant, Hospitality, Financial Services, Automotive, Software, Consulting, Medical Equipment, Cloud Services, Media, Food and Beverage, Transportation, Pharmaceutical, Utilities, Insurance, Defense, Casinos, Education, Energy, Government, High-Tech, Telecommunications, Construction”, “MALWARE”: “Carbanak, REvil, DarkSide, BlackMatter, Anunak, NetSupport RAT, POWERTRASH, DICELOADER, POWERPLANT, AvNeutralizer, Cobalt Strike, Meterpreter, Lizar, SQLRat, Griffon, HalfBaked, JSSLoader, Minodo, QakBot, Black Basta, Maze, Ryuk, ALPHV, Cl0p, BadRabbit, Boostwrite, CROWVIEW, FOWLGAZE, LOADOUT, POWERSOURCE, RDFSNIFFER, Sardonic, Spy.Sekur, Tinymet, Astra, STONEBOAT, TERMITE, BEACON, BUGHATCH, Project Nemesis”, “BODY”: “## Overview\n\nFIN7 (MITRE ATT&CK ID: G0046), also known by aliases such as GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, and Sangria Tempest, is a highly sophisticated and resilient cybercrime group with a singular focus on financial gain. Active since at least 2013, the group has consistently demonstrated an ability to adapt its tactics and business model to maximize profits and evade detection. Widely believed to originate from Eastern Europe, particularly Ukraine and Russia, FIN7 operates without direct state sponsorship, making them a purely financially motivated threat. Their organizational structure often mimics that of a legitimate business, complete with developers, administrators, and recruiters, and even performance-based incentives for members.\n\nInitially, FIN7 made its name through extensive point-of-sale (POS) system compromises, primarily targeting retail, restaurant, and hospitality sectors across the United States. These operations involved stealing millions of payment card records, which were then monetized on underground marketplaces. However, since approximately 2020, FIN7 has significantly evolved, shifting its operational focus towards "big game hunting" (BGH) ransomware attacks against larger, higher-value organizations. This pivot has seen them leverage prominent ransomware strains like REvil, and even develop their own Ransomware-as-a-Service (RaaS) operations, including DarkSide and later BlackMatter. Despite law enforcement efforts, including the arrest and indictment of key members in 2018, FIN7 has consistently regrouped and continues its illicit activities, proving its deep operational capacity and decentralized nature.\n\n## Tactics & Techniques\n\nFIN7’s attacks are characterized by their multi-stage approach, combining sophisticated social engineering with custom and commercial tools. Initial access is frequently gained through highly tailored spear-phishing campaigns, often using malicious documents or RTF files disguised as legitimate business correspondence. These lures can include typosquatted links, fake IP scanning tools, or even malicious Microsoft Office documents. More recently, FIN7 has also employed "BadUSB" attacks, physically mailing USB drives disguised as gift cards or containing COVID-19 information to unsuspecting employees in IT, executive management, and HR departments. These drives, when plugged in, emulate a keyboard to execute commands and download malware. Other initial access vectors include exploiting public-facing applications via automated SQL injection attacks or ProxyShell vulnerabilities, leveraging software supply chain compromises, and using stolen Remote Desktop Protocol (RDP) credentials.\n\nOnce initial access is established, FIN7 employs a variety of techniques for execution and persistence. They are adept at using living-off-the-land binaries, scripts, and libraries (LOLBAS), particularly PowerShell, VBS, and JavaScript for executing payloads and scripts. Persistence is achieved through methods such as creating scheduled tasks, establishing new Windows services, modifying Registry Run/RunOnce keys, or exploiting application shim databases. For defense evasion, FIN7 is known for obfuscating its malware code and has developed custom EDR bypass tools, such as AvNeutralizer (also known as AuKill), which they have also marketed in underground forums. \n\nLateral movement typically involves RDP, SSH, and abusing Windows admin shares, often facilitated by harvested administrative or compromised credentials. They also conduct extensive discovery, enumerating domain groups and gathering information on network shares. Command and Control (C2) can utilize DNS TXT records, legitimate cloud services like Google Docs, Google Scripts, and Pastebin, or their own sophisticated control panels. FIN7 has even created custom video recording capabilities to monitor victim environments. Finally, for exfiltration, they collect sensitive data like payment card information, financial records, and login credentials, sometimes staging it in Amazon S3 buckets before removal.\n\n## Notable Campaigns\n\nFIN7’s history is marked by several high-profile campaigns that underscore their adaptiveness and impact. Between 2017 and 2018, they executed widespread breaches targeting major restaurant and retail chains, including Chipotle, Chili’s, Arby’s, Jason’s Deli, Red Robin, Omni Hotels, Saks Fifth Avenue, and Lord & Taylor. These attacks resulted in the theft of over 15 million customer card records from thousands of POS terminals across 47 U.S. states and internationally.\n\nA significant shift occurred around 2020 when FIN7 pivoted towards "big game hunting" ransomware operations. This new focus involved deploying various ransomware strains, including REvil, Maze, Ryuk, and ALPHV (BlackCat), in addition to developing their own Ransomware-as-a-Service (RaaS) platforms, most notably DarkSide and its successor, BlackMatter. To support these complex operations and recruit unwitting talent, FIN7 notably operated under the guise of legitimate cybersecurity firms such as "Combi Security" and later "Bastion Secure." These front companies were used to recruit penetration testers and IT specialists who were then unknowingly tasked with supporting FIN7’s criminal endeavors.\n\nRecent campaigns demonstrate their continued evolution. In late 2023 and April 2024, FIN7 targeted a large automotive manufacturer in the United States using spear-phishing emails that lured IT employees with a fake IP scanning utility to deploy the Anunak backdoor and POWERTRASH. Concurrently in April 2024, they were observed using malicious websites impersonating well-known brands, promoted via sponsored Google Ads, to deliver NetSupport RAT through MSIX app installers. These examples highlight FIN7’s continuous adaptation and sophisticated approach to targeting diverse sectors for financial gain.\n\n## Associated Malware & Tools\n\nFIN7 possesses a diverse and constantly updated arsenal of malware and legitimate tools, allowing them to execute highly adaptable attacks. Historically, they have heavily relied on adapted versions of the Carbanak malware, often considered a foundational tool for the group, though it’s also used by other threat actors.\n\nAs their operations evolved, so did their toolkit. For initial access and persistence, they frequently utilize custom backdoors and loaders such as Anunak, NetSupport RAT, POWERTRASH, DICELOADER (also known as Lizar or IceBot), BIOLOAD, BIRDWATCH (with variants like CROWVIEW and FOWLGAZE), Boostwrite, Griffon, HALFBAKED, JSSLoader, POWERPLANT, POWERSOURCE, RDFSNIFFER, Sardonic, SQLRat, Spy.Sekur, and Tinymet. Since 2021, POWERPLANT, a multifunction backdoor, has notably become a primary first-stage malware in their intrusions.\n\nFor command and control and lateral movement, FIN7 frequently integrates legitimate remote access and penetration testing tools like Cobalt Strike (especially the Beacon payload), Atera, and TightVNC. They have also been observed using Mimikatz for credential harvesting and Core Impact for exploitation.\n\nThe shift to ransomware operations brought new tools into their arsenal. Beyond leveraging established strains like REvil, Maze, Ryuk, ALPHV (BlackCat), and Cl0p, FIN7 developed and operated their own Ransomware-as-a-Service (RaaS) platforms, most notably DarkSide and its successor, BlackMatter. They’ve also been linked to BadRabbit ransomware.\n\nA more recent and significant addition is AvNeutralizer (also tracked as AuKill), a highly specialized tool designed to disrupt Endpoint Detection and Response (EDR) solutions. This tool demonstrates FIN7’s commitment to developing custom capabilities to bypass modern security defenses and has even been sold on underground forums, making it accessible to other groups like Black Basta. Other recent additions include Dave Loader delivering the Minodo backdoor and the Project Nemesis information stealer, observed in conjunction with former Conti members.\n\n## Current Status\n\nFIN7 remains an exceptionally active and formidable threat actor, continually defying law enforcement efforts and adapting its operations. Despite the high-profile arrests of several key members in 2018, the group demonstrated remarkable resilience, continuing to operate and recruit new members.\n\nTheir strategic shift to "big game hunting" ransomware has solidified their position as a significant threat to large enterprises across a broad range of industries, far beyond their initial focus on retail and hospitality. Recent reporting, including insights from late 2023 and April 2024, confirms FIN7’s ongoing activity, showcasing campaigns targeting the automotive industry and utilizing novel initial access techniques like MSIX app installers. Furthermore, their continuous development of custom EDR bypass tools like AvNeutralizer underscores their persistent efforts to circumvent security controls.\n\nSecurity vendors continue to track and report on FIN7’s evolving tactics, with attack emulation tools and threat hunting guides being updated as late as February 2025, reflecting the group’s sustained relevance and active threat posture. FIN7’s ability to maintain a sophisticated organizational structure, adapt its attack vectors, and continuously refine its malware and tooling ensures that it will remain a critical concern for security professionals globally.” }

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call