>samit_hota
Back to adversary profiles
G0053HighUnknown

FIN5 Threat Actor Profile: Persistent Point-of-Sale Scraper

Samit Hota·
Suspected Origin
Eastern Europe (likely Russian-speaking)
Motivation
Financial Gain
Aliases
None documented
Target Sectors
Restaurant, Gaming, Hotel, Hospitality
Associated Malware
RawPOS, Tornhull, FLIPSIDE, GET2 Penetrator, Essential NetTools, PsExec, pwdump, SDelete, Windows Credential Editor
#threat-actor#g0053

Overview

FIN5 (MITRE ATT&CK ID: G0053) is a financially motivated threat group that has primarily targeted organizations within the restaurant, gaming, and hotel industries since at least 2008. Their main objective is the exfiltration of personally identifiable information (PII) and, more critically, payment card information (PCI) from point-of-sale (POS) systems. The group is composed of actors who are believed to be Russian-speaking, suggesting a likely origin in Eastern Europe, although a definitive country of origin remains unconfirmed. FIN5’s operational focus has predominantly been on targets located in the United States and Europe.

Unlike some sophisticated advanced persistent threat groups, FIN5 typically does not rely on zero-day exploits or intricate spear-phishing campaigns for initial access. Instead, a hallmark of their operations involves leveraging legitimate, albeit stolen, credentials to gain entry into victim networks. This approach highlights their pragmatic and persistent nature, focusing on exploiting common vulnerabilities in security practices rather than developing complex attack tools. Their activities have often resulted in significant data breaches, impacting large numbers of credit cards, as seen in notable incidents within the casino sector.

Tactics & Techniques

FIN5’s operational methodology often begins with gaining initial access through valid user credentials. These credentials, acquired through unknown means but sometimes linked to third-party POS system providers, enable the group to log into victim networks via legitimate external remote services such as VPN, Remote Desktop Protocol (RDP), Citrix, or VNC. This method allows them to bypass many traditional perimeter defenses that might detect malicious executables or phishing attempts.

Once inside, FIN5 engages in extensive network discovery and credential access activities. They employ tools like GET2 Penetrator for brute-force scanning to uncover remote login credentials and hard-coded passwords. They also utilize pwdump and Windows Credential Editor to extract password hashes and credentials from compromised systems. To understand the network topology and identify further targets, especially payment card environments, FIN5 has been observed using open-source tools such as Essential NetTools for network mapping. They automate system reconnaissance, including scanning processes on all victim systems to gather information.

Persistence is maintained through various means, including deploying the FLIPSIDE tool to establish a proxy for backup RDP tunnels. In some cases, FIN5 has maintained access to victim environments for over a year without detection, indicating effective stealth and operational security practices. For data collection, their primary method involves memory scraping. They deploy custom scripts to save memory dump data into specific directories on compromised hosts. The specialized RawPOS malware is central to their data exfiltration, designed to scrape credit card data directly from the memory of POS systems.

Defense evasion is also a key part of their strategy. FIN5 is known to clear event logs to remove traces of their activity and uses tools like SDelete to securely delete files, making forensic recovery more challenging. They also disguise their tools, files, and processes as legitimate software to blend in with normal system activity.

Notable Campaigns

FIN5 has been linked to numerous payment card breaches affecting retail and hospitality organizations. One particularly notable incident involved the breach of a major, unnamed casino, where the group successfully exfiltrated data associated with over 150,000 credit cards. This specific campaign highlighted critical security weaknesses at the victim organization, including a lack of firewalls isolating payment systems and inadequate logging, which allowed FIN5 to operate undetected for an extended period. The group’s success in this instance underscored their ability to exploit weaknesses in basic security hygiene.

Another widely reported association for FIN5 is with the RawPOS malware, which achieved “epidemic proportions” in the lodging industry for its effectiveness in scraping payment card data from POS systems. This malware and its associated campaigns have been the subject of multiple security alerts from card brands like Visa, signaling the widespread impact of FIN5’s operations on merchants.

Associated Malware & Tools

FIN5 leverages a combination of custom-developed malware and legitimate or publicly available tools to achieve their objectives:

  • RawPOS: This is a memory-scraping malware designed specifically to target Point-of-Sale (POS) systems. It extracts payment card information from the memory where it is temporarily stored during transactions.
  • Tornhull: A backdoor used by FIN5 to maintain covert access to compromised systems.
  • FLIPSIDE: A VPN or proxy tool that FIN5 utilizes to establish backup RDP tunnels, ensuring persistent access to victim networks.
  • GET2 Penetrator: A brute-force scanning tool employed to discover remote login credentials and hard-coded passwords within target environments.
  • Essential NetTools: An open-source utility used for network mapping and discovering potential targets within a compromised infrastructure.
  • PsExec: FIN5 has been observed using a customized version of this legitimate administration tool, likely for remote execution of commands.
  • pwdump: A tool for extracting password hashes from Windows systems, aiding in credential access.
  • SDelete: Used to securely delete files and directories, hindering forensic analysis and detection.
  • Windows Credential Editor: Another tool for credential access, allowing FIN5 to retrieve authentication data from memory.

Current Status

While FIN5 has a documented history of activity dating back to at least 2008, and their MITRE ATT&CK profile (G0053) was last modified in April 2025, public reporting of new, distinct FIN5 campaigns has significantly diminished in recent years. The detailed analyses and incident reports concerning FIN5’s operations and specific breaches largely date from 2018 and earlier. Although the MITRE update suggests their tactics and techniques remain relevant for tracking purposes, there is a current lack of widely publicized, confirmed attacks specifically attributed to FIN5 beyond that timeframe. This does not definitively mean the group is inactive or disbanded, but rather that their recent activities, if any, have not generated significant public reporting under the FIN5 moniker. The absence of specific incident details in current threat intelligence feeds suggests their operational status is currently unknown, rather than actively engaged in widespread, identifiable campaigns.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call