>samit_hota
Back to adversary profiles
G1016HighActive

FIN13 (Elephant Beetle): Mexico-Focused Financial Threat Group

Samit Hota·
Suspected Origin
Unknown
Motivation
Financial Gain
Aliases
Elephant Beetle
Target Sectors
Financial, Retail, Hospitality, Commercial
Associated Malware
BLUEAGAVE, SIXPACK, SWEARJAR, JSPRAT, PORTHOLE, DRAWSTRING, CLOSEWATCH, SPINOFF, MAILSLOT, Mimikatz, Impacket, ProcDump, Nmap, Incognito V2, JspSpy, reGeorg, MiniWebCmdShell, Vonloesch Jsp File Browser
#threat-actor#g1016

Overview

FIN13, also tracked as Elephant Beetle, SQUAB SPIDER, and TG2003, is a persistent and resourceful cybercriminal group that has focused its operations on financial gain since at least 2016. Unlike many contemporary “smash-and-grab” ransomware operations, FIN13 is characterized by its methodical, long-term approach to intrusions, often maintaining a presence within victim networks for extended periods—Mandiant reports a median dwell time of 913 days, or approximately 2.5 years. This lengthy dwell time allows them to thoroughly understand target environments before executing their financial objectives.

While their precise country of origin remains unconfirmed, observed Command and Control (C2) infrastructure and highly localized targeting suggest a strong operational nexus with Mexico and the broader Latin American region. Their primary motivation is financial, achieved through the theft of intellectual property, sensitive financial data, mergers and acquisition information, and personally identifiable information (PII), often culminating in the injection of fraudulent transactions to siphon off funds. The group primarily targets large organizations within the financial, retail, and hospitality sectors.

FIN13 demonstrates a sophisticated operational capability, leveraging a blend of custom malware and widely available legitimate tools. They have a notable proficiency in Java-based attacks, frequently exploiting vulnerabilities in legacy Java applications running on Linux-based systems for initial access. This focus on stealth and detailed reconnaissance differentiates them from many other financially motivated threat actors.

Tactics & Techniques

FIN13’s operational methodology involves a comprehensive series of steps, beginning with initial access and extending to meticulous financial fraud.

Initial access frequently involves exploiting externally facing servers, particularly legacy Java applications on Linux, to deploy web shells and custom backdoors. They have successfully leveraged vulnerabilities such as Primefaces Application Expression Language Injection (CVE-2017-1000486), WebSphere Application Server SOAP Deserialization Exploit (CVE-2015-7450), SAP NetWeaver Invoker Servlet Exploit (CVE-2010-5326), SAP NetWeaver ConfigServlet Remote Code Execution (EDB-ID-24963), Oracle WebLogic Server Deserialization RCE (CVE-2019-2729), and even the Log4j vulnerability (CVE-2021-44228). Remote access services like corporate VPNs have also served as an entry point.

Once inside, the group conducts extensive internal reconnaissance to map the network and understand the victim’s financial systems. They use standard Windows commands like whoami, systeminfo, fsutil, and net view, alongside tools like Nmap for scanning, and PowerShell scripts to gather DNS data or extract login events. They also leverage compromised administrative consoles, such as Symantec Altiris and LanDesk, to gather host and network information. A key aspect of their reconnaissance is identifying user accounts for potential Kerberoasting attacks using scripts like GetUserSPNs.vbs and querySpn.vbs. Critically, FIN13 often spends months observing legitimate financial transaction processes to understand how to best inject fraudulent activity undetected.

For persistence, FIN13 relies on custom malware and various stealthy methods, including creating scheduled tasks in C:\Windows, utilizing Windows Registry run keys, and establishing MS-SQL local accounts with sysadmin privileges. They also employ web shells, sometimes chained together, to maintain access and proxy traffic.

Lateral movement is achieved through common protocols and services such as Remote Desktop Services (RDS), Secure Shell (SSH), SMB, and WMI. They also use proxy tools and techniques like pass-the-hash via PowerShell’s Invoke-SMBExec to move across the network.

Credential access is a significant focus, with techniques including dumping LSASS process memory with ProcDump and Mimikatz, extracting SAM and SYSTEM registry hives, harvesting NTDS.DIT files with Impacket, and even logging keystrokes.

To evade detection, FIN13 utilizes custom passive backdoors and disguises web shells as benign files like fonts, CSS, or images. They have also been observed replacing legitimate KeePass binaries with trojanized versions and attempting to disable or tamper with Sysmon logging.

The ultimate objective of FIN13 is data collection and exfiltration, which includes credentials, point-of-sale (POS) and ATM data, intellectual property, financial records, and PII. Collected data is often compressed using 7zip and staged in temporary folders before being exfiltrated via HTTP requests to actor-controlled C2 servers. Finally, the group injects fraudulent transactions into compromised financial systems, carefully mimicking legitimate behavior to avoid immediate detection and steal millions of dollars over time.

Notable Campaigns

While FIN13 is not typically associated with widely publicized, named campaigns in the same vein as some nation-state actors, their activity is characterized by a consistent and long-running series of intrusions. Mandiant began tracking FIN13’s financially motivated intrusions in Mexico as early as 2016, noting their sustained operations through the present day. Sygnia, tracking them as Elephant Beetle, similarly identified their organized financial-theft operations targeting Latin American financial and commerce sectors, having observed them for at least two years prior to their January 2022 report.

These campaigns consistently demonstrate FIN13’s patience and deep understanding of victim financial systems. One notable characteristic is their localized targeting, predominantly against organizations in Mexico, though they have also breached Latin American operations of U.S.-based companies, indicating potential for broader reach. Their engagements involve meticulously studying victim networks for months, sometimes planting over 80 unique tools and scripts, before executing fraudulent money transfers that blend with legitimate transactions.

Associated Malware & Tools

FIN13 utilizes a diverse toolkit comprising both custom-developed malware and commonly available penetration testing tools.

Key custom malware families include:

  • BLUEAGAVE: A PowerShell passive backdoor that establishes a local HTTP server for command and control.
  • SIXPACK: An ASPX web shell written in C# used for tunneling network traffic.
  • SWEARJAR: A backdoor that retrieves commands via DNS TXT records, providing a stealthy C2 channel.
  • JSPRAT: A Java-based tool enabling local command execution, file transfer, and network traffic proxying.
  • PORTHOLE: A Java-based multi-threaded port scanner for rapid network reconnaissance.
  • DRAWSTRING: Malware that gathers system information and communicates via HTTP POST requests for C2.
  • CLOSEWATCH: An earlier FIN13 scanning tool capable of scanning IP and port ranges.
  • SPINOFF: A JSP web shell employed specifically for SQL database research.
  • MAILSLOT: A backdoor that notably uses SMTP/POP over SSL for command and control, a rare technique for C2.
  • Other custom tools mentioned include BUSTEDPIPE, HOTLANE, LATCHKEY, NIGHTJAR, SHELLSWEEP, and Tiny SHell.

In addition to their custom arsenal, FIN13 extensively uses public and open-source tools:

  • Credential Access: Mimikatz, Impacket, PWdump7, ProcDump, Incognito V2.
  • Reconnaissance: Nmap, GetUserSPNS.vbs, querySpn.vbs, osql utility, and various native Windows commands like whoami, systeminfo, fsutil, fsinfo, net view, nslookup, ipconfig, ping, tracert, netstat, dir, and reg.exe.
  • Web Shells: JspSpy, reGeorg, MiniWebCmdShell, Vonloesch Jsp File Browser 1.2, and the widely used WSO web shell.
  • Utilities: 7zip for compression, certutil for decoding and masquerading data, PowerSploit, and RawCap.

Current Status

FIN13 remains an active threat actor. Reports from Mandiant in late 2021 indicated their operations were continuing through “the present day”. Sygnia’s January 2022 report highlighted their ongoing activities. More recent intelligence from MITRE ATT&CK shows updates to their profile as recently as January 20, 2026, and Tidal Cyber’s profile was last updated in November 2023. Additionally, a report from April 2024 by Cyber Poking also refers to FIN13’s ongoing use of custom tooling, including MAILSLOT.

The group’s pattern of activity suggests resilience; when detected and disrupted, they tend to lay low for a period before resurfacing with potentially altered tactics or targeting new systems. This consistent, stealthy, and patient operational model ensures their continued efficacy in financially motivated cybercrime, particularly in Latin America. Their adaptive use of both bespoke and public tools, combined with a deep understanding of financial systems, means they continue to pose a significant threat to their target sectors.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call