FIN6
Essential information
- Confidence
- 100/100
- Published
- 16/12/2025 19:39
- Modified
- 27/03/2026 01:13
- Updated at
- 27/03/2026 01:13
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Resource level
- —
- Primary motivation
- —
- Related entities
- 2 reports, 63 attack patterns (MITRE), 9 malware, 3 sectors, 1 country, 33 indicators, 4 tools
Aliases
Magecart Group 6, ITG08, Skeleton Spider, TAAL, Camouflage Tempest
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (2)
- 23 MITRE attack patterns, 4 malware, 24 observables, 1 APT
- 13 MITRE attack patterns, 4 malware, 10 observables, 1 APT
Attack patterns (MITRE) (63)
- T1204 User Execution · uses · MITRE
- T1078.001 Default Accounts · uses · MITRE
- T1059.001 PowerShell · uses · MITRE
- T1087.002 Domain Account · uses · MITRE
- T1053.005 Scheduled Task · uses · MITRE
- T1074.002 Remote Data Staging · uses · MITRE
- T1566.002 Spearphishing Link · uses · MITRE
- T1566 Phishing · uses · MITRE
- T1027.002 Software Packing · uses · MITRE
- T1140 Deobfuscate/Decode Files or Information · uses · MITRE
- T1018 Remote System Discovery · uses · MITRE
- Command Obfuscation · uses
Malware (9)
- More_eggs (S0284) · uses · Source: AlienVault · Confidence 100
- More_eggs · uses · Family · Source: The MITRE Corporation · Confidence 100
[More_eggs](https://attack.mitre.org/software/S0284) is a JScript backdoor used by [Cobalt Group](https://attack.mitre.org/groups/G0080) and [FIN6](https://attack.mitre.org/groups/G0037). Its name was given based on the variable "More_eggs" being present in its code. There are at…
- FlawedAmmyy · uses · Family · Source: The MITRE Corporation · Confidence 100
[FlawedAmmyy](https://attack.mitre.org/software/S0381) is a remote access tool (RAT) that was first seen in early 2016. The code for [FlawedAmmyy](https://attack.mitre.org/software/S0381) was based on leaked source code for a version of…
- Ryuk · uses · Family · Source: The MITRE Corporation · Confidence 100
[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk…
- GrimAgent · uses · Family · Source: The MITRE Corporation · Confidence 100
[GrimAgent](https://attack.mitre.org/software/S0632) is a backdoor that has been used before the deployment of [Ryuk](https://attack.mitre.org/software/S0446) ransomware since at least 2020; it is likely used by [FIN6](https://attack.mitre.org/groups/G0037) and [Wizard Spider](https://attack.mitre.org/groups/G0102).(Citation: Group…
- FrameworkPOS · uses · Family · Source: The MITRE Corporation · Confidence 100
[FrameworkPOS](https://attack.mitre.org/software/S0503) is a point of sale (POS) malware used by [FIN6](https://attack.mitre.org/groups/G0037) to steal payment card data from systems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)
- Maze · uses · Family · Source: The MITRE Corporation · Confidence 100
[Maze](https://attack.mitre.org/software/S0449) ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [Maze](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior…
- LockerGoga · uses · Family · Source: The MITRE Corporation · Confidence 100
[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation:…
- Cobalt Strike · uses · Family · Source: The MITRE Corporation · Confidence 100
[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced…
Sectors (3)
- Finance · targets
- Engineering consulting · targets
- Hospitality · targets
Countries (1)
- Russian Federation · targets
Indicators (33)
- http://bobbyweisman.com · indicates · stix · 100/100 · Revoked · Valid until 28/07/2025 · Source: AlienVault
- 1212055764.johncboins.com · indicates · stix · 100/100 · Revoked · Valid until 05/09/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 07/06/2026 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 27/09/2025 · Source: AlienVault
- 6f4922f4.bobbyweisman.com · indicates · stix · 100/100 · Revoked · Valid until 16/05/2026 · Source: AlienVault
- http://36hbhv.johncboins.com/fjkabrhhg. · indicates · stix · 100/100 · Revoked · Valid until 17/11/2024 · Source: AlienVault
- http://bobbyweisman.com/index.html · indicates · stix · 100/100 · Revoked · Valid until 28/07/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 07/06/2026 · Source: AlienVault
- https://tool.municipiodechepo.org/id/ · indicates · stix · 100/100 · Revoked · Valid until 28/07/2025 · Source: AlienVault
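As an added example (not code from the original page, MITRE or OpenCTI), the script below loads the indicator rows with a visible value from the list above, honours each row's Revoked marker and Valid until date, and matches them against constructed proxy log lines, so a hit on a stale indicator is reported as historical rather than raised as an alert. The log line format, the as-of date, and the reading of the Revoked marker as "no longer actionable" are assumptions made for the example.

```python
"""Triage proxy-log hits against the FIN6 network indicators listed above.

Added example, not code from the original page, MITRE or OpenCTI. The
indicator rows are copied from the Indicators list above (value, Revoked
marker, Valid until date); the log lines and the as-of date are constructed.
Assumption: a row's "Revoked" marker and a past "Valid until" date both mean
the indicator is no longer actionable, so a hit is reported but not alerted.
"""
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Indicator:
    value: str         # domain or URL exactly as listed on the page
    valid_until: date  # "Valid until" column (page format DD/MM/YYYY)
    revoked: bool      # True when the row carries the "Revoked" marker


def parse_dmy(text: str) -> date:
    """Parse the page's DD/MM/YYYY dates."""
    day, month, year = (int(part) for part in text.split("/"))
    return date(year, month, day)


# Rows with a visible value from the Indicators list above; every one of them
# is shown as Revoked on the page.
PAGE_INDICATORS = [
    Indicator("http://bobbyweisman.com", parse_dmy("28/07/2025"), True),
    Indicator("1212055764.johncboins.com", parse_dmy("05/09/2025"), True),
    Indicator("6f4922f4.bobbyweisman.com", parse_dmy("16/05/2026"), True),
    Indicator("http://36hbhv.johncboins.com/fjkabrhhg.", parse_dmy("17/11/2024"), True),
    Indicator("http://bobbyweisman.com/index.html", parse_dmy("28/07/2025"), True),
    Indicator("https://tool.municipiodechepo.org/id/", parse_dmy("28/07/2025"), True),
]

# Constructed proxy log lines: "<timestamp> <source-ip> <method> <url> <http-status>".
SAMPLE_LOGS = [
    "2026-03-27T10:01:02Z 10.0.0.5 GET http://6f4922f4.bobbyweisman.com/ 200",
    "2026-03-27T10:01:09Z 10.0.0.5 GET https://tool.municipiodechepo.org/id/x 200",
    "2026-03-27T10:02:00Z 10.0.0.7 GET https://example.org/ 200",
]


def host_of(value: str) -> str:
    """Normalise a URL or bare hostname indicator to a lowercase hostname."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.split("/", 1)[0].lower()


def status(ind: Indicator, as_of: date) -> str:
    """'active' only when not revoked and still inside its validity window."""
    if ind.revoked:
        return "revoked"
    if as_of > ind.valid_until:
        return "expired"
    return "active"


RANK = {"active": 0, "expired": 1, "revoked": 2}  # best status wins per hit


def triage(log_lines, indicators, as_of):
    """Return one (destination_host, status) per log line whose destination
    equals an indicator host or is a subdomain of it. Lines with no match are
    dropped; only an 'active' status is worth an alert, the rest are context."""
    by_host = {}
    for ind in indicators:
        by_host.setdefault(host_of(ind.value), []).append(ind)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than guess a destination
        dst = host_of(parts[3])
        matched = [
            ind
            for ioc_host, inds in by_host.items()
            if dst == ioc_host or dst.endswith("." + ioc_host)
            for ind in inds
        ]
        if matched:
            best = min((status(ind, as_of) for ind in matched), key=RANK.__getitem__)
            hits.append((dst, best))
    return hits


if __name__ == "__main__":
    for dst, st in triage(SAMPLE_LOGS, PAGE_INDICATORS, date(2026, 3, 27)):
        print(f"{st:8} {dst}")
```

Run against the page's rows as of the page's modification date, both sample hits come back as revoked, which is the point: a feed that still carries these domains should not page an analyst for them, but the historical hit is still worth recording in the case file. Subdomain matching is deliberate, since several of the listed values are hash-like labels under the same parent domain.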
Tool (4)
- Mimikatz · uses · Source: The MITRE Corporation · Confidence 100
[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
- AdFind · uses · Source: The MITRE Corporation · Confidence 100
[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation:…
- Windows Credential Editor · uses · Source: The MITRE Corporation · Confidence 100
[Windows Credential Editor](https://attack.mitre.org/software/S0005) is a password dumping tool. (Citation: Amplia WCE)
- PsExec · uses · Source: The MITRE Corporation · Confidence 100
[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…