216.73.217.22

FIN7

· Published 16/12/2025 19:39 · Modified 27/03/2026 01:13 · Source: The MITRE Corporation

Essential information

Confidence
100/100
Published
16/12/2025 19:39
Modified
27/03/2026 01:13
Updated at
27/03/2026 01:13
Revoked
No
Author / Source
The MITRE Corporation
Resource level
Primary motivation
Related entities
6 reports, 25 attack patterns (mitre), 25 malware, 10 sectors, 1 countries, 25 indicators, 8 vulnerabilities (cve), 4 tool

Aliases

GOLD NIAGARA ITG14 Carbon Spider ELBRUS Sangria Tempest

Description

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to big game hunting (BGH), including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but multiple threat groups have been observed using [Carbanak](https://attack.mitre.org/software/S0030), leading these groups to be tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)(Citation: BiZone Lizar May 2021)

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (6)

Attack patterns (MITRE) (25 / 127)

Malware (25 / 28)

  • SystemBC uses
    Family
    Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
  • BOOSTWRITE
  • RDFSNIFFER
  • Lizar
  • Eamfo
  • Black Basta uses
    Family The MITRE Corporation Confidence 100

    [Black Basta](https://attack.mitre.org/software/S1070) is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 08/03/2023 20:14 · Modified 27/03/2026 01:05
  • EugenLoader uses
    Family
    Published 11/07/2024 11:51 · Modified 11/07/2024 11:51
  • Gracewire uses
    Family
    Published 11/07/2024 11:51 · Modified 11/07/2024 11:51
  • Core Impact uses
    Family
    Published 17/07/2024 13:57 · Modified 17/07/2024 13:57
  • AnubisBackdoor uses
    Family
    Published 20/03/2025 19:04 · Modified 20/03/2025 19:04
  • SQLRat uses
    Family The MITRE Corporation Confidence 100

    [SQLRat](https://attack.mitre.org/software/S0390) is malware that executes SQL scripts to avoid leaving traditional host artifacts. [FIN7](https://attack.mitre.org/groups/G0046) has been observed using it.(Citation: Flashpoint FIN 7 March 2019)

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:37 · Modified 27/03/2026 01:05
  • GRIFFON
  • Carbanak - S0030 uses
    Family
    Published 11/07/2024 11:51 · Modified 11/07/2024 11:51
  • Maze
  • TEXTMATE
  • Carbanak
  • Powertrash uses
    Family
    Published 17/07/2024 13:57 · Modified 17/07/2024 13:57
  • XMRig uses
    Family
    Published 28/05/2026 10:56 · Modified 28/05/2026 10:56
  • HALFBAKED
  • r77 rootkit uses
    Family
    Published 13/04/2025 10:37 · Modified 13/04/2025 10:37
  • AvNeutralizer uses
    Family
    Published 17/09/2024 11:19 · Modified 17/09/2024 11:19
  • BlackCat
  • Pillowmint
  • REvil
  • Cobalt Strike uses
    Family
    Published 16/12/2024 14:25 · Modified 16/12/2024 14:25

Sectors (10)

  • Consulting targets
  • Technology targets
  • Healthcare targets
  • Banking institutions targets
  • Finance targets
  • Retail targets
  • Media targets
  • Transportation targets
  • Hospitality targets
  • Manufacturing targets

Countries (1)

  • United States of America targets

Indicators (25 / 100)

  • 8f55483eeaf397df04fbca11f84c1e6b0f9248c62d78f072d25bb37501651510 indicates
  • 8a24b6f83761561d8b71429f586248f264139aee2d8349f375ccbba702e4ecb2 indicates
  • gogogogogotests.xyz indicates
  • d44c4247b7516b030f5c3b5c6f18246933700447a6462531d31b06c4f0ab9112 indicates
  • mozillaupdate.com indicates
  • [email protected] indicates
  • fafbf0870568dae2e02913cbe158011c867098bda883c8f85a13d1f83a4aa937 indicates
  • sapconcur.top indicates
  • 029dde7c2ec880fb3d3e95e6a8376739b4bc46a0ce24012e064b904e6ecb672c indicates
  • otpdank24.top indicates
  • 894c0129123266fbd2b2c4db1648c0c699a6694312a446697c8b2519da9a10e8 indicates
  • 0506372e2c2b6646c539ac5a08265dd66d0da58a25545e444c25b9a02f8d9a44 indicates
  • 1250e7bb1f6293dbf3ea3d6d83fdb52edfb5dc1ab006806c0ebcaaaca120f538 indicates
  • 73f98bba5806d612c8618fba09b69bf30c4004c509b3584302c8a580f8c4a241 indicates
  • 7a234d1a2415834290a3a9c7274aadb7253dcfe24edb10b22f1a4a33fd027a08 indicates
  • 997670338de96f922dbceb15c67fd114400562291b05781875bfd83dc4ae63b6 indicates
  • a5c85435d59c10c59f719017d578e616953d36881c5f8d8c2b09ff307ff731af indicates
  • fd638aa195d9c92f40b64175a68e6b037c07d29ddcef7c5033edbe57c1b91c56 indicates
  • 4992e7f9da4343d8b9136db3b5c4640cb39196b336787bfb7651839c765a04a0 indicates
  • go-ia.site indicates
  • redfinneat.com indicates
  • 57c01dc2df1ab06b361a47c9377b6495f5088697d973854bc8bc9224e97f0f8b indicates
  • c2b5fe6600757f1c4ac9ec89cd7333bc69333f1d5d585d44a898e777f1a33c90 related
  • d484ed62c67a46a2ddc9a6d41b76493818489ec2f697a743681f23f8b35bd94f related
  • ccf5f274e5930df4bf9bda2de3e8279fbcfd6679e44fd797d9e42d41f3814981 related

Vulnerabilities (CVE) (8)

CVE-2020-1472 KEV
5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector
Local
Published
03/11/2021
Modified
27/05/2026
CVE-2021-42278 KEV

Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.

Published
11/04/2022
Modified
20/12/2025
CVE-2021-34473 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.

Published
03/11/2021
Modified
29/05/2026
CVE-2021-34527 KEV

Microsoft Windows Print Spooler contains an unspecified vulnerability due to the Windows Print Spooler service improperly performing privileged file operations. Successful exploitation …

Published
03/11/2021
Modified
20/12/2025
CVE-2021-31207 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.

Published
03/11/2021
Modified
20/12/2025
CVE-2021-42287 KEV

Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.

Published
11/04/2022
Modified
20/12/2025
CVE-2022-30190 KEV

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …

Published
14/06/2022
Modified
27/05/2026
CVE-2021-34523 KEV

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Published
03/11/2021
Modified
20/12/2025

Tool (4)

  • CrackMapExec uses
    The MITRE Corporation Confidence 100

    [CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted …

    Published 17/07/2020 16:23 · Modified 27/03/2026 01:07
  • Mimikatz uses
    The MITRE Corporation Confidence 100

    [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of …

    Published 31/05/2017 23:32 · Modified 27/03/2026 01:07
  • PowerSploit uses
    The MITRE Corporation Confidence 100

    [PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code …

    Published 18/04/2018 19:59 · Modified 27/03/2026 01:07
  • AdFind uses
    The MITRE Corporation Confidence 100

    [AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: …

    Published 28/12/2020 19:35 · Modified 27/03/2026 01:07