FIN8
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:14
- Updated at: 27/03/2026 01:14
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 37 attack patterns (mitre), 5 malware, 9 indicators, 5 vulnerabilities (cve), 6 tool
Aliases
Syssphinx
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (37)
- T1134.001 uses Token Impersonation/Theft (MITRE)
- T1059.003 uses Windows Command Shell (MITRE)
- T1033 uses System Owner/User Discovery (MITRE)
- T1018 uses Remote System Discovery (MITRE)
- T1016.001 (MITRE)
- T1082 uses System Information Discovery (MITRE)
- T1482 uses Domain Trust Discovery (MITRE)
- T1204.001 uses Malicious Link (MITRE)
- T1573.002 uses Asymmetric Cryptography (MITRE)
- T1055.004 uses Asynchronous Procedure Call (MITRE)
- T1112 uses Modify Registry (MITRE)
- T1048.003 uses Exfiltration Over Unencrypted Non-C2 Protocol (MITRE)
Malware (5)
- BADHATCH uses
- Ragnar Locker uses
- PUNCHBUGGY uses
- PUNCHTRACK uses · Family · The MITRE Corporation · Confidence 100
  [PUNCHTRACK](https://attack.mitre.org/software/S0197) is non-persistent point of sale (POS) system malware utilized by [FIN8](https://attack.mitre.org/groups/G0061) to scrape payment card data. (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8…
- Sardonic uses · Family · The MITRE Corporation · Confidence 100
  [Sardonic](https://attack.mitre.org/software/S1085) is a backdoor written in C and C++ that is known to be used by [FIN8](https://attack.mitre.org/groups/G0061), as early as August 2021 to target a financial institution in…
Indicators (9)
- stix · 100/100 · Revoked · Valid until 11/01/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 11/01/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 11/01/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 11/01/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 11/01/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 11/01/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 11/01/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 11/01/2025 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 11/01/2025 · Source: AlienVault
Vulnerabilities (CVE) (5)
- A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …
  - Published: 14/06/2022
  - Modified: 27/05/2026
- Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.
  - Attack vector: Network
  - Published: 19/07/2023
  - Modified: 27/05/2026
- A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.
  - Attack vector: Network
  - Published: 23/09/2022
  - Modified: 27/05/2026
- Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code …
  - Published: 02/06/2022
  - Modified: 27/05/2026
- Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code …
  - Published: 03/11/2021
  - Modified: 27/05/2026
Tool (6)
- Impacket uses · The MITRE Corporation · Confidence 100
  [Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation,…
- PsExec uses · The MITRE Corporation · Confidence 100
  [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS…
- dsquery uses · The MITRE Corporation · Confidence 100
  [dsquery](https://attack.mitre.org/software/S0105) is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed…
- Net uses · The MITRE Corporation · Confidence 100
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- Nltest uses · The MITRE Corporation · Confidence 100
  [Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts. (Citation: Nltest Manual)
- Ping uses · The MITRE Corporation · Confidence 100
  [Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)