{
  "name": "New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks",
  "slug": "new-fin7-linked-infrastructure-powernet-loader-and-fake-update-attacks",
  "description": "Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of an individual potentially involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.",
  "published": "2025-06-13T18:55:44+00:00",
  "created_at": "2025-06-13T18:55:44+00:00",
  "modified_at": "2025-06-18T11:00:39+00:00",
  "created_at_opencti": "2025-06-13T18:55:44+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-06-13",
    "7-zip",
    "fake updates",
    "fin7",
    "infrastructure",
    "maskbat",
    "netsupport rat",
    "powernet",
    "tag-124"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "e63a1a3d-dea4-47b7-8911-f7f1c66ccb55",
        "name": "MaskBat",
        "slug": "maskbat"
      },
      {
        "id": "94b39dfe-5a1b-4633-9751-97b06d604a16",
        "name": "PowerNet",
        "slug": "powernet"
      },
      {
        "id": "4b31677e-de15-4b9e-a87a-e6e1c18883d4",
        "name": "NetSupport RAT",
        "slug": "netsupport-rat"
      }
    ],
    "intrusion_sets": [
      {
        "id": "7b86edaa-e12b-4391-b6e3-3214dabb4c32",
        "name": "GrayAlpha",
        "slug": "grayalpha"
      }
    ],
    "attack_patterns": [
      {
        "id": "21fd9920-9bc7-4ba5-8cdd-3022c0ef4e9d",
        "name": "T1584.001"
      },
      {
        "id": "d19f56ca-5ce8-4bd1-af90-7d83e394470c",
        "name": "T1583.001"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Retail"
      },
      {
        "id": "",
        "name": "Hospitality"
      },
      {
        "id": "",
        "name": "Finance"
      }
    ]
  },
  "external_refs": [
    "https://cms.recordedfuture.com/uploads/format_webp/recordedfuture_insikt_cover_gray_alpha_1600x600_e9dc818048.jpg",
    "https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat",
    "https://otx.alienvault.com/pulse/684c90509889eb77ff43d758"
  ]
}