DFIRLab

Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.

FIN7

Also known as: Carbanak, Carbon Spider, ELBRUS, Sangria Tempest, ITG14, Navigator Group, GrayAlpha, Savage Ladybug


Overview

FIN7 (tracked by Microsoft as Sangria Tempest) is a financially motivated threat actor active since at least 2013. It is best known for compromising point-of-sale (POS) systems to steal payment card data and, more recently, for deploying ransomware.

The group significantly reworked its operations across 2023-2025, moving toward automated attack platforms, improved EDR evasion and large-scale phishing infrastructure. It operates through sub-clusters; one of them, GrayAlpha, delivered the custom PowerNet and MaskBat loaders through fake 7-Zip download pages and the TAG-124 traffic distribution system (TDS). FIN7 deployed Clop ransomware in April 2023 (its first ransomware campaign since late 2021), targeted the U.S. automotive industry in late 2023 and 2024, and has registered more than 4,000 typosquatting domains impersonating brands such as Google, Microsoft 365 and American Express.

FIN7 continues to develop the AvNeutralizer EDR bypass tool and uses its Checkmarks platform to run automated SQL injection against public-facing servers. It also distributes malware through the OpenDir network. Despite the 2018 arrests of key members, compartmentalized teams have kept the group operational. Recent campaigns rely on social engineering (fake job offers, IT support impersonation) and supply chain compromises.

Motivations

Financial gain, cybercrime

Target Sectors

Financial Services, Hospitality, Restaurant, Retail, Technology, Gaming, Healthcare, Automotive, Defense, Insurance, Transportation, Cloud Services, Media, Food and Beverage, Pharmaceutical, Utilities, Medical Equipment, Software, Consulting

Activity Timeline

First Seen

Jan 2013

Last Seen

Jan 2025

Quick Facts

Origin: Eastern Europe
Sophistication: Expert
Status: Active
MITRE Group: G0046

MITRE ATT&CK Techniques

(37)

Initial Access

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1189

Drive-by Compromise

Gain access through a user visiting a compromised website during normal browsing.

T1566.002

Spearphishing Link

Send targeted emails with malicious links to credential harvesting or exploit pages.

Other

T1204.002

User Execution: Malicious File

A user opens a malicious file (typically a phishing attachment) and triggers execution.

T1059.005

Command and Scripting Interpreter: Visual Basic

Execute VBScript or VBA macro code.

T1059.007

Command and Scripting Interpreter: JavaScript

Execute JavaScript or JScript, for example through a Windows script host.

T1071.001

Application Layer Protocol: Web Protocols

Carry C2 traffic over HTTP/HTTPS so it blends with normal web traffic.

T1027.010

Obfuscated Files or Information: Command Obfuscation

Obfuscate command lines and scripts to defeat signature-based detection.

T1053.005

Scheduled Task/Job: Scheduled Task

Create Windows scheduled tasks for persistence or delayed execution.

T1091

Replication Through Removable Media

Deliver payloads via USB or other removable media.

T1195.002

Supply Chain Compromise: Compromise Software Supply Chain

Trojanize software or its distribution channel before it reaches the victim.

T1204.001

User Execution: Malicious Link

A user clicks a link that leads to a payload or exploit page.

T1136.001

Create Account: Local Account

Create local accounts to maintain access.

T1543.003

Create or Modify System Process: Windows Service

Install or modify a Windows service for persistence.

T1176

Software Extensions (formerly Browser Extensions)

Abuse browser or other software extensions for persistence.

T1199

Trusted Relationship

Gain access through a third party that holds trusted access to the target.

T1210

Exploitation of Remote Services

Exploit vulnerable services on internal hosts to move laterally.

T1583.001

Acquire Infrastructure: Domains

Register domains for phishing and C2, including typosquats of legitimate brands.

T1583.003

Acquire Infrastructure: Virtual Private Server

Rent VPS hosting for attack infrastructure.

T1608.001

Stage Capabilities: Upload Malware

Host malware on attacker-controlled infrastructure for later delivery.

T1608.004

Stage Capabilities: Drive-by Target

Prepare web pages that deliver payloads to visiting users.

T1218.011

System Binary Proxy Execution: Rundll32

Use rundll32.exe to run malicious DLLs under a signed Windows binary.

T1218.005

System Binary Proxy Execution: Mshta

Use mshta.exe to execute HTA files or inline script.

T1562.001

Impair Defenses: Disable or Modify Tools

Disable or tamper with security tooling such as AV/EDR.

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

Defense Evasion

T1055

Process Injection

Inject code into running processes to evade defenses and elevate privileges.

T1036

Masquerading

Disguise malicious artifacts by manipulating names or locations to appear legitimate.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Persistence

T1547

Boot or Logon Autostart Execution

Configure code to run automatically during system boot or user logon.

Lateral Movement

T1570

Lateral Tool Transfer

Transfer tools and files between compromised systems within the network.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.
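The script-host and LOLBin techniques in the list above (T1218.005 Mshta, T1218.011 Rundll32, T1059.001 PowerShell, T1053.005 Scheduled Task, T1047 WMI) share one detection surface: process-creation telemetry. The Python below is an added example written for this page, not DFIRLab tooling and not FIN7 code; it runs a handful of triage rules over constructed Sysmon EventID 1 / 4688-style events and maps each hit to the technique ID. The events, the field names (parent, image, cmdline), the user-writable path list and the "two suspicious PowerShell flags" threshold are all assumptions chosen for the demo.

```python
import re

# Constructed process-creation events in a Sysmon EventID 1 / 4688 style.
# Field names and values are assumptions for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\jsmith\AppData\Local\Temp\inv_2024.hta"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\update.dll,DllMain"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "OneDriveSync" /tr "wscript.exe C:\Users\Public\s.js" /sc minute /mo 5'},
    # Control-panel applet launched through rundll32 from a system DLL: common, should not fire
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL ncpa.cpl"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"POS-07" process call create "cmd.exe /c powershell -enc SQBFAFgA"'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Paths an unprivileged user can write to; a system binary loading code from here is the tell
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)
PS_SUSPICIOUS = ("-enc", "-encodedcommand", "-w hidden", "-nop", "frombase64string", "iex ")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_mshta(ev):  # T1218.005: mshta spawned by Office, or running a user-dropped / remote HTA
    return basename(ev["image"]) == "mshta.exe" and (
        basename(ev["parent"]) in OFFICE_APPS
        or bool(USER_WRITABLE.search(ev["cmdline"]))
        or "http" in ev["cmdline"].lower())


def rule_rundll32(ev):  # T1218.011: rundll32 loading a DLL from a user-writable path
    return basename(ev["image"]) == "rundll32.exe" and bool(USER_WRITABLE.search(ev["cmdline"]))


def rule_powershell(ev):  # T1059.001: encoded/hidden PowerShell, or PowerShell spawned by a script host / Office
    if basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    cl = ev["cmdline"].lower()
    hits = sum(1 for marker in PS_SUSPICIOUS if marker in cl)
    return hits >= 2 or basename(ev["parent"]) in SCRIPT_HOSTS | OFFICE_APPS


def rule_schtasks(ev):  # T1053.005: task created that runs a script host or code from a user-writable path
    if basename(ev["image"]) != "schtasks.exe":
        return False
    cl = ev["cmdline"].lower()
    runs_script = any(s in cl for s in ("wscript", "cscript", "powershell", "mshta", "rundll32"))
    return "/create" in cl and (runs_script or bool(USER_WRITABLE.search(cl)))


def rule_wmi(ev):  # T1047: WMI used to spawn a process, typically on a remote host
    return basename(ev["image"]) == "wmic.exe" and "process call create" in ev["cmdline"].lower()


RULES = [
    ("T1218.005", "Mshta", rule_mshta),
    ("T1218.011", "Rundll32", rule_rundll32),
    ("T1059.001", "PowerShell", rule_powershell),
    ("T1053.005", "Scheduled Task", rule_schtasks),
    ("T1047", "Windows Management Instrumentation", rule_wmi),
]


def triage(events):
    """Return (event_index, technique_id, technique_name) for every rule that fires."""
    findings = []
    for idx, ev in enumerate(events):
        for tid, name, pred in RULES:
            if pred(ev):
                findings.append((idx, tid, name))
    return findings


if __name__ == "__main__":
    for idx, tid, name in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {tid} {name} <- {SAMPLE_EVENTS[idx]['cmdline']}")
```

The rules deliberately key on context (parent process, load path, flag combinations) rather than on the binary name alone, because mshta, rundll32 and schtasks all have legitimate daily use; the ncpa.cpl event is included to show the rundll32 rule staying quiet on a system DLL. Feed real telemetry through the same shape and tune the path and flag lists to your estate.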

Tools & Malware

(21)

Carbanak

malware, malicious

Signature backdoor used in the group's billion-dollar bank heists. Provides full remote access to compromised banking systems, including screen recording, keylogging and the ability to manipulate ATM and SWIFT transactions.

GRIFFON

malware, malicious

JavaScript-based backdoor delivered via spearphishing. Lightweight initial access tool that profiles victims before heavier Carbanak or Cobalt Strike payloads are deployed.

HALFBAKED

malware, malicious

Multi-purpose backdoor with screenshot, keylogging and file exfiltration capabilities. Used as the primary implant in hospitality and restaurant sector attacks.

PILLOWMINT

malware, malicious

Point-of-sale (POS) RAM scraper that extracts payment card data from the memory of payment processing applications. Deployed on POS terminals in restaurant chains.

BOATLAUNCH

malware, malicious

Utility module that patches PowerShell processes in memory to bypass AMSI (Antimalware Scan Interface), so that malicious PowerShell scripts run without being scanned.

POWERPLANT

malware, malicious

PowerShell-based backdoor framework used for persistent access. Supports dynamic module loading and layers multiple stages of obfuscation to evade detection.

BIRDWATCH

malware, malicious

.NET-based downloader that retrieves and executes second-stage payloads. Sits between initial spearphishing access and deployment of the main backdoors.

Cobalt Strike

framework, legitimate

Primary post-exploitation framework. FIN7 uses heavily customized Cobalt Strike builds with unique Malleable C2 profiles to evade network detection signatures.

Metasploit

framework, legitimate

Open-source penetration testing framework used alongside Cobalt Strike for exploitation, privilege escalation and payload delivery.

BadUSB

hardware delivery, malicious

Weaponized USB devices mailed to targets, disguised as Best Buy gift cards or COVID-19 guidance. The device emulates a keyboard and types PowerShell commands on insertion.

Mimikatz

credential tool, legitimate

Credential harvesting tool used to extract POS terminal credentials, domain admin hashes and Kerberos tickets for lateral movement within retail networks.

AnyDesk

legitimate tool, legitimate

Legitimate remote desktop software deployed for persistent access to compromised systems. Used as a fallback if primary C2 channels are disrupted.

TeamViewer

legitimate tool, legitimate

Remote access tool deployed on compromised POS management servers. Provides hands-on-keyboard access for manual operations during heist execution.

Advanced IP Scanner

legitimate tool, legitimate

Network discovery tool used to map internal networks after initial compromise, identifying POS terminals, domain controllers and payment processing servers.

PowerShell

OS utility, legitimate

Central to FIN7 operations: used for fileless execution, AMSI bypass, payload staging and lateral movement throughout compromised retail and restaurant networks.

Combi Security / Bastion Secure

front company, malicious

Front companies established by FIN7 to recruit penetration testers who unknowingly developed offensive tooling and carried out intrusions against real targets.

PowerNet

loader, malicious

Custom PowerShell-based loader deployed by the GrayAlpha sub-cluster via fake software downloads.

MaskBat

loader, malicious

Batch-file-based loader used by GrayAlpha for initial compromise via trojanized downloads.

Checkmarks

attack platform, malicious

Automated platform for SQL injection attacks against public-facing web servers.

AvNeutralizer

EDR evasion tool, malicious

EDR bypass tool designed to disable and evade endpoint detection and response solutions.

Termite

tunneling tool, malicious

Tunneling tool used to establish persistent network access and support lateral movement.

Indicators of Compromise

(8)
IOC values are defanged for safety
Type     Value                                       Notes
domain   comfrede[.]com                              C2 domain used in hospitality sector targeting
domain   julopos[.]com                               C2 infrastructure for GRIFFON malware
ip       185[.]180[.]197[.]36                        Carbanak C2 server infrastructure
ip       91[.]219[.]236[.]166                        C2 node linked to POS malware operations
hash     fcc2e3e2a9a2a2bdd5a5e5c6c0e34f13            Carbanak backdoor variant (MD5)
domain   advanced-ip-sccanner[.]com                  Typosquat of advanced-ip-scanner[.]com used in the U.S. automotive campaign, 2023-2024
domain   myipscanner[.]com                           Redirect domain in the automotive campaign, 2023-2024
hash     2fc8b38d3f40d8151ec717c8a8813cf06df90c10    AvNeutralizer EDR bypass tool (SHA-1), also detected in Black Basta intrusions
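The IOC table is published defanged, and the automotive-campaign entries show the pattern FIN7 uses for its typosquats (advanced-ip-sccanner[.]com is one inserted character away from the real vendor domain). The Python below is an added example for this page, not DFIRLab's matching engine: it refangs the indicators above, scans constructed DNS, proxy and EDR log lines for exact hits, and additionally flags any queried domain within edit distance 2 of a watched brand, so it also catches typosquats that are not yet on the list. The log lines, the brand watchlist and the distance threshold are assumptions made for the demo.

```python
import re

# Indicators copied from the IOC table above, in the defanged form published there
DEFANGED_IOCS = {
    "comfrede[.]com": "domain",
    "julopos[.]com": "domain",
    "185[.]180[.]197[.]36": "ip",
    "91[.]219[.]236[.]166": "ip",
    "fcc2e3e2a9a2a2bdd5a5e5c6c0e34f13": "hash",
    "advanced-ip-sccanner[.]com": "domain",
    "myipscanner[.]com": "domain",
    "2fc8b38d3f40d8151ec717c8a8813cf06df90c10": "hash",
}

# Legitimate domains to watch for lookalikes (assumption: the defender's own brand/vendor watchlist)
WATCHED_BRANDS = ("advanced-ip-scanner.com", "anydesk.com", "teamviewer.com")

DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
TOKEN_SPLIT = re.compile(r"""[\s=:/,"'<>]+""")


def refang(value: str) -> str:
    """Undo the common defanging conventions so indicators compare against real logs."""
    v = value.strip().lower()
    for src, dst in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("(dot)", "."),
                     ("[://]", "://"), ("[:]", ":")):
        v = v.replace(src, dst)
    return re.sub(r"^hxxp", "http", v)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between a queried domain and a brand signals typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def refanged_iocs(defanged=DEFANGED_IOCS):
    return {refang(k): v for k, v in defanged.items()}


def scan(lines, iocs=None, brands=WATCHED_BRANDS, max_distance=2):
    """Return (line_index, category, token) for exact IOC hits and brand lookalikes."""
    iocs = refanged_iocs() if iocs is None else iocs
    hits = []
    for idx, line in enumerate(lines):
        for tok in TOKEN_SPLIT.split(line.lower()):
            tok = refang(tok)  # harmless on normal logs, useful if someone pasted defanged text
            if tok in iocs:
                hits.append((idx, "ioc:" + iocs[tok], tok))
            if DOMAIN_RE.match(tok):
                for brand in brands:
                    # distance 0 is the brand itself; 1..max_distance is a lookalike
                    if 0 < levenshtein(tok, brand) <= max_distance:
                        hits.append((idx, "lookalike:" + brand, tok))
    return hits


# Constructed DNS / proxy / EDR log lines for the demo; none of this is real telemetry
SAMPLE_LOGS = [
    "2024-02-14T10:02:11Z dns src=10.20.5.17 qname=advanced-ip-sccanner.com qtype=A",
    "2024-02-14T10:02:13Z proxy src=10.20.5.17 dst=91.219.236.166:443 host=myipscanner.com uri=/download/ipscanner.exe",
    "2024-02-14T10:03:40Z edr host=POS-07 file=C:\\Users\\Public\\ipscan.exe sha1=2fc8b38d3f40d8151ec717c8a8813cf06df90c10",
    "2024-02-14T10:05:02Z dns src=10.20.5.22 qname=advanced-ip-scanner.com qtype=A",
    "2024-02-14T10:06:00Z dns src=10.20.5.30 qname=advanced-ip-scaner.com qtype=A",
]

if __name__ == "__main__":
    for idx, category, tok in scan(SAMPLE_LOGS):
        print(f"line {idx}: {category} {tok}")
```

The genuine vendor lookup on line 3 produces no hit (distance 0 is excluded), while line 4 is flagged as a lookalike even though that domain appears nowhere in the published IOCs. Keep the distance threshold low and the brand list short; at distance 3 or more on short domains the false-positive rate climbs quickly.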

Infrastructure

(6)
Domain values are defanged for safety
Domain / Host                 Type     Status    Last Checked   Notes
comfrede[.]com                c2       offline   Apr 2, 2026    C2 domain used in hospitality sector targeting
julopos[.]com                 c2       offline   Apr 2, 2026    C2 infrastructure for GRIFFON malware
185[.]180[.]197[.]36          ip       offline   Apr 2, 2026    Carbanak C2 server infrastructure
91[.]219[.]236[.]166          ip       offline   Apr 2, 2026    C2 node linked to POS malware operations
advanced-ip-sccanner[.]com    domain   offline   Apr 2, 2026    Typosquat domain, U.S. automotive campaign
myipscanner[.]com             domain   active    Apr 2, 2026    Redirect domain, U.S. automotive campaign

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References

(13)

MITRE ATT&CK - FIN7

https://attack.mitre.org/groups/G0046/

U.S. DOJ - Three Members of Notorious Cybercrime Group FIN7 Charged

https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100

Mandiant - FIN7 Evolution and Ransomware

https://www.mandiant.com/resources/evolution-of-fin7

FIN7 Reboot - Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks

https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/

GrayAlpha Unmasked: New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks

https://www.recordedfuture.com/research/grayalpha-uses-diverse-infection-vectors-deploy-powernet-loader-netsupport-rat

Threat Group FIN7 Targets the U.S. Automotive Industry

https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry

Microsoft: Notorious FIN7 hackers return in Clop ransomware attacks

https://www.bleepingcomputer.com/news/security/microsoft-notorious-fin7-hackers-return-in-clop-ransomware-attacks/

FIN7: Silent Push unearths 4000+ phishing and shell domains

https://www.silentpush.com/blog/fin7/

Threat hunting case study: Uncovering FIN7

https://www.intel471.com/blog/threat-hunting-case-study-uncovering-fin7

Financially motivated threat actors misusing App Installer

https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/

FIN7 Group Attributed to TAG-124 TDS and GrayAlpha Cluster Operations

https://www.sentinelone.com/labs/grayalpha-fin7-deploys-powernet-maskbat/

Microsoft Threat Intelligence: Sangria Tempest Shifts to Automated Attacks

https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/
(This URL is Microsoft's Flax Typhoon report, not a Sangria Tempest article; the link does not match the title.)

FIN7 Deploys Clop Ransomware in 2023 Campaign

https://www.bleepingcomputer.com/news/security/fin7-hackers-launch-darkside-ransomware-attacks/
(This URL is BleepingComputer's article on FIN7 and DarkSide ransomware, not the 2023 Clop campaign; the Clop activity is covered by the "Microsoft: Notorious FIN7 hackers return in Clop ransomware attacks" entry above.)