DFIRLab

Security research, threat intelligence, and free DFIR tools.

© 2026 DFIR Lab. All rights reserved.

FIN7

Also known as: Carbanak, Carbon Spider, ELBRUS, Sangria Tempest, ITG14, Navigator Group, GrayAlpha, Savage Ladybug, Storm-0324, Storm-1674, Storm-1811, STAC5143, WaterSeed, UNC3319, Gold Niagara

Active | Expert | Eastern Europe | MITRE G0046

0 Campaigns
45 Techniques
42 IOCs
50 Tools
0 Matches
6 Infrastructure

Overview

FIN7 (Sangria Tempest) is a sophisticated, financially motivated threat actor active since at least 2013, known for targeting point-of-sale systems and payment card data and, more recently, for deploying ransomware. Between 2023 and 2025 the group significantly evolved its operations, shifting to automated attack platforms, enhanced EDR bypasses, and sophisticated phishing infrastructure. FIN7 operates through sub-clusters, including GrayAlpha, which deployed the custom PowerNet and MaskBat loaders via fake 7-Zip downloads and the undocumented TAG-124 traffic distribution system (TDS) network. The group deployed Clop ransomware in April 2023 (its first ransomware campaign since late 2021), targeted the U.S. automotive industry in late 2023 and 2024, and expanded its infrastructure to over 4,000 typosquatting domains mimicking brands such as Google, Microsoft 365, and American Express. FIN7 continues to develop the AvNeutralizer EDR bypass tool and uses the Checkmarks platform for automated SQL injection against public-facing servers. The group also uses the OpenDir network for malware distribution and has maintained operational resilience through compartmentalized teams despite the 2018 arrests of key members. Recent campaigns rely on social engineering such as fake job offers, IT support impersonation, and supply chain compromises.

Motivations

Financial Gain, Cybercrime

Target Sectors

Financial Services, Hospitality, Restaurant, Retail, Technology, Gaming, Healthcare, Automotive, Defense, Insurance, Transportation, Cloud Services, Media, Food and Beverage, Pharmaceutical, Utilities, Medical Equipment, Software, Consulting, Telecommunications, Restaurants, Aerospace, Manufacturing, Legal, Professional Services, Casinos, Legal Services, Defense Industrial Base, Information Technology, Casino

Activity Timeline

First Seen

Jan 2013

Last Seen

Jan 2024

Quick Facts

Origin: Eastern Europe
Sophistication: Expert
Status: Active
MITRE Group: G0046

MITRE ATT&CK Techniques (45)

Initial Access

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1189

Drive-by Compromise

Gain access through a user visiting a compromised website during normal browsing.

T1566.002

Spearphishing Link

Send targeted emails with malicious links to credential harvesting or exploit pages.

Other

T1204.002, T1059.005, T1059.007, T1071.001, T1027.010, T1053.005, T1091, T1195.002, T1204.001, T1136.001, T1543.003, T1176, T1199, T1210, T1583.001, T1583.003, T1608.001, T1608.004, T1218.011, T1218.005, T1562.001, T1588.002, T1583.006, T1114.001, T1592.002, T1589.002, T1598.003

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

Defense Evasion

T1055

Process Injection

Inject code into running processes to evade defenses and elevate privileges.

T1036

Masquerading

Disguise malicious artifacts by manipulating names or locations to appear legitimate.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Persistence

T1547

Boot or Logon Autostart Execution

Configure code to run automatically during system boot or user logon.

Lateral Movement

T1570

Lateral Tool Transfer

Transfer tools and files between compromised systems within the network.

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

Command and Control

T1090

Proxy

Route C2 traffic through intermediary proxies to obscure the source.

Tools & Malware (50)

Carbanak (malware, Malicious)

Signature backdoor used in billion-dollar bank heists. Provides full remote access to compromised banking systems, including screen recording, keylogging, and the ability to manipulate ATM/SWIFT transactions.

GRIFFON (malware, Malicious)

JavaScript-based backdoor delivered via spear-phishing. Lightweight initial access tool that profiles victims before heavier Carbanak or Cobalt Strike payloads are deployed.

HALFBAKED (malware, Malicious)

Multi-purpose backdoor with screenshot, keylogging, and file exfiltration capabilities. Used as the primary implant in hospitality and restaurant sector attacks.

PILLOWMINT (malware, Malicious)

Point-of-sale (POS) RAM scraper that extracts credit card data from the memory of payment processing applications. Deployed on POS terminals in restaurant chains.

BOATLAUNCH (malware, Malicious)

Utility module that patches PowerShell processes in memory to bypass AMSI (Antimalware Scan Interface), allowing malicious PowerShell scripts to execute undetected.

POWERPLANT (malware, Malicious)

PowerShell-based backdoor framework used for persistent access. Supports dynamic module loading and uses multiple layers of obfuscation to evade detection.

BIRDWATCH (malware, Malicious)

.NET-based downloader that retrieves and executes secondary payloads. Used as an intermediary between initial spear-phishing access and deployment of the main backdoors.

Cobalt Strike (framework, Legitimate)

Primary post-exploitation framework. FIN7 uses heavily customized Cobalt Strike builds with unique malleable C2 profiles to evade network detection signatures.

Metasploit (framework, Legitimate)

Open-source penetration testing framework used alongside Cobalt Strike for exploitation, privilege escalation, and payload delivery.

BadUSB (exploit kit, Malicious)

Weaponized USB devices mailed to targets disguised as Best Buy gift cards or COVID-19 guidance. The devices emulate a keyboard and execute PowerShell commands on insertion.

Mimikatz (framework, Legitimate)

Credential harvesting tool used to extract POS terminal credentials, domain admin hashes, and Kerberos tickets for lateral movement within retail networks.

AnyDesk (legitimate tool, Legitimate)

Legitimate remote desktop software deployed for persistent access to compromised systems. Used as a fallback if primary C2 channels are disrupted.

TeamViewer (legitimate tool, Legitimate)

Remote access tool deployed on compromised POS management servers. Provides hands-on-keyboard access for manual operations during heist execution.

Advanced IP Scanner (legitimate tool, Legitimate)

Network discovery tool used to map internal networks after initial compromise, identifying POS terminals, domain controllers, and payment processing servers.

PowerShell (os utility, Legitimate)

Central to FIN7 operations: used for fileless execution, AMSI bypass, payload staging, and lateral movement throughout compromised retail/restaurant networks.

Combi Security / Bastion Secure (legitimate tool, Malicious)

Front companies established by FIN7 to recruit penetration testers who unknowingly developed offensive tools and conducted attacks on real targets.

PowerNet (Loader, Malicious)

Custom PowerShell-based loader deployed by the GrayAlpha sub-cluster via fake software downloads.

MaskBat (Loader, Malicious)

Batch-file-based loader used by GrayAlpha for initial compromise via trojanized downloads.

Checkmarks (Exploit, Malicious)

Automated platform for SQL injection attacks against public-facing web servers.

AvNeutralizer (Other, Malicious)

EDR bypass tool designed to disable and evade endpoint detection and response solutions.

Termite (Backdoor, Malicious)

Tunneling tool used to establish persistent network access and enable lateral movement.

DICELOADER (Loader, Malicious)

Malware loader used to deploy additional payloads and maintain persistence.

BIRDDOG (Backdoor, Malicious)

JavaScript-based backdoor providing remote access capabilities.

SQLRat (Backdoor, Malicious)

Backdoor that uses SQL Server for command and control communications.

Astra (Stealer, Malicious)

Information stealer targeting credentials and sensitive data.

Lizar (Backdoor, Malicious)

Modular backdoor, also known as Tirion, used for reconnaissance and data theft.

Bateleur (Backdoor, Malicious)

JScript-based backdoor deployed via malicious LNK files in phishing campaigns.

Meterpreter (RAT, Legitimate)

Legitimate Metasploit payload used by FIN7 for post-exploitation.

DNSMessenger (Backdoor, Malicious)

Fileless backdoor that uses DNS queries for command and control communications.

BOOSTWRITE (Loader, Malicious)

Custom loader used to execute shellcode and deploy additional malware.

POWERSOURCE (Backdoor, Malicious)

PowerShell-based backdoor for persistent access and command execution.

BABYMETAL (Backdoor, Malicious)

Lightweight reconnaissance and execution backdoor deployed in the initial compromise stages.

POWERTRASH (Backdoor, Malicious)

PowerShell backdoor used to establish persistence and execute commands.

DNSBot (Backdoor, Malicious)

DNS tunneling backdoor used by FIN7 for covert command and control communications.

Black Basta (Other, Malicious)

Ransomware deployed by FIN7 in campaigns starting in 2022.

NetSupport RAT (RAT, Legitimate)

Legitimate remote administration tool abused for unauthorized access.

AuroraStealer (Stealer, Malicious)

Information stealer targeting credentials and sensitive data.

Loadout (Loader, Malicious)

Multi-stage loader used to deploy final payloads while evading detection.

SQLMaggie (Other, Malicious)

Database manipulation tool used for SQL injection and data extraction from compromised databases.

Tirion (Loader, Malicious)

Custom loader used to deploy additional payloads and maintain persistence.

AuditCred (Stealer, Malicious)

Credential harvesting tool targeting browser credentials and password managers.

NetSupport Manager (RAT, Legitimate)

Legitimate remote administration tool abused by FIN7 for remote access in intrusion campaigns.

SQLMap (Exploit, Legitimate)

SQL injection tool integrated into the Checkmarks platform for automated exploitation.

Anubis (Loader, Malicious)

Shellcode loader used to deploy second-stage payloads while evading endpoint protection.

BlackMatter (Other, Malicious)

Ransomware variant deployed in financially motivated attacks.

DarkSide (Other, Malicious)

Ransomware-as-a-Service used in extortion campaigns.

NetSupport Manager RAT (RAT, Legitimate)

Legitimate remote administration tool weaponized by FIN7 for remote access and control in recent campaigns.

AuKill (Exploit, Malicious)

EDR killer tool that exploits vulnerable drivers to disable security solutions; used before ransomware deployment.

BELLHOP (Loader, Malicious)

Shellcode loader used to deploy additional payloads while evading detection.

Liquor (Loader, Malicious)

Backdoor loader used in FIN7 campaigns to establish initial access and download additional payloads.

Indicators of Compromise (42)

IOC values are defanged for safety.

Type | Value | Notes
domain | comfrede[.]com | C2 domain used in hospitality sector targeting
domain | julopos[.]com | C2 infrastructure for GRIFFON malware
ip | 185[.]180[.]197[.]36 | Carbanak C2 server infrastructure
ip | 91[.]219[.]236[.]166 | C2 node linked to POS malware operations
hash | fcc2e3e2a9a2a2bdd5a5e5c6c0e34f13 | Carbanak backdoor variant (MD5)
domain | advanced-ip-sccanner[.]com | Typosquatting domain used in U.S. automotive campaign 2023-2024
domain | myipscanner[.]com | Redirect domain in automotive campaign 2023-2024
hash | 2fc8b38d3f40d8151ec717c8a8813cf06df90c10 | AvNeutralizer EDR bypass tool, detected in Black Basta intrusions
ip | 38[.]180[.]138[.]251 | C2 server for Post-Connect.jar malware observed in 2024 VEILDrive campaign
domain | microsoftwindowsdefender[.]com | Typosquatting domain used in 2023 phishing campaigns
domain | amazon-aws[.]org | Typosquatting domain, part of FIN7 infrastructure
domain | appleid-verify[.]com | Phishing domain used to impersonate Apple services
domain | awscloud-essential[.]com | Typosquatting domain used in 2024 phishing campaigns
domain | microsoftword-office[.]com | Typosquatting domain used for credential harvesting
domain | amazon-aws-login[.]com | Phishing infrastructure mimicking AWS login pages
domain | microsoftmng[.]com | Typosquatting domain used in 2024 campaigns
domain | amexconnect[.]com | American Express typosquatting domain used for credential harvesting
domain | googledownloads[.]net | Google typosquatting domain distributing malware
domain | zohoassist[.]eu | Typosquatting domain used in FIN7 phishing campaigns impersonating legitimate remote support services
domain | anydesksupport[.]info | Malicious domain used by FIN7 to distribute fake remote desktop software
domain | awscloud-security[.]com | Infrastructure domain used in FIN7 campaigns targeting cloud service users
domain | microsoftonline-office[.]com | Phishing domain used in 2024 campaigns impersonating Microsoft services
domain | secure-amexlogin[.]com | Typosquatting domain targeting American Express users
domain | googledrive-docs[.]com | Typosquatting domain mimicking Google Drive for credential harvesting
domain | microsoftdefenderes[.]com | Typosquatting domain used in 2024 phishing campaigns impersonating Microsoft Defender
domain | amazon-aws-security[.]com | Phishing domain used to target AWS users in 2024
domain | corekernell[.]com | C2 domain used in FIN7 operations
domain | mswordeditor[.]com | Phishing domain used in FIN7 campaigns
domain | microsoftonedrive[.]co | Typosquatting domain impersonating Microsoft OneDrive
domain | advancedipscanner-download[.]com | Typosquatting domain impersonating Advanced IP Scanner, used in 2024 campaign
domain | anydesk-download[.]com | Typosquatting domain impersonating AnyDesk for malware delivery
domain | apc-update[.]com | Typosquatting domain used in supply-chain-themed attacks
domain | legal-advices[.]com | FIN7 phishing infrastructure used in 2024 campaigns
domain | arazhelp[.]com | FIN7 command and control domain associated with 2024 operations
domain | best7zip[.]com | Fake 7-Zip download site distributing malware as part of GrayAlpha operations
domain | microsoftdefender-update[.]com | Typosquatting domain used in 2024 phishing campaigns
domain | aws-cloud-service[.]com | Malicious domain mimicking AWS for credential harvesting
domain | zoomconference[.]net | Typosquatting domain distributing malware through fake meeting invites
domain | americanexpress-check[.]com | Typosquatting domain impersonating American Express for credential phishing
domain | microsoftoffice365-login[.]com | Typosquatting domain mimicking Microsoft 365 login portal
domain | filetransfer[.]io | FIN7 phishing infrastructure domain used in 2023-2024 campaigns
domain | wetransfer[.]link | Typosquatting domain used by FIN7 for malware delivery

Infrastructure (6)

Domain values are defanged for safety.

Domain / Host | Type | Status | Last Checked | Notes
comfrede[.]com | c2 | offline | Apr 2, 2026 | C2 domain used in hospitality sector targeting
julopos[.]com | c2 | offline | Apr 2, 2026 | C2 infrastructure for GRIFFON malware
185[.]180[.]197[.]36 | ip | offline | Apr 2, 2026 | Carbanak C2 server infrastructure
91[.]219[.]236[.]166 | ip | offline | Apr 2, 2026 | C2 node linked to POS malware operations
advanced-ip-sccanner[.]com | domain | offline | Apr 2, 2026 |
myipscanner[.]com | domain | active | Apr 2, 2026 |

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.
