Mallory
1 malware family. Exploits CVEs in the wild.

FIN4

Also known as: FIN4

FIN4 is a threat actor associated with stealing insider information for advantage in stock trading. Reporting describes FIN4 sending spearphishing emails, often from compromised accounts, carrying malicious links or attachments that frequently contained embedded malicious macros. FIN4 also reused stolen legitimate documents as phishing lures and relied on the user executing the malicious file. With stolen legitimate credentials, the actor accessed and hijacked victims' online email communications, including logging into victim email accounts via Tor. FIN4 also presented victims with spoofed Windows Authentication prompts to collect credentials. For network communications and data transmission, FIN4 used HTTP POST requests. Known alias: fin4.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

MITRE ATT&CK

Tradecraft

32 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics, 49 techniques. ×N = number of intelligence reports citing this technique.

TA0043 Reconnaissance (1 technique)
  T1595 Active Scanning

TA0042 Resource Development (2 techniques)
  T1587 Develop Capabilities
    T1587.002 Code Signing Certificates
  T1588 Obtain Capabilities
    T1588.004 Digital Certificates

TA0001 Initial Access (3 techniques)
  T1078 Valid Accounts ×10
  T1190 Exploit Public-Facing Application
  T1566 Phishing
    T1566.001 Spearphishing Attachment ×25
    T1566.002 Spearphishing Link ×6

TA0002 Execution (2 techniques)
  T1059 Command and Scripting Interpreter
    T1059.001 PowerShell ×2
    T1059.005 Visual Basic ×5
  T1204 User Execution
    T1204.001 Malicious Link
    T1204.002 Malicious File ×11

TA0003 Persistence (3 techniques)
  T1078 Valid Accounts ×10
  T1098 Account Manipulation ×2
    T1098.003 Additional Cloud Roles
  T1137 Office Application Startup

TA0004 Privilege Escalation (2 techniques)
  T1078 Valid Accounts ×10
  T1098 Account Manipulation ×2
    T1098.003 Additional Cloud Roles

TA0005 Stealth (3 techniques)
  T1036 Masquerading
    T1036.008 Masquerade File Type
  T1078 Valid Accounts ×10
  T1564 Hide Artifacts
    T1564.006 Run Virtual Instance

TA0006 Credential Access (4 techniques)
  T1056 Input Capture
    T1056.002 GUI Input Capture
  T1110 Brute Force
  T1552 Unsecured Credentials
  T1621 Multi-Factor Authentication Request Generation

TA0007 Discovery (1 technique)
  T1087 Account Discovery
    T1087.002 Domain Account

TA0009 Collection (2 techniques)
  T1056 Input Capture
    T1056.002 GUI Input Capture
  T1114 Email Collection
    T1114.002 Remote Email Collection ×5

TA0011 Command and Control (6 techniques)
  T1071 Application Layer Protocol
    T1071.001 Web Protocols ×7
  T1090 Proxy
    T1090.003 Multi-hop Proxy ×3
  T1105 Ingress Tool Transfer
  T1219 Remote Access Tools
  T1572 Protocol Tunneling
  T1573 Encrypted Channel
    T1573.002 Asymmetric Cryptography

TA0010 Exfiltration (1 technique)
  T1041 Exfiltration Over C2 Channel ×3

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (32)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (1)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (1)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.