Skip to main content
Mallory
Back to threat actors
Financially Motivated34 malware familiesExploits CVEs in the wild

FIN6

Also known asCamouflage TempestFIN6gold_franklingolden_chickensITG08Magecart Group 6SKELETON SPIDERStorm-0538ta4557TAALVENOM SPIDER

FIN6 is a financially motivated threat actor also referenced in the provided content by the aliases Camouflage Tempest, Golden Chickens, Gold Franklin, ITG08, Magecart Group 6, Skeleton Spider, Storm-0538, TA4557, TAAL, and Venom Spider. The content describes FIN6 as targeting payment card data, including collecting and exfiltrating payment card data from compromised systems and using malicious JavaScript to steal payment card data from e-commerce sites. Reported tradecraft includes use of Registry Run keys and scheduled tasks for persistence for downloader tools HARDTACK and SHIPBREAD and FrameworkPOS; PowerShell for access into merchant networks and for downloading and executing shellcode; WMI to automate remote execution of PowerShell scripts; Plink to create SSH tunnels to command-and-control servers; scripting to iterate through compromised point-of-sale systems, copy data to log files, and remove original data files; use of tools such as Mimikatz, Cobalt Strike, AdFind, and Stealer One; targeting of email, file transfer utilities including FTP, and web browsers for credential theft; disabling security tools with a kill.bat script; compressing data on remote systems and moving it to staging systems before exfiltration; removing files from victim machines; and delivering malicious attachments by email. Additional reporting in the provided content notes FIN6 used public tools including osql.exe to map internal networks and conduct reconnaissance against Active Directory, SQL servers, and NetBIOS; used RDP for lateral movement; and used Windows Credential Editor and Metasploit's PsExec NTDSGRAB module to obtain a copy of a victim Active Directory database.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

57 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

15 of 15 tactics83 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1595
Active Scanning
TA0042
Resource Development
2 techniques
T1588
Obtain Capabilities
T1588.002
Tool
T1608
Stage Capabilities
TA0001
Initial Access
1 technique
T1566
Phishing
T1566.001×2
Spearphishing Attachment
T1566.002
Spearphishing Link
TA0002
Execution
7 techniques
T1047
Windows Management Instrumentation
T1053
Scheduled Task/Job
T1053.005×3
Scheduled Task
T1059×4
Command and Scripting Interpreter
T1059.001×8
PowerShell
T1059.003×4
Windows Command Shell
T1059.007×2
JavaScript
T1129×3
Shared Modules
T1203
Exploitation for Client Execution
T1204
User Execution
T1204.002×3
Malicious File
T1574
Hijack Execution Flow
TA0003
Persistence
2 techniques
T1053
Scheduled Task/Job
T1053.005×3
Scheduled Task
T1547
Boot or Logon Autostart Execution
T1547.001×5
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
4 techniques
T1053
Scheduled Task/Job
T1053.005×3
Scheduled Task
T1068×3
Exploitation for Privilege Escalation
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
T1547
Boot or Logon Autostart Execution
T1547.001×5
Registry Run Keys / Startup Folder
TA0005
Stealth
7 techniques
T1027
Obfuscated Files or Information
T1027.010×2
Command Obfuscation
T1027.013
Encrypted/Encoded File
T1027.014
Polymorphic Code
T1070
Indicator Removal
T1070.004×3
File Deletion
T1140
Deobfuscate/Decode Files or Information
T1218
System Binary Proxy Execution
T1218.014
MMC
T1497
Virtualization/Sandbox Evasion
T1497.003
Time Based Checks
T1564
Hide Artifacts
T1564.006
Run Virtual Instance
T1574
Hijack Execution Flow
TA0112
Defense Impairment
2 techniques
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
T1553
Subvert Trust Controls
T1553.002
Code Signing
TA0006
Credential Access
3 techniques
T1003×2
OS Credential Dumping
T1003.003
NTDS
T1539
Steal Web Session Cookie
T1555×3
Credentials from Password Stores
T1555.003
Credentials from Web Browsers
TA0007
Discovery
7 techniques
T1012
Query Registry
T1016
System Network Configuration Discovery
T1016.001
Internet Connection Discovery
T1018×4
Remote System Discovery
T1046
Network Service Discovery
T1087
Account Discovery
T1087.002×2
Domain Account
T1497
Virtualization/Sandbox Evasion
T1497.003
Time Based Checks
T1518
Software Discovery
T1518.001
Security Software Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.001
Remote Desktop Protocol
TA0009
Collection
4 techniques
T1005×2
Data from Local System
T1074
Data Staged
T1113
Screen Capture
T1560
Archive Collected Data
TA0011
Command and Control
6 techniques
T1071
Application Layer Protocol
T1071.001×2
Web Protocols
T1090
Proxy
T1105
Ingress Tool Transfer
T1571
Non-Standard Port
T1572×3
Protocol Tunneling
T1573
Encrypted Channel
T1573.001
Symmetric Cryptography
TA0010
Exfiltration
1 technique
T1041
Exfiltration Over C2 Channel
TA0040
Impact
4 techniques
T1486×2
Data Encrypted for Impact
T1489
Service Stop
T1490
Inhibit System Recovery
T1529
System Shutdown/Reboot
ARSENAL

Associated malware families

34 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
More_eggsThe payload used in the infection chain of this recent activity is the group’s notorious More_eggs malware, a backdoor capable of harvesting sensitive information and carrying out several additional tasks.9May 25, 2026
Stealer OneFIN6 has used the Stealer One credential stealer to target web browsers.6May 26, 2026
TerraLoaderVenom Spider, also known as GOLDEN CHICKENS, is a threat actor known for offering Malware-as-a-Service (MaaS) tools like VenomLNK, TerraLoader, TerraStealer, and TerraCryptor.6May 31, 2026
TerraLogger"Unlike its data-sucking counterpart TerraStealerV2, TerraLogger takes a simpler... approach by capturing keystrokes..."6Mar 18, 2026
TerraStealerV2"C. TerraStealerV2 Credential-harvesting malware targeting browsers, FTP clients, and email platforms."6Mar 18, 2026

29 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.

CVE-2010-4398Driver Improper Interaction with Windows Kernel Vulnerability in win32k.sysIn the wildEvidence2

Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.

CVE-2011-2005Ancillary Function Driver Elevation of Privilege in afd.sysIn the wildEvidence2

FIN6 ... targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges.

CVE-2013-3660Win32k EPATHOBJ::pprFlattenRec local privilege escalationIn the wildEvidence2

FIN6 ... targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

IOCS

Observables

89 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

89 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
slideshareNews
May 21, 2026
Hunting for Credentials Dumping in Windows Environment | PDF

Uses Windows Credential Editor and Metasploit PsExec NTDSGRAB to dump credentials and obtain copies of Active Directory databases.

Read more
malpediaNews
May 14, 2026
Turla (Threat Actor)

Named threat actor referenced in global threat reporting.

Read more
splunk researchNews
May 3, 2026
Detection: Linux Auditd Copy Fail Privilege Escalation | Splunk Security Content

Listed in the detection annotations as a threat actor associated with exploitation for privilege escalation.

Read more
splunk researchNews
Apr 22, 2026
Detection: PowerShell PInvoke Process Injection API Chain | Splunk Security Content

Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.

Read more
+196 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping57

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal34

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs4

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables89

Domains, IPs, and hashes tied to this actor, refreshed continuously.