FIN7
FIN7 is a financially motivated cybercriminal group, active since at least 2012/2013 and assessed in reporting to originate from Russia. Known aliases include Carbon Spider, ELBRUS, G0046, Gold Niagara, ITG14, Sangria Tempest, and Carbanak. The group has targeted organizations in the hospitality, retail, finance, energy, and high-tech sectors; reporting also notes targeting of U.S.-based chain restaurants and of manufacturing, legal, public-sector, and automotive organizations.

Earlier activity focused on point-of-sale compromise and payment card theft. Since 2020 the group has shifted toward ransomware operations, with reported affiliations or collaboration involving REvil, Conti, Maze, Egregor, Black Basta, and operations described as Darkside and later BlackMatter.

Reporting describes FIN7 as technically sophisticated and well organized, using customized malware, phishing, underground personas, and staged infrastructure. Reported tooling includes Carbanak, DiceLoader/Lizar/IceBot, Powertrash, Core Impact implants, an SSH-based persistence backdoor, AvNeutralizer/AuKill, the JScript backdoor Bateleur, GGLDR, and Tinymet, plus activity overlapping with the GrayAlpha cluster. GrayAlpha overlaps with FIN7 and uses loaders such as PowerNet and MaskBat to deliver NetSupport RAT through fake browser update pages, fake 7-Zip download sites, and the TAG-124 traffic distribution system. FIN7 has also recently been observed deploying the Python-based Anubis backdoor.

Initial access and delivery tradecraft in the reporting includes phishing with macro-enabled Word documents, lures themed as encrypted Outlook or Google documents, and attachments that trick victims into double-clicking an image that actually launches a hidden LNK file. FIN7 has staged trojanized legitimate software bundled with an Atera agent installer on Amazon S3. The group has also been linked to automated SQL injection attacks against public-facing applications and to use of the Checkmarks platform.
Sophos reported a separate cluster, STAC5143, that copied the Storm-1811 playbook and which Sophos connected to FIN7/Sangria Tempest/Carbon Spider with medium confidence. That activity used email bombing, fake IT-support contact over Microsoft Teams, Teams remote screen control, Java payloads, ProtonVPN DLL sideloading, and Python RPivot components.

Observed FIN7 execution, persistence, and evasion behaviors include Windows services, Registry Run and RunOnce keys, Startup folder entries, scheduled tasks, WMI for malware installation, cmd.exe obfuscation, and anti-analysis and sandbox-evasion logic. Bateleur creates a scheduled task named GoogleUpdateTaskMachineSystem for persistence and communicates with its controller over HTTPS. FIN7 malware has created new Windows services and added itself to startup directories. For discovery, the group has run cmd.exe /C quser to enumerate user sessions and tasklist /v to enumerate processes, and it developed a custom video-recording capability to monitor victim environments.

A major theme in the reporting is FIN7's commercialization of offensive tooling. SentinelOne assessed with high confidence that FIN7 used the underground personas goodsoft, lefroggy, killerAV, and Stupor to advertise and sell AvNeutralizer on darknet and criminal forums. AvNeutralizer is a custom security-evasion tool built to disable or bypass endpoint protections, customized for each buyer's target security products, and sold for roughly $4,000 to $15,000. Reporting states that development began in April 2022 and that multiple ransomware operators later used it, including intrusions involving AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit. The latest version reportedly abused ProcLaunchMon.sys together with a Process Explorer driver to interfere with protected security processes.

The reporting also links FIN7 to exploitation of Veeam Backup & Replication vulnerabilities and notes overlap or possible connections with Black Basta and Cuba-related activity.
Proofpoint attributed Bateleur to FIN7 with high confidence, while Sophos assessed only medium-confidence links between FIN7 and STAC5143. Where attribution in the source material is qualified, that uncertainty is retained here.
Tradecraft
56 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
46 malware families attributed to this actor across reporting.
41 additional families tracked in Mallory.
Associated vulnerabilities
11 CVEs this actor has used in observed campaigns. 11 of them exploited in the wild.
The Checkmarks platform was developed by FIN7 as an automated attack system aimed primarily at exploiting public-facing Microsoft Exchange servers. It scans for and exploits targets at scale using the ProxyShell exploit chain, which abuses CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
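The Checkmarks ProxyShell chain described above leaves a recognizable shape in IIS logs. The following script is an added example, not Mallory's code and not taken from FIN7 or any vendor report, that triages constructed IIS W3C log lines for it. It assumes the server logs the fields listed in the #Fields header below; the client addresses, hostnames, and the X-Rps-CAT value are made up for the example, and the finding labels are the script's own.

```python
"""Triage IIS W3C logs for ProxyShell-style path-confusion requests.

Added example for the Checkmarks/ProxyShell passage above; it is not code
from Mallory, FIN7, or any vendor report. The log lines are constructed, and
the #Fields list is the one this example assumes the server emits.
"""
import re
from urllib.parse import unquote

# Constructed sample log. 198.51.100.7 issues a three-stage probe; the last
# two lines are ordinary OWA and Autodiscover traffic that must not fire.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-10 09:00:00 10.0.0.5 GET /autodiscover/autodiscover.json @test.example/autodiscover/autodiscover.json?@test.example&Email=autodiscover/autodiscover.json%3F@test.example 443 - 198.51.100.7 python-requests/2.28 200
2025-01-10 09:00:02 10.0.0.5 POST /autodiscover/autodiscover.json @test.example/mapi/nspi/?@test.example&Email=autodiscover/autodiscover.json%3F@test.example 443 - 198.51.100.7 python-requests/2.28 200
2025-01-10 09:00:03 10.0.0.5 POST /autodiscover/autodiscover.json @test.example/PowerShell/?@test.example&Email=autodiscover/autodiscover.json%3F@test.example&X-Rps-CAT=CONSTRUCTEDTOKEN 443 - 198.51.100.7 python-requests/2.28 200
2025-01-10 09:05:00 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example%2fowa%2f&reason=0 443 - 192.0.2.10 Mozilla/5.0 200
2025-01-10 09:06:00 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CORP\\bob 192.0.2.11 Microsoft+Office/16.0 200
"""

# The CVE-2021-34473 trick: a query that starts with "@domain/<backend path>"
# and an Email= parameter pointing back at autodiscover.json, so the front
# end treats the request as Explicit Logon and proxies the embedded path.
EXPLICIT_LOGON = re.compile(r"email=autodiscover/autodiscover\.json\?@", re.I)
BACKEND_PATHS = ("/mapi/nspi", "/ews/", "/powershell", "/ecp/")


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def classify(rec):
    """Return a finding tag for a ProxyShell-shaped request, else None."""
    stem = rec["cs-uri-stem"].lower()
    raw_query = rec["cs-uri-query"]
    if not stem.endswith("/autodiscover/autodiscover.json") or raw_query == "-":
        return None
    query = unquote(raw_query).lower()
    if not (query.startswith("@") and EXPLICIT_LOGON.search(query)):
        return None
    # Heuristic staging (this example's own labels, not a vendor taxonomy):
    # a PowerShell backend hit carrying X-Rps-CAT is the CVE-2021-34523
    # privilege-escalation stage; other backend paths are SSRF to that path.
    if "x-rps-cat=" in query:
        return "proxyshell_powershell_backend"
    for path in BACKEND_PATHS:
        if path in query:
            return "proxyshell_ssrf:" + path
    return "proxyshell_probe"


def triage(text):
    """Map each client IP to the ordered list of ProxyShell findings against it."""
    hits = {}
    for rec in parse_iis_log(text):
        tag = classify(rec)
        if tag:
            hits.setdefault(rec["c-ip"], []).append(tag)
    return hits


if __name__ == "__main__":
    for ip, tags in triage(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(tags))
```

The check keys on the Explicit Logon shape (query beginning with `@` plus `Email=autodiscover/autodiscover.json?@`) rather than on any one backend path, because the backend path is whatever the attacker wants proxied; the stage labels only add context once that invariant has matched.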
This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.
CVE-2019-0604, a critical vulnerability opening unpatched Microsoft SharePoint servers to attack, is being exploited by attackers to install a web shell... A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package...
6 more CVEs tied to this actor tracked in Mallory.
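The process-creation behaviors described in the profile and in the LNK detection above (Explorer launching cmd.exe or PowerShell from a shortcut, quser and tasklist /v discovery, Bateleur's GoogleUpdateTaskMachineSystem task, Run/RunOnce keys, WMI-driven execution) can be triaged from endpoint telemetry with one script. The following is an added example, not code from Mallory or any FIN7 report. It assumes Sysmon-style process-creation events with parent_image, image, and command_line fields; the sample feed, the suspicious-argument list, and the tag names are constructed for the example.

```python
"""Triage process-creation events for FIN7-style execution, persistence and discovery.

Added example; not code from Mallory or any FIN7 report. The events below are
constructed in a Sysmon Event ID 1 style, and the field names (parent_image,
image, command_line) are this example's own assumption about the feed.
"""
import json
import re

# Constructed sample feed. None of the paths, names or strings are real IOCs.
SAMPLE_JSONL = r"""
{"ts":"2025-01-10T09:00:01Z","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","command_line":"\"C:\\Windows\\System32\\cmd.exe\" /c start /min powershell -w hidden -enc SQBFAFgA"}
{"ts":"2025-01-10T09:00:05Z","parent_image":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\quser.exe","command_line":"quser"}
{"ts":"2025-01-10T09:00:06Z","parent_image":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\tasklist.exe","command_line":"tasklist  /v"}
{"ts":"2025-01-10T09:00:09Z","parent_image":"C:\\Windows\\System32\\wscript.exe","image":"C:\\Windows\\System32\\schtasks.exe","command_line":"schtasks /Create /F /SC MINUTE /MO 10 /TN GoogleUpdateTaskMachineSystem /TR \"wscript.exe C:\\Users\\alice\\AppData\\Roaming\\update.js\""}
{"ts":"2025-01-10T09:00:12Z","parent_image":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\reg.exe","command_line":"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce /v svc /t REG_SZ /d C:\\Users\\alice\\AppData\\Roaming\\svc.exe"}
{"ts":"2025-01-10T09:00:20Z","parent_image":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","command_line":"wmic /node:FS01 process call create \"cmd.exe /c C:\\Windows\\Temp\\a.exe\""}
{"ts":"2025-01-10T09:01:00Z","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Notepad++\\notepad++.exe","command_line":"\"C:\\Program Files\\Notepad++\\notepad++.exe\" notes.txt"}
{"ts":"2025-01-10T09:02:00Z","parent_image":"C:\\Windows\\System32\\svchost.exe","image":"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe","command_line":"\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /ua /installsource scheduler"}
"""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Argument shapes that make an Explorer-launched shell worth a look. This is
# the example's own heuristic list, not a vendor signature.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*\s|-w(indowstyle)?\s+hidden|\biex\b|downloadstring|start\s+/min|mshta|certutil)",
    re.I,
)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\b", re.I)
TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)', re.I)
TASK_RUN = re.compile(r'/tr\s+("[^"]*"|\S+)', re.I)
# The real Google updater lives here; a GoogleUpdate* task pointing anywhere
# else is the Bateleur-style lookalike.
LEGIT_GOOGLE_UPDATER = "\\google\\update\\googleupdate.exe"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(jsonl):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(ev):
    """Return the list of finding tags for one process-creation event."""
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    cmd = ev["command_line"]
    findings = []

    # Explorer spawning a shell is how a double-clicked LNK (or an "image"
    # that is really an LNK) turns into code execution.
    if parent == "explorer.exe" and child in SHELLS:
        tag = "explorer_spawns_shell"
        if SUSPICIOUS_ARGS.search(cmd):
            tag += "+suspicious_args"
        findings.append(tag)

    # Discovery commands the profile attributes to FIN7.
    if child == "quser.exe" or re.search(r"\bquser\b", cmd, re.I):
        findings.append("session_discovery_quser")
    if child == "tasklist.exe" and re.search(r"\s/v\b", cmd, re.I):
        findings.append("process_discovery_tasklist_v")

    # Persistence: scheduled tasks (Bateleur's Google-lookalike name),
    # Run/RunOnce keys, new services; WMI used to launch or install malware.
    if child == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        m_name, m_run = TASK_NAME.search(cmd), TASK_RUN.search(cmd)
        name = m_name.group(1).lower() if m_name else ""
        action = m_run.group(1).lower() if m_run else ""
        if name.startswith("googleupdate") and LEGIT_GOOGLE_UPDATER not in action:
            findings.append("lookalike_google_update_task")
        else:
            findings.append("scheduled_task_created")
    if child == "reg.exe" and re.search(r"\badd\b", cmd, re.I) and RUN_KEY.search(cmd):
        findings.append("run_key_persistence")
    if child == "sc.exe" and re.search(r"\bcreate\b", cmd, re.I):
        findings.append("service_created")
    if child == "wmic.exe" and re.search(r"process\s+call\s+create", cmd, re.I):
        findings.append("wmi_process_create")
    return findings


def triage(jsonl):
    """Return (timestamp, image basename, findings) for every event that fired."""
    out = []
    for ev in parse_events(jsonl):
        hits = detect(ev)
        if hits:
            out.append((ev["ts"], basename(ev["image"]), hits))
    return out


if __name__ == "__main__":
    for ts, image, hits in triage(SAMPLE_JSONL):
        print(ts, image, ", ".join(hits))
```

Explorer spawning a shell fires on its own because that is the LNK-execution shape; the argument heuristics only raise the tag's weight, so the benign Explorer-to-Notepad++ and scheduler-to-GoogleUpdate.exe events in the sample stay silent while the lookalike task name is caught by comparing the task action against the legitimate updater path.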
Observables
295 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Financially motivated threat group linked to attacks exploiting Veeam Backup & Replication vulnerabilities and noted as often collaborating with multiple ransomware groups.
Named threat actor referenced in global threat reporting.
On the Hunt for FIN7 (show notes)