active threat profile
type Cybercrime
threat_level High
status Active
origin Eastern Europe — organized crime
last_updated 2025-03-27

FIN6

also known as: ITG08, Skeleton Spider, Camouflage Tempest, Magecart Group 6, Gold Franklin, TA4557, TAAL, G0037

A financially motivated Eastern European crew whose evolution traces the entire arc of modern payment card crime: from point-of-sale malware in hospitality and retail (2015), to Magecart JavaScript skimmers on e-commerce checkout pages (2018), to ransomware partnerships with Ryuk and LockerGoga (2019), to their current tactic of flipping the LinkedIn job scam — posing as job seekers to deliver More_eggs to recruiters and HR departments (2024–2025). Stolen card data has been sold on underground markets including JokerStash, generating tens of millions of dollars over the group's operational history.

attributed origin Eastern Europe (organized crime)
suspected sponsor None — financially motivated
first observed 2012–2015
primary motivation Financial — card theft, ransomware, credential theft
primary targets Retail, Hospitality, E-Commerce, HR / Recruitment
known campaigns 10+ confirmed
mitre att&ck group G0037
target regions North America, Europe, Global (e-commerce)
threat level High

Overview

FIN6 is one of the most documented and longest-running financially motivated cybercrime groups in the threat intelligence record. Operational since at least 2012 and first publicly named by FireEye/Mandiant in 2016, the group is composed of Eastern European organized crime actors whose consistent objective has been the monetization of payment card data at scale. Over the course of a decade, FIN6 has systematically moved from one payment card attack surface to the next as each became less profitable or more defended — a pattern that distinguishes it from static criminal operations and marks it as an adaptable, operationally mature crew.

The group began by targeting physical point-of-sale terminals using FrameworkPOS malware, primarily in the US hospitality and retail sectors. As EMV chip adoption reduced the value of in-person card theft, FIN6 pivoted to e-commerce card skimming via injected JavaScript — a technique associated with the Magecart threat cluster, specifically Magecart Group 6. When skimming operations became more heavily monitored, the group moved again: into ransomware partnerships with Ryuk and LockerGoga operators, monetizing network access rather than harvesting cards directly. From 2019 through 2025, the group's primary access vector shifted again — to elaborate LinkedIn-based social engineering, posing first as recruiters offering fake jobs, then reversing the model to pose as applicants targeting recruiters and HR personnel with More_eggs malware.

FIN6 does not develop all of its tooling in-house. The group is a known customer of the Golden Chickens (Venom Spider) malware-as-a-service operation, which produces More_eggs, and has partnered with the TrickBot gang's Anchor framework. This willingness to buy, partner, and co-opt infrastructure from other criminal groups — combined with strong internal operational security, selective targeting, and geopolitical agnosticism — makes FIN6 a durable and formidable financial threat.

active campaign — 2025

As of June 2025, DomainTools confirmed FIN6 is actively running a recruiter-targeting campaign via LinkedIn and Indeed. The group poses as job seekers, builds rapport with hiring professionals, then directs them to AWS-hosted fake resume sites (registered anonymously via GoDaddy) that serve More_eggs via a CAPTCHA-gated ZIP download. Phishing emails contain no clickable links — recipients are instructed to type the domain manually, bypassing email security filters. Environmental fingerprinting serves harmless content to VPN connections and non-Windows systems, ensuring only corporate Windows workstations receive the payload.

Target Profile

FIN6's target selection has evolved in direct response to shifts in payment card security and the defensive landscape, but has remained anchored to environments that process or enable access to financial data.

  • Retail and hospitality (PoS era): Brick-and-mortar retailers, hotel chains, and restaurant groups in the United States and Europe were the group's original hunting ground. Targets were selected for high transaction volumes at physical payment terminals, with FrameworkPOS deployed to harvest card track data at scale.
  • E-commerce merchants: Following EMV chip adoption, FIN6 pivoted to card-not-present (CNP) fraud via Magecart-style JavaScript injection. High-value e-commerce platforms were targeted for checkout page skimming, with data sold to intermediaries or directly on underground markets. Compromised checkout pages from a single platform could enable simultaneous attacks across multiple merchants.
  • Enterprise networks (ransomware phase): In 2019 and 2020, FIN6 monetized established network access by deploying Ryuk, LockerGoga, and MegaCortex ransomware — a "big game hunting" shift that did not require the group to harvest card data directly. TrickBot botnet access provided the initial foothold for many of these intrusions.
  • HR and recruitment professionals: The current primary target is corporate recruiters and HR departments — personnel with access to corporate networks, credentials, and systems of high lateral movement value. The group first targeted job seekers on LinkedIn with fake job offers, then reversed the model in 2022–2025 to target the hiring side of the relationship by posing as applicants.
  • Multinational organizations broadly: By 2019, FIN6 had expanded beyond card-processing environments to target any enterprise where network access could be monetized — including pharmaceutical, entertainment, and financial services companies — via More_eggs initial access and follow-on ransomware or credential theft.

Tactics, Techniques & Procedures

FIN6's TTP set has evolved substantially across its operational history but maintains consistent patterns: selective social engineering for initial access, extensive use of living-off-the-land tools for lateral movement, and partnership with external criminal services for key capabilities.

MITRE ID / technique / description:

  • T1566.002 Spear-Phishing Link: Current primary access vector. Targets receive messages on LinkedIn or Indeed from fake job-seeker personas. Phishing emails are professionally written with no embedded links — recipients are instructed to manually type fake resume domains to bypass email security filters and link scanners.
  • T1566.001 Spear-Phishing Attachment: Used in earlier campaigns (2018–2019) delivering More_eggs via malicious Office documents with embedded JavaScript. Also used against e-commerce merchants, with malicious docs containing links to PowerShell scripts executed in memory only, leaving no files on disk.
  • T1059.007 JavaScript / More_eggs Backdoor: More_eggs (Terra Loader) is purchased from Golden Chickens (Venom Spider) as a MaaS offering. Delivered via LNK files in ZIP archives from fake resume sites. On execution, it abuses legitimate Windows processes, performs host reconnaissance, and beacons to C2 for secondary payloads including credential stealers and ransomware.
  • T1195 Supply Chain / Magecart Skimming: As Magecart Group 6, FIN6 injected malicious JavaScript into e-commerce checkout pages to exfiltrate payment card data in real time. Targeting platforms with many merchants on the same codebase multiplied the impact of a single injection. Skimmer scripts included anti-forensic self-removal capabilities.
  • T1486 Data Encrypted for Impact (Ransomware): FIN6 partnered with operators of Ryuk, LockerGoga, MegaCortex, and MAZE ransomware to monetize established network access. PsExec was used for mass deployment across AD-joined systems. In some cases, Group Policy Modification distributed ransomware to all domain machines simultaneously after Domain Admin credentials were acquired.
  • T1078 Valid Accounts / Credential Theft: Stealer One credential-harvesting malware targets email clients, browsers, FTP clients, and enterprise applications. Mimikatz is used for post-exploitation credential dumping. More_eggs secondarily harvests credentials for corporate bank accounts, email, and IT administrator accounts.
  • T1090 Proxy / Infrastructure Obfuscation: Fake resume domains are registered anonymously via GoDaddy privacy services and hosted on AWS EC2 or S3. AWS's trusted reputation reduces the likelihood that corporate web filters or email gateways will block the domains. Environmental fingerprinting serves benign content to VPN users and non-Windows systems, preventing sandbox detection.
  • T1059.001 PowerShell: Fileless PowerShell execution observed in e-commerce merchant targeting campaigns (2018–2019). Scripts were memory-resident only, did not download additional files, and granted direct access to the merchant's network. Meterpreter shells were used alongside PowerShell for persistence and lateral movement.
  • T1570 Lateral Tool Transfer / Living-off-the-land: FIN6 consistently uses legitimate administrative tools for lateral movement — PsExec, Metasploit/Meterpreter, CobaltStrike, WMIC, and ADFind for network reconnaissance and enumeration. SQL database server instances are specifically targeted during the reconnaissance phase for schema enumeration.
  • T1041 Exfiltration / Card Data Monetization: Harvested payment card data is sold on underground marketplaces — historically JokerStash (now defunct) and other dark web card shops. The group has sold millions of payment card records over its operational history. Data may also be passed through intermediaries rather than sold directly.

Known Campaigns

Confirmed or highly attributed operations spanning FIN6's decade-long operational history, reflecting the group's methodical pivot across payment card attack surfaces.

PoS Compromises — Hospitality and Retail (2015–2017)

FIN6's foundational campaign phase, publicly documented by Mandiant's "Follow the Money" report. The group targeted brick-and-mortar retailers and hospitality chains in the US and Europe, compromising point-of-sale systems with FrameworkPOS malware to harvest magnetic stripe track data from card transactions. Lateral movement used standard Windows administrative tools. Stolen card data was aggregated and sold in bulk on underground marketplaces including JokerStash, with millions of cards attributed to these operations.

More_eggs Initial Access — E-Commerce Targeting (2018–2019)

Visa's Payment Fraud Disruption team documented FIN6 targeting high-value e-commerce merchants via malicious documents delivering More_eggs as a first-stage payload. Executed PowerShell scripts were memory-resident only, leaving no disk artifacts. Post-compromise, the group moved laterally to identify POS and e-commerce environments, enumerate SQL database schemas, and inject skimmer JavaScript into checkout pages — marking the transition to Magecart Group 6 activity. Stolen data was sold to intermediaries or directly on dark web card markets.

Magecart Group 6 — E-Commerce JavaScript Skimming (2018–2020)

FIN6 was identified as Magecart Group 6, operating large-scale JavaScript skimming campaigns against e-commerce platforms. The group injected malicious checkout-page scripts that exfiltrated payment card data entered by shoppers in real time. Skimmer code included self-removal and anti-forensic features to hinder detection. By targeting e-commerce platforms with shared codebases across many merchants, FIN6 was able to compromise thousands of online shops through a small number of successful platform-level intrusions.
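The skimming described above works by getting an unexpected script, or a modified copy of an expected one, to run on the checkout page. The following is an added example, not code from this profile or from any vendor named in it, showing the defensive counterpart recommended later under "E-commerce integrity monitoring": pin each checkout script with a Subresource Integrity (SRI) hash, emit a Content Security Policy that restricts script sources, and periodically re-fetch what production actually serves and compare it against the pins. The script bodies, hostnames and the "served" snapshot are constructed for the example; the function names are my own.

```python
"""Pin checkout-page scripts with SRI and detect drift in what production serves.

Added example, not from the FIN6 profile. Sample scripts, hostnames and the
'served' snapshot below are constructed to show one modified and one injected
script being flagged.
"""
import base64
import hashlib


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity value ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src: str, body: bytes) -> str:
    """Build the <script> tag the page template should contain for this script."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def csp_header(allowed_hosts: list[str]) -> str:
    """Content-Security-Policy restricting scripts to 'self' plus named hosts.

    No 'unsafe-inline' and no wildcard, so an inline skimmer or a script pulled
    from an attacker host is refused by the browser even if the HTML is altered.
    """
    return ("script-src 'self' " + " ".join(allowed_hosts)
            + "; object-src 'none'; base-uri 'self'")


def verify_served(pinned: dict[str, str], served: dict[str, bytes]) -> dict[str, str]:
    """Compare a snapshot of served script bodies against the pinned SRI values.

    Returns one status per URL: ok, modified, missing, or unexpected.
    """
    report = {}
    for src, expected in pinned.items():
        if src not in served:
            report[src] = "missing"
        elif sri_hash(served[src]) != expected:
            report[src] = "modified"
        else:
            report[src] = "ok"
    for src in served:
        if src not in pinned:
            report[src] = "unexpected"   # a script the page was never meant to load
    return report


# Constructed baseline: the scripts the checkout page is supposed to load.
CHECKOUT_JS = "https://cdn.example-shop.test/checkout.js"
VALIDATE_JS = "https://cdn.example-shop.test/validate.js"
KNOWN = {
    CHECKOUT_JS: b"function pay(f){return fetch('/api/pay',{method:'POST',body:new FormData(f)});}",
    VALIDATE_JS: b"function luhn(n){return n.length>=13;}",
}
PINS = {src: sri_hash(body) for src, body in KNOWN.items()}

# Constructed snapshot of what production served on a later check:
# validate.js gained extra code, and a third script from a foreign host appeared.
SERVED = {
    CHECKOUT_JS: KNOWN[CHECKOUT_JS],
    VALIDATE_JS: KNOWN[VALIDATE_JS] + b"\n/* appended code */",
    "https://static.not-our-cdn.test/t.js": b"/* not part of the baseline */",
}

if __name__ == "__main__":
    for src, body in KNOWN.items():
        print(script_tag(src, body))
    print("Content-Security-Policy:", csp_header(["https://cdn.example-shop.test"]))
    for src, status in verify_served(PINS, SERVED).items():
        print(f"{status:10} {src}")
```

Two points on the design: the SRI pin only protects scripts the browser fetches through a tag carrying `integrity`, so the re-check in `verify_served` is what catches a script added to the HTML itself, and the CSP is what stops an injected inline block from running at all. In a real deployment the snapshot would come from fetching the live page and its script URLs rather than from a dict.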

Ransomware Partnerships — Ryuk, LockerGoga, MegaCortex, MAZE (2019–2020)

Mandiant's "Pick-Six" report documented FIN6 deploying Ryuk and LockerGoga ransomware against organizations that did not process PoS data — a significant shift in monetization strategy. The group leveraged TrickBot's Anchor framework (documented by IBM X-Force in 2020) to establish access to enterprise networks, then partnered with ransomware operators for final payload deployment. PsExec and Group Policy Modification were used to distribute ransomware across AD-joined domains simultaneously. MegaCortex and MAZE ransomware were subsequently attributed to the same infrastructure cluster.

LinkedIn Job Offer Lures — Fake Recruiter Campaign (2019–2022)

eSentire and other researchers documented FIN6 posing as recruiters on LinkedIn to target employees with fake job offers, delivering More_eggs via malicious ZIP files. Targeted individuals were handpicked from LinkedIn profiles in roles with high-value access. The attack chain used LNK files inside ZIP archives, with ie4uinit.exe and regsvr32.exe abused to load the malicious DLL and drop the More_eggs JavaScript backdoor. Campaigns were selective and sparse — consistent with a MaaS operation focused on avoiding defender attention.

Recruiter Targeting — Reversed Job Scam (2022–2025)

FIN6 reversed its earlier job-seeker targeting model, now posing as job applicants to target corporate recruiters and HR staff. eSentire first documented this tactic in 2022, targeting industrial services, aerospace/defense, law firms, CPA firms, and staffing agencies. By June 2025, DomainTools confirmed the tactic had evolved further: fake job-seeker personas on LinkedIn and Indeed direct recruiters to AWS-hosted fake portfolio sites registered anonymously via GoDaddy. Sites use CAPTCHA gating and environmental fingerprinting to deliver More_eggs ZIP archives only to corporate Windows workstations, evading sandbox analysis. Phishing emails contain no clickable links, requiring manual URL entry to bypass email security filters.

Tools & Malware

FIN6 operates a hybrid toolkit: proprietary PoS malware developed in-house, supplemented by purchased MaaS tooling and legitimate administrative utilities for post-exploitation.

  • FrameworkPOS: Custom point-of-sale malware used in the group's foundational retail and hospitality campaigns. Scraped magnetic stripe track data from the memory of PoS processes and staged it for exfiltration. Analysis of its internals revealed a distinctive obfuscation algorithm used for variant fingerprinting.
  • More_eggs (Terra Loader): JavaScript-based backdoor purchased from Golden Chickens (Venom Spider) as a MaaS offering. Delivered via LNK files in ZIP archives from fake resume or job application sites. Abuses legitimate Windows processes (ie4uinit.exe, regsvr32.exe) for execution and persistence. Performs host reconnaissance and beacons to C2 for secondary payloads. Notably low antivirus detection rates and bypasses application whitelisting.
  • Stealer One: Credential-harvesting malware targeting email clients, web browsers, FTP clients, and other credential-storing applications. Used during the reconnaissance phase to collect credentials for lateral movement and network mapping.
  • Magecart JavaScript skimmer: Custom malicious JavaScript injected into e-commerce checkout pages to capture payment card data submitted by shoppers in real time. Variants included anti-forensic self-removal code to hinder post-incident analysis.
  • TrickBot / Anchor framework: FIN6 partnered with the TrickBot gang to use the Anchor backdoor (including the Anchor_DNS variant communicating over DNS) for enterprise network access, particularly as a precursor to ransomware deployment.
  • Ryuk / LockerGoga / MegaCortex / MAZE: Ransomware families deployed in partnership with other criminal operators to monetize enterprise network access. FIN6 did not develop these payloads but provided the initial access and staging capabilities that preceded deployment.
  • Cobalt Strike / Meterpreter: Commercial and open-source post-exploitation frameworks used extensively for lateral movement, privilege escalation, and maintaining persistent access across victim networks. Meterpreter-based shells are a consistent element of FIN6's post-compromise toolkit.
  • Mimikatz: Open-source credential dumping tool used post-compromise to extract credentials from LSASS memory, enabling lateral movement and Domain Admin escalation required for mass ransomware deployment.

Indicators of Compromise

Publicly available IOCs from documented recent campaigns. Verify currency before operational use.

warning

FIN6 rotates fake resume domains frequently and registers new ones anonymously via GoDaddy. Listed domains should be treated as historical reference. Organizations should implement behavioral and pattern-based controls rather than relying on domain blocklists for this threat. AWS-hosted portfolio domains registered anonymously are a structural indicator of this campaign type.

indicators of compromise — linkedin / recruiter campaigns (2024–2025)

  • domain: bobbyweisman[.]com (fake resume site — 2025 campaign)
  • domain: ryanberardi[.]com (fake resume site — 2025 campaign)
  • domain: johncboins[.]com (fake resume site — late 2024 campaign)
  • infra pattern: Domains registered via GoDaddy privacy / hosted on AWS EC2 or S3
  • delivery: ZIP archive → LNK file → ie4uinit.exe / regsvr32.exe → More_eggs DLL
  • evasion: CAPTCHA gate + environmental fingerprinting (VPN / non-Windows = benign content)
  • certificate: Historical: "223647473 (MJO TM LTD)" signing cert — multiple related DLLs
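The delivery line above (ZIP archive → LNK file) is the part of the chain a mail or web gateway can inspect before anything runs. Below is an added example, not code from this profile, of a gateway-side check that opens a ZIP in memory and flags shortcut files. It matches on the `.lnk` extension and, independently, on the fixed 20-byte Shell Link header (HeaderSize 0x4C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046), so a shortcut renamed to `portfolio.pdf` is still caught, and it descends into nested ZIPs. The archives it scans are constructed inline; the function names are my own.

```python
"""Flag ZIP attachments that contain Windows shortcut (.lnk) files.

Added example, not from the FIN6 profile. Detects shortcuts by extension and by
the Shell Link file header, and recurses into nested ZIP members. All sample
archives are constructed in memory; none is a real campaign artifact.
"""
import io
import zipfile

# Fixed prefix of every Shell Link binary file (MS-SHLLINK section 2.1):
# HeaderSize = 0x0000004C, then LinkCLSID {00021401-0000-0000-C000-000000000046}
# serialised as Data1/Data2/Data3 little-endian and Data4 as raw bytes.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000000000000046")


def scan_zip(data: bytes, prefix: str = "", depth: int = 0) -> list[dict]:
    """Return one finding per shortcut found in the archive (nested ZIPs included).

    Each finding records the member path and which test matched. Recursion is
    capped at two levels of nesting so a crafted archive cannot make this loop.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            raw = zf.read(info)   # a production gateway would cap member size here
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = raw[: len(LNK_MAGIC)] == LNK_MAGIC
            if by_ext or by_magic:
                findings.append({"member": name, "by_ext": by_ext, "by_magic": by_magic})
            elif depth < 2 and zipfile.is_zipfile(io.BytesIO(raw)):
                findings.extend(scan_zip(raw, name + "/", depth + 1))
    return findings


def build_sample(members: dict[str, bytes]) -> bytes:
    """Construct an in-memory ZIP from {member_name: content} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples. FAKE_LNK carries only the header; it is not a working shortcut.
FAKE_LNK = LNK_MAGIC + b"\x00" * 60
BENIGN_ZIP = build_sample({"resume.pdf": b"%PDF-1.4 constructed placeholder"})
LURE_ZIP = build_sample({"resume.pdf.lnk": FAKE_LNK, "readme.txt": b"constructed"})
RENAMED_ZIP = build_sample({"portfolio.pdf": FAKE_LNK})   # extension lies, header does not
NESTED_ZIP = build_sample({"inner.zip": LURE_ZIP})

if __name__ == "__main__":
    for label, archive in [("benign", BENIGN_ZIP), ("lure", LURE_ZIP),
                           ("renamed", RENAMED_ZIP), ("nested", NESTED_ZIP)]:
        print(label, scan_zip(archive))
```

The header check matters more than the extension check: Windows decides how to open a file by its extension, but a double extension like `resume.pdf.lnk` is displayed as `resume.pdf` when extensions are hidden, and some filters only look at the name. Matching the Shell Link header catches both cases, and wiring the scanner into a gateway is then a policy choice between quarantine and outright block, as the mitigation section suggests.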

Mitigation & Defense

FIN6's current campaign posture makes HR and recruitment functions a primary attack surface. Defenses must address both the technical delivery chain and the social engineering preconditions that enable it.

  • HR and recruiter awareness training: FIN6's current tactic specifically targets recruiting staff. Train all personnel who review resumes or manage job applicant communications to verify identities through out-of-band channels before downloading files. Awareness of the role-reversal tactic — threat actors posing as applicants — is a specific gap most general phishing training does not address.
  • Block or alert on LNK files in ZIP archives: The current More_eggs delivery chain uses ZIP → LNK → malicious DLL. Email and web gateways should alert on or quarantine ZIP archives containing LNK files. Where LNK files have no legitimate business use in attachments, block outright.
  • Restrict ie4uinit.exe and regsvr32.exe abuse: More_eggs abuses these legitimate Microsoft binaries to load malicious DLLs. Application control policies (AppLocker, WDAC) should alert on ie4uinit.exe executing from non-standard paths and regsvr32.exe loading DLLs from user-writable directories.
  • Web proxy controls for manually typed URLs: FIN6's phishing emails deliberately avoid clickable links, requiring manual URL entry. This bypasses email link scanning but not web proxy controls. Ensure web proxy inspection and categorization covers newly registered domains regardless of how users navigate to them.
  • Monitor for AWS-hosted anonymous domains: The group consistently uses AWS EC2/S3 for fake resume hosting and GoDaddy for anonymous registration. Alert on employees navigating to newly registered domains hosted on AWS infrastructure, particularly from HR or recruiting workstations.
  • Detect PsExec and mass process spawning: FIN6's ransomware deployment phase uses PsExec for simultaneous mass execution across domain systems. Alert on PsExec activity originating from non-standard systems and monitor for rapid, AD-wide process spawning events.
  • Privileged credential protection: The group escalates to Domain Admin before ransomware deployment. Implement privileged access workstations (PAWs), tiered AD administration models, and Protected Users security group membership for high-privilege accounts to limit credential exposure from Mimikatz-style attacks.
  • E-commerce integrity monitoring: For organizations operating customer-facing checkout pages, deploy sub-resource integrity (SRI) checks on JavaScript, implement Content Security Policy (CSP) headers restricting script sources, and monitor for unauthorized modifications to checkout page code in production.
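Three of the bullets above describe behaviours that are observable in process-creation telemetry: regsvr32.exe loading a DLL from a user-writable directory, ie4uinit.exe running from outside the Windows system directories, and PsExec-driven mass execution of the same command across many domain hosts in a short window. The following is an added example, not code from this profile or from any EDR product, of those three checks expressed over Sysmon-style process-creation records. The events are constructed dicts with assumed field names (`ts`, `host`, `image`, `parent_image`, `cmdline`); hostnames and the executable names in the command lines are made up for the example.

```python
"""Detection logic for three FIN6 post-compromise behaviours from the mitigation list.

Added example, not from the FIN6 profile. Operates on simplified, constructed
process-creation events (Sysmon event ID 1 shaped); field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime
import ntpath
import re

# Directories an unprivileged user can write to; a DLL loaded from here by regsvr32 is suspect.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata|public)\\", re.IGNORECASE)
# Only legitimate homes for ie4uinit.exe.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def check_event(ev: dict) -> list[str]:
    """Per-event rules; returns the list of alert reasons (empty if benign)."""
    alerts = []
    image = ev["image"].lower()
    name = ntpath.basename(image)
    if name == "regsvr32.exe" and USER_WRITABLE.search(ev["cmdline"]):
        alerts.append("regsvr32 loading DLL from user-writable path")
    if name == "ie4uinit.exe" and ntpath.dirname(image) not in SYSTEM_DIRS:
        alerts.append("ie4uinit.exe running from non-standard path")
    if ntpath.basename(ev.get("parent_image", "").lower()) == "psexesvc.exe":
        alerts.append("process spawned by PsExec service (PSEXESVC)")
    return alerts


def mass_execution(events: list[dict], min_hosts: int = 5, window_s: int = 60) -> list[dict]:
    """Flag a command line launched on >= min_hosts distinct hosts within window_s seconds."""
    by_cmd = defaultdict(list)
    for ev in events:
        by_cmd[ev["cmdline"].lower()].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    hits = []
    for cmd, runs in by_cmd.items():
        runs.sort()
        for start, _ in runs:   # slide a window over the time-ordered launches
            hosts = {h for t, h in runs if 0 <= (t - start).total_seconds() <= window_s}
            if len(hosts) >= min_hosts:
                hits.append({"cmdline": cmd, "hosts": len(hosts), "start": start.isoformat()})
                break
    return hits


def run_detections(events: list[dict]) -> dict:
    """Apply both rule families and return everything that fired."""
    per_event = [(ev["host"], reason) for ev in events for reason in check_event(ev)]
    return {"per_event": per_event, "mass": mass_execution(events)}


# Constructed sample events (hostnames, paths and file names are made up).
SAMPLE_EVENTS = [
    {"ts": "2025-03-27T09:15:02", "host": "HR-WS01",
     "image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\ie4uinit.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\hr.smith\AppData\Local\Temp\msvcrt.dll"},
    {"ts": "2025-03-27T09:15:01", "host": "HR-WS01",
     "image": r"C:\Users\hr.smith\AppData\Local\Temp\ie4uinit.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "ie4uinit.exe"},
    {"ts": "2025-03-27T08:00:00", "host": "FIN-WS07",   # benign: system DLL from System32
     "image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\vbscript.dll"},
    {"ts": "2025-03-27T08:00:05", "host": "FIN-WS07",   # benign: ie4uinit from its real location
     "image": r"C:\Windows\System32\ie4uinit.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "ie4uinit.exe -ClearIconCache"},
]
# Six servers receiving the same command within 15 seconds via PSEXESVC.
for i in range(6):
    SAMPLE_EVENTS.append({
        "ts": f"2025-03-27T23:41:{10 + i * 3:02d}", "host": f"SRV{i:02d}",
        "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\PSEXESVC.exe",
        "cmdline": r"cmd.exe /c C:\Windows\Temp\locker.exe --all",
    })

if __name__ == "__main__":
    result = run_detections(SAMPLE_EVENTS)
    for host, reason in result["per_event"]:
        print(f"[{host}] {reason}")
    for hit in result["mass"]:
        print(f"mass execution: {hit['hosts']} hosts ran {hit['cmdline']!r} from {hit['start']}")
```

The per-event rules are cheap and fire on the HR workstation at delivery time; the mass-execution rule needs events correlated across hosts and is what distinguishes a ransomware push from an admin running one command on one box. Tune `min_hosts` and `window_s` to the environment, and expect legitimate software deployment tools to trip the mass rule unless their service accounts are excluded.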

analyst note

FIN6's decade-long evolution — PoS malware to Magecart skimming to ransomware partnerships to LinkedIn social engineering — reflects a group that consistently identifies the highest-value attack surface available and adapts when defenses catch up. The current recruiter-targeting campaign is technically low-complexity but operationally effective, exploiting HR personnel who routinely download files from unknown external candidates. The use of AWS infrastructure and GoDaddy privacy registration for operational cover mirrors nation-state tradecraft in an organized crime context. Organizations should treat HR functions as a standing attack surface requiring its own threat model, not just a recipient of general security awareness content.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile