Active threat profile
type: cybercrime
threat_level: HIGH
status: ACTIVE
origin: Eastern Europe / Russia-linked criminal ecosystem
last_updated: 2026-03-13

FIN7

also known as: ALIAS_1 ALIAS_2 ALIAS_3

FIN7 is one of the most operationally mature financially motivated intrusion groups publicly tracked, with a long record of targeted phishing, enterprise intrusion, point-of-sale compromise, payment-card theft, and later overlap with ransomware ecosystems. The group matters because it combines enterprise-grade organization, custom tooling, disciplined social engineering, and continuing operational adaptation.

attributed origin: Eastern Europe / Russia-linked criminal ecosystem
suspected sponsor: Organized cybercrime
first observed: 2013
primary motivation: Financial
primary targets: Retail, Hospitality, Restaurants, Financial Services, Enterprise IT
known campaigns: 5+ documented clusters
mitre att&ck group: G0046
target regions: North America, Europe, Australia
threat level: HIGH

Overview

FIN7 is a financially motivated threat group tracked by MITRE as G0046. Public reporting ties the group to large-scale theft of payment card data and to highly tailored initial access activity using socially engineered phishing, fake personas, and malware loaders. U.S. law-enforcement filings describe FIN7 as a multi-person criminal enterprise that used the front company Combi Security to recruit talent and mask its operations. Over time, security vendors have also linked elements of FIN7 activity to ransomware-adjacent operations and tool development, illustrating an evolution from classic carding-focused intrusion activity into broader enterprise monetization tradecraft.

Target Profile

FIN7 historically targeted organizations where cardholder data, financial value, or monetizable enterprise access could be converted into direct criminal revenue. Its victimology broadened over time from point-of-sale-heavy sectors into larger enterprise environments and, in some reporting, ransomware-oriented intrusion workflows.

  • Retail and restaurants: FIN7 became widely known for compromising merchants, restaurants, and hospitality organizations to reach point-of-sale environments and steal payment card data at scale.
  • Hospitality and gaming: Public indictments and threat reporting describe repeated targeting of hotels, casinos, and related service providers where distributed endpoints and payment processing increase attack surface.
  • Broader enterprises: Later reporting shows FIN7 using loaders, phishing chains, SQL-injection-enabled access, and post-compromise tooling against a wider set of corporate victims for credential theft, persistence, lateral movement, and follow-on monetization.

Tactics, Techniques & Procedures

The techniques below reflect repeatedly documented FIN7 tradecraft across ATT&CK and vendor reporting. They are representative rather than exhaustive.

MITRE ID | Technique | Description
T1566.001 | Phishing: Spearphishing Attachment | FIN7 is well known for tailored phishing lures, often crafted for specific business roles and sometimes reinforced with follow-up social engineering to increase execution rates.
T1059 / T1059.001 / T1059.005 | Command and Scripting Interpreter | Public reporting documents extensive use of PowerShell, JavaScript loaders, and VBS to stage payloads, perform discovery, and support execution chains.
T1047 | Windows Management Instrumentation | FIN7 has used WMI for remote execution and malware deployment within compromised Windows environments.
T1078 / T1558.003 | Valid Accounts / Kerberoasting | ATT&CK documents credential harvesting and Kerberoasting activity used to expand access and support lateral movement.
T1036.005 | Masquerading | FIN7 has disguised malicious binaries with filenames resembling legitimate software components to reduce operator scrutiny and delay detection.
T1562.004 | Impair Defenses: Disable or Modify System Firewall | ATT&CK reporting notes FIN7 adding firewall rules and otherwise modifying host defenses to keep remote access channels available.

Known Campaigns

The campaign summaries below combine law-enforcement and vendor-attributed activity clusters commonly associated with FIN7 or its closely tracked aliases.

Point-of-Sale Intrusion Wave 2015-2018

U.S. indictments and sentencing records describe FIN7 intrusions against thousands of systems across restaurants, hospitality, and gaming environments, with theft of tens of millions of payment-card records from compromised point-of-sale estates.

Combi Security Recruiting and Phishing Operations 2015-2018

Law-enforcement records state that FIN7 used Combi Security as a front company to recruit personnel while conducting phishing-led initial access, malware deployment, internal reconnaissance, and monetization of stolen card data.

Loader and Ransomware-Adjacent Operations 2019-2024

Vendor reporting links FIN7 aliases to post-phishing malware chains using JSSLoader, POWERTRASH, Carbanak, Gracewire, SQL injection-enabled access, and EDR-evasion tooling such as AvNeutralizer, with some researchers also assessing ties between FIN7 personnel and later ransomware ecosystems.

Tools & Malware

FIN7 has used a mix of long-lived signature malware families and newer loaders or access frameworks, showing both continuity and adaptation.

  • Carbanak: A long-associated FIN7 backdoor family used for persistence, remote access, and post-compromise control in enterprise environments.
  • GRIFFON / DiceLoader / JSSLoader / POWERTRASH: Loader and staging families tied by different vendors to FIN7 activity chains for initial access, payload delivery, or handoff into later-stage malware.
  • AvNeutralizer and follow-on tooling: SentinelOne documented FIN7-linked development of specialized tooling intended to tamper with or degrade security controls during later-stage intrusions.

Indicators of Compromise

This profile intentionally omits static IOCs. FIN7 infrastructure, loaders, filenames, and delivery domains have changed repeatedly across campaigns, and stale indicators create poor defensive outcomes when used outside time-bounded intelligence contexts.

Warning: Use campaign-specific IOCs from current vendor reporting, ISAC sharing, EDR telemetry, and ATT&CK-aligned detections instead of long-lived static blocklists.

Mitigation & Defense

Defenses against FIN7 should prioritize phishing resistance, identity hardening, egress visibility, Windows telemetry, and controls around payment-processing or high-value enterprise segments.

  • Harden initial access paths: Enforce phishing-resistant MFA where possible, disable unnecessary macro/script execution paths, filter container/archive delivery chains, and inspect links to cloud-hosted staging content.
  • Constrain post-compromise movement: Monitor and restrict PowerShell, WMI, PsExec-like administration, service creation, remote tasking, Kerberoasting indicators, and suspicious firewall-rule modification.
  • Segment monetizable assets: Isolate POS/payment systems, protect domain administration paths, reduce credential reuse, and apply high-fidelity detections for card-data collection, archive staging, and unusual outbound transfer activity.
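To make the "constrain post-compromise movement" bullet and the T1047 / T1059.001 / T1558.003 / T1562.004 rows above concrete, here is an added detection example written for this profile (it is not code from the profile, ATT&CK, or any vendor). It runs over constructed, simplified Windows Security event records (4769 Kerberos service-ticket requests and 4688 process creations; field names are an assumption, not the real event schema) and flags RC4-encrypted TGS requests bursting across several service accounts, firewall-rule additions via netsh, encoded PowerShell, and remote WMI process creation.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Fields are simplified
# versions of Security 4769 (Kerberos TGS request) and 4688 (process creation).
SAMPLE_EVENTS = [
    {"id": 4769, "host": "dc01", "user": "jdoe", "service": "svc_sql", "enc": "0x17", "ip": "10.0.5.20"},
    {"id": 4769, "host": "dc01", "user": "jdoe", "service": "svc_backup", "enc": "0x17", "ip": "10.0.5.20"},
    {"id": 4769, "host": "dc01", "user": "jdoe", "service": "svc_web", "enc": "0x17", "ip": "10.0.5.20"},
    {"id": 4769, "host": "dc01", "user": "alice", "service": "WS042$", "enc": "0x12", "ip": "10.0.7.9"},
    {"id": 4688, "host": "ws042", "user": "alice",
     "cmd": 'netsh advfirewall firewall add rule name="svchost" dir=in action=allow program="C:\\Users\\Public\\svchost.exe"'},
    {"id": 4688, "host": "ws042", "user": "alice", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 4688, "host": "ws042", "user": "alice", "cmd": 'wmic /node:fs01 process call create "cmd /c whoami"'},
    {"id": 4688, "host": "ws042", "user": "alice", "cmd": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Process-creation patterns mapped to the ATT&CK techniques listed in the profile.
PROCESS_RULES = [
    ("T1562.004", re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", re.I)),
    ("T1059.001", re.compile(r"powershell(\.exe)?.*\s-(e|enc|encodedcommand)\b", re.I)),
    ("T1047", re.compile(r"\bwmic\b.*\bprocess\s+call\s+create", re.I)),
]


def detect(events, rc4_spn_threshold=3):
    """Return (technique, where, user, detail) findings for the given events."""
    findings = []
    # (requesting user, source IP) -> distinct non-machine service accounts requested with RC4
    rc4_spns = defaultdict(set)
    for ev in events:
        if ev["id"] == 4769:
            # 0x17 = RC4-HMAC. Many RC4 TGS requests for user service accounts from one
            # source is the classic Kerberoasting signal; machine accounts ($) are excluded.
            if ev["enc"].lower() == "0x17" and not ev["service"].endswith("$"):
                rc4_spns[(ev["user"], ev["ip"])].add(ev["service"])
        elif ev["id"] == 4688:
            for tech, rx in PROCESS_RULES:
                if rx.search(ev["cmd"]):
                    findings.append((tech, ev["host"], ev["user"], ev["cmd"]))
    for (user, ip), spns in rc4_spns.items():
        if len(spns) >= rc4_spn_threshold:
            findings.append(("T1558.003", ip, user, f"RC4 TGS requests for {len(spns)} service accounts"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The threshold and patterns are deliberately simple; in production, tune the RC4 count against your environment's baseline and enrich with the user's group membership before alerting.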

Note: Alias mapping around FIN7 can vary by vendor. Some reporting distinguishes the historic payment-card-focused cluster from later ransomware-linked or access-broker-adjacent activity, while other vendors place them in the same broader criminal lineage. Treat cross-vendor aliasing carefully when building detections or enrichment logic.

Sources & Further Reading

Attribution and references used to build this profile.
