FIN7
Russian-speaking cybercriminal group, multiple members arrested and convicted
🇷🇺 Russia | Cybercriminal | ● Active | G0046

Key Intelligence

MITRE ID: G0046
Country: 🇷🇺 Russia
Motivation: Financial Gain
Active Since: 2013
Last Seen: 2025
Techniques: 25 across 12 tactics
Attribution: Russian-speaking cybercriminal group, multiple members arrested and convicted
Also Known As: Carbanak, Carbon Spider, Sangria Tempest, ELBRUS, ITG14, Navigator Group

Target Profile

Targeted Industries: Hospitality, Restaurants, Retail, Financial Services, Gaming
Targeted Countries: 🇺🇸 United States, 🇬🇧 United Kingdom, 🇦🇺 Australia, 🇫🇷 France

Overview

FIN7 is one of the world's most sophisticated financially motivated threat groups. Originally focused on POS malware for credit card theft, the group evolved into ransomware operations. Notable for operating a fake security company 'Combi Security' to recruit unwitting developers. Multiple members have been arrested, including alleged leader Andrii Kolpakov, but the group continues operations with new TTPs.

Tools & Malware

Carbanak, GRIFFON, BOOSTWRITE, RDFSNIFFER, BIRDDOG, Cobalt Strike, REvil, BlackMatter, POWERPLANT, Lizar/Tirion, Mimikatz, Metasploit

Malware & Tool Details

Arsenal attributed to FIN7.

Attack Path: Carbanak Banking / POS Attack Chain

Following MITRE ATT&CK Flow methodology.

Attack Flow: Carbanak Banking / POS Attack Chain (8 steps)

Diamond Model

Caltagirone, Pendergast & Betz (2013)
ADVERSARY
Russian-speaking criminal org, multiple arrested including Andrii Kolpakov
CAPABILITY
Carbanak, GRIFFON, BOOSTWRITE, Cobalt Strike, Lizar/Tirion, BadUSB devices
INFRASTRUCTURE
Combi Security (fake pen-testing company), bulletproof hosting, carding forums
VICTIM
Restaurants (Chipotle, Arby's), hotels (Trump, Hyatt), banks, SEC-filing companies

ATT&CK Navigator

Interactive MITRE ATT&CK Navigator layer for FIN7 (G0046).


Known CVEs Exploited

CVE             Year  Description
CVE-2017-0199   2017  Office/WordPad RCE for phishing delivery
CVE-2018-15982  2018  Flash Player RCE in phishing documents

Notable Campaigns

2022
Black Basta Affiliation
Links established to Black Basta ransomware operations.
2020
BadUSB Campaign
Mailing malicious USB devices disguised as Best Buy gift cards to targeted companies.
2017
SEC Filing Attacks
Targeting companies filing with the SEC to steal non-public financial data.
2015
Carbanak Banking Attacks
Theft of $1B+ from banks worldwide through ATM cashouts and SWIFT manipulation.

Detection Engineering

Cobalt Strike Beacon Detection
Detect named pipe patterns (\\MSSE-*, \\postex_*, \\status_*). Monitor for Malleable C2 profiles in HTTP traffic using JA3/JA3S fingerprinting. Alert on process injection into svchost.exe from non-system processes. Sigma rule: proc_creation_win_cobaltstrike_load_by_rundll32.
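The named-pipe check above, as an added example that is not part of this page or of any vendor's detection content: it runs the three default Cobalt Strike pipe patterns over a handful of constructed Sysmon-style pipe events (Event ID 17 pipe created, 18 pipe connected) and returns one finding per match. The JSON shape and the sample image paths are assumptions for the example, and the rule only covers stock profiles, since a customised Malleable C2 profile renames the pipes; pair it with the process-injection alert the page describes.

```python
import fnmatch
import json
from typing import Dict, List

# Default named-pipe name patterns from stock Cobalt Strike profiles, as listed
# on the page. Matched case-insensitively on the pipe name without its leading
# backslash. Custom Malleable C2 profiles change these names, so this rule
# covers default configurations only.
COBALT_STRIKE_PIPE_PATTERNS = ("MSSE-*", "postex_*", "status_*")

# Constructed sample events in a simplified JSON shape resembling Sysmon
# Event ID 17 (pipe created) / 18 (pipe connected) records as a SIEM might
# forward them. Illustrative data, not real telemetry.
SAMPLE_EVENTS = [
    r'{"EventID": 17, "Image": "C:\\Windows\\System32\\spoolsv.exe", "PipeName": "\\spoolss"}',
    r'{"EventID": 17, "Image": "C:\\Windows\\System32\\rundll32.exe", "PipeName": "\\MSSE-4185-server"}',
    r'{"EventID": 18, "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\postex_ab12"}',
    r'{"EventID": 17, "Image": "C:\\Program Files\\App\\app.exe", "PipeName": "\\status_8fe3"}',
    r'{"EventID": 17, "Image": "C:\\Windows\\System32\\lsass.exe", "PipeName": "\\lsass"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}',
]


def pipe_name_matches(pipe_name: str) -> bool:
    """Return True when a pipe name matches one of the default Cobalt Strike patterns."""
    name = pipe_name.lstrip("\\").lower()
    return any(fnmatch.fnmatchcase(name, pattern.lower()) for pattern in COBALT_STRIKE_PIPE_PATTERNS)


def detect_cobalt_strike_pipes(raw_events: List[str]) -> List[Dict[str, str]]:
    """Scan JSON pipe events and return one finding per suspicious pipe creation/connection."""
    findings = []
    for raw in raw_events:
        event = json.loads(raw)
        if event.get("EventID") not in (17, 18):  # only pipe events carry PipeName
            continue
        pipe = event.get("PipeName", "")
        if not pipe_name_matches(pipe):
            continue
        findings.append({
            "image": event.get("Image", ""),
            "pipe": pipe,
            "event_id": str(event["EventID"]),
            "note": "named pipe matches default Cobalt Strike pattern",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_cobalt_strike_pipes(SAMPLE_EVENTS):
        print(f"[ALERT] {finding['image']} -> {finding['pipe']} (EventID {finding['event_id']})")
```

Three of the six constructed events fire (the MSSE-, postex_ and status_ pipes); the legitimate spooler and LSASS pipes and the non-pipe event are ignored.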
POS RAM Scraping Detection
Monitor for unusual processes accessing payment card track data patterns in memory. Deploy application allowlisting on POS terminals. Alert on processes scanning memory of POS applications. Implement strict egress filtering on POS VLANs.
BadUSB / HID Attack Detection
Implement USB device control policies blocking unknown HID devices. Monitor for rapid keystroke injection patterns (>100 keystrokes/second). Alert on new USB HID device connections. Sigma rule: win_security_usb_device_plugged.
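The keystroke-rate and unknown-HID-device checks above, as an added example that is not part of this page: it computes the peak number of keystrokes in any sliding one-second window from a list of event timestamps and raises an alert when that peak exceeds the 100 keystrokes/second threshold the page gives, or when the reporting device is not on an allowlist. The HID allowlist, the device identifiers and both keystroke sessions are constructed for the example and would in practice come from the host's USB/HID telemetry.

```python
from collections import deque
from typing import Dict, List

# Threshold from the page: sustained input above 100 keystrokes per second is
# far beyond human typing and is characteristic of keystroke injection.
KEYSTROKE_RATE_THRESHOLD = 100

# Hypothetical allowlist of HID devices expected on this host, keyed by the
# USB vendor:product identifier. Constructed placeholder value.
KNOWN_HID_DEVICES = {"046d:c31c"}


def max_keystrokes_per_second(timestamps_ms: List[int]) -> int:
    """Maximum keystrokes seen in any sliding one-second window (timestamps in ms)."""
    window: deque = deque()
    peak = 0
    for t in sorted(timestamps_ms):
        window.append(t)
        # Drop events that are at least one second older than the newest one.
        while t - window[0] >= 1000:
            window.popleft()
        peak = max(peak, len(window))
    return peak


def assess_hid_session(device_id: str, timestamps_ms: List[int]) -> Dict[str, object]:
    """Classify one HID session: unknown device and/or injection-speed typing raise alerts."""
    rate = max_keystrokes_per_second(timestamps_ms)
    reasons = []
    if device_id not in KNOWN_HID_DEVICES:
        reasons.append("new/unknown USB HID device")
    if rate > KEYSTROKE_RATE_THRESHOLD:
        reasons.append(f"keystroke rate {rate}/s exceeds {KEYSTROKE_RATE_THRESHOLD}/s")
    return {"device": device_id, "peak_rate": rate, "alert": bool(reasons), "reasons": reasons}


def constructed_keystrokes(count: int, interval_ms: int) -> List[int]:
    """Build evenly spaced keystroke timestamps for the constructed sessions below."""
    return [i * interval_ms for i in range(count)]


# Constructed sessions: a human typing at roughly 8 keys/s on the allowlisted
# keyboard, and an unknown HID device delivering 300 keystrokes 5 ms apart.
HUMAN_SESSION = ("046d:c31c", constructed_keystrokes(50, 120))
INJECTION_SESSION = ("1234:abcd", constructed_keystrokes(300, 5))

if __name__ == "__main__":
    for device, stamps in (HUMAN_SESSION, INJECTION_SESSION):
        result = assess_hid_session(device, stamps)
        status = "ALERT" if result["alert"] else "ok"
        print(f"[{status}] {device}: peak {result['peak_rate']} keys/s {result['reasons']}")
```

The sliding window is the part worth keeping: a per-minute average hides a two-second burst of injected keystrokes, while the peak-per-second measure catches it even when the rest of the session looks idle.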

Related Threat Actors

Documented in MITRE ATT&CK, vendor intelligence, and government advisories.

Defense Recommendations

Mitigations with MITRE ATT&CK IDs.

Implement PCI DSS v4.0 network segmentation isolating POS from corporate networks.
PCI DSS v4.0 Req 1
Deploy P2PE on all POS terminals to prevent RAM scraping. FIN7 deploys memory scrapers for track data.
PCI PTS Standard
Block Office macros for non-essential employees via GPO and ASR rules.
Microsoft ASR Rules
Deploy EDR with Cobalt Strike detection (named pipes, Malleable C2, beacon jitter).
Red Canary CS Guide

Attribution Confidence

Attribution Confidence: High
Evidence Supporting Attribution
DOJ arrests and convictions of FIN7 members (2018-2021)
https://www.justice.gov/opa/pr/three-members-notorious-inter
Multiple vendor intelligence attributions
https://www.mandiant.com/resources/blog/fin7-evolution-and-p
FBI private industry notifications
https://attack.mitre.org/groups/G0046/

Threat Assessment

Capability: 8/10
Intent: 9/10
Targeting: 7/10
Overall Threat Level: High
Most successful financially motivated cybercriminal group. Stole data from 1000+ businesses. Now pivoting to ransomware operations via Black Basta affiliation.

Recent Reporting

2024-05
Mandiant: FIN7 evolution to ransomware operations
https://www.mandiant.com/resources/blog/fin7-evolution-and-phishing-lnk

Emulation Plans & Guidance

Plan | Source | Type | Description
MITRE CTID - FIN7 Full Emulation Plan | MITRE CTID | Open Source | Complete FIN7 emulation with Scenario 1 (detection) and Scenario 2 (protection)
FIN7 Emulation - Scenario 1 Walkthrough | MITRE CTID | Open Source | Step-by-step: spearphishing, mshta execution, Cobalt Strike, POS targeting
FIN7 Emulation - Scenario 2 Protection | MITRE CTID | Open Source | Protection scenario testing defenses against FIN7 POS targeting and Cobalt Strike payloads
SCYTHE #ThreatThursday - FIN7 | SCYTHE | Blog Post | Weekly threat emulation walkthrough with FIN7 TTPs, ATT&CK mapping, and defense guidance
Mandiant: FIN7 Evolution and Phishing LNK | Mandiant | Blog Post | Technical analysis of FIN7 evolution with emulation-relevant TTPs and detection opportunities
Emulating FIN7 - Part 1 | AttackIQ | Blog Post | Two attack graphs emulating FIN7 2024 activities: brand impersonation websites, malvertising
Emulating FIN7 - Part 2 | AttackIQ | Blog Post | FIN7 2022-2023 TTPs: BOOSTWRITE loader, Cobalt Strike, lateral movement to POS systems
Fingerprinting FIN7 | AttackIQ | Blog Post | Assessment template for FIN7 emulation with TTP walkthrough and scenario investigation

Page Contributors

Adversary Village
MITRE ATT&CK Team
BreachSimRange