FIN7 — also tracked under the names Carbon Spider and GOLD NIAGARA — is a financially motivated cybercriminal organization that first came to prominence in 2013 [1]. Its driving objective has consistently been monetary profit, and across more than a decade, the group has repeatedly adapted its methods and business model to maximize returns while reducing exposure.
In its earlier years, FIN7 concentrated on large-scale intrusions designed to harvest payment card data. The group targeted Point‑of‑Sale (POS) systems at scale, focusing heavily on sectors where card-present transactions are common — principally the restaurant, financial services, and hospitality industries within the United States. These campaigns were characterized by broad targeting and the capture of payment card information from many infected POS terminals, with the intent of monetizing card data on underground markets.
A hallmark of FIN7's operations is technical sophistication. Over time, the group adopted and refined multi‑stage infection chains and fileless execution techniques that make detection and forensic analysis more difficult. Rather than relying solely on disk-resident payloads, FIN7 frequently employed scripting and in‑memory execution to reduce forensic artifacts. The group's toolset has included PowerShell, JavaScript, and VBScript — used in various stages of an intrusion to download, assemble, or execute code directly in memory. These approaches allowed FIN7 to maintain persistence and move laterally while attempting to evade traditional signature‑based defenses and reduce obvious traces on compromised hosts.
Around 2020, FIN7's operational posture shifted from wide, opportunistic compromises of POS systems toward targeting larger, higher-value organizations — a pattern often called "big‑game hunting." In line with this strategic pivot, FIN7 moved into the Ransomware‑as‑a‑Service (RaaS) ecosystem [1].
To support and scale its technical efforts, FIN7 established fraudulent cybersecurity firms — most notably entities using the names Combi Security and Bastion Secure. These sham companies were used as a cover to recruit legitimate‑appearing security professionals, including penetration testers. Recruits were often unaware of the ultimate malicious purpose; under the guise of legitimate contracting, they produced tools, conducted assessments, or developed capabilities that directly supported the criminal campaigns. This approach allowed FIN7 to effectively leverage real-world security talent and tooling while maintaining layers of plausible deniability and operational separation from the criminal acts their recruits were enabling.
In this post, we'll analyze FIN7's operational playbook, review its most significant intrusions, and dissect the tactics it employs.
February 2017 - FIN7 ran a spearphishing campaign targeting company employees involved with United States Securities and Exchange Commission (SEC) filings [6].
1 August 2018 - The U.S. Department of Justice announced the indictment of three high-ranking members of FIN7, providing details on the group's structure, roles, and extensive campaigns that compromised thousands of POS systems [2].
2020 - The group shifted its primary focus from POS data theft to "big game hunting," conducting post-intrusion ransomware attacks against large enterprises [1].
October 2021 - Researchers exposed FIN7's use of a front company named "Bastion Secure" to hire legitimate penetration testers and IT specialists, who were then unknowingly assigned to conduct the group's ransomware operations [3].
January 2022 - The U.S. Federal Bureau of Investigation (FBI) issued a warning that FIN7 was mailing malicious USB devices, impersonating entities like Amazon and the Department of Health and Human Services, to U.S. companies to install ransomware [4].
FIN7 compromised a digital products website and replaced its download links with links to trojanized Atera installers hosted in an Amazon S3 bucket. The group then used the remote management tool to deploy POWERPLANT, a large backdoor framework with a broad range of capabilities on victim systems [5].
FIN7 specifically targeted individuals associated with United States Securities and Exchange Commission (SEC) filings, many of whom were publicly named in their organizations' official filings. The attackers spoofed the sender address as EDGAR <filings@sec.gov>, using a malicious attachment titled "Important_Changes_to_Form10_K.doc" (MD5: d04b6410dddee19adec75f597c52e386) [6].
FIN7 consistently used PowerShell for on-system execution, launching scripts with execution-policy bypass flags directly via PowerShell.exe. Observed command-line patterns include:
```
powershell.exe -ex bypass -file C:\windows\temp\fdddu32.ps1
powershell.exe -ex bypass -f c:\users\public\temp\AC-Win10w-x64.ps1
```
These specific parameter combinations (-ex bypass with -f or -file) exhibit very low prevalence outside FIN7-attributed activity.
FIN7 frequently launched PowerShell via cmd.exe wrappers to run scripts with non-interactive and no-profile flags plus an execution-policy bypass. Observed invocations include [5]:

```
cmd.exe /c start %SYSTEMROOT%\system32\WindowsPowerShell\v1.0\powershell.exe -noni -nop -exe bypass -f <REDACTED>/ADMIN$/temp/wO9EBGmDqwdc.ps1
```
FIN7 has used Visual Basic Script (VBS) as part of its infection process. In one campaign, the malicious document dropped a VBS script upon execution, and the script installed a PowerShell-based backdoor. The backdoor utilized DNS TXT records for command and control (C2) communications [6].
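The backdoor described above used DNS TXT records as its C2 channel. The following detection sketch is an added example written for this post; it is not code from Picus or from the referenced reports. It builds a constructed resolver log (the domain `txt-c2.invalid` uses the reserved `.invalid` TLD, and the tasking strings are invented) and flags a client that polls many distinct subdomains of one domain and receives long, base64-looking TXT answers, the shape a TXT-record beacon leaves behind in DNS telemetry.

```python
import base64
from collections import defaultdict

B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def _c2_line(ts, sub, tasking):
    """Build one constructed beacon line: a unique subdomain query whose TXT
    answer carries base64-encoded tasking (the tasking text is invented)."""
    rdata = base64.b64encode(tasking.encode()).decode()
    return f'{ts} 10.0.0.7 TXT {sub}.txt-c2.invalid "{rdata}"'


# Constructed DNS resolver log (timestamp client qtype qname rdata); not real
# telemetry. example.com and the reserved .invalid TLD keep every name fictitious.
SAMPLE_LOG = "\n".join([
    '2017-03-10T12:00:01Z 10.0.0.5 TXT example.com "v=spf1 -all"',
    '2017-03-10T12:00:02Z 10.0.0.5 TXT _dmarc.example.com "v=DMARC1; p=reject"',
    _c2_line("2017-03-10T12:00:05Z", "3f9a1c2e", "task=sleep;interval=60;nonce=3f9a1c2e"),
    _c2_line("2017-03-10T12:01:05Z", "8b21d0ff", "task=sleep;interval=60;nonce=8b21d0ff"),
    _c2_line("2017-03-10T12:02:05Z", "c07e55aa", "task=sleep;interval=60;nonce=c07e55aa"),
    _c2_line("2017-03-10T12:03:05Z", "5d6e7f80", "task=sleep;interval=60;nonce=5d6e7f80"),
    _c2_line("2017-03-10T12:04:05Z", "91a2b3c4", "task=sleep;interval=60;nonce=91a2b3c4"),
])


def parse_line(line):
    """Split one log line into (ts, client, qtype, qname, rdata); rdata may contain spaces."""
    ts, client, qtype, qname, rdata = line.split(maxsplit=4)
    return ts, client, qtype, qname.rstrip(".").lower(), rdata.strip('"')


def base_domain(qname):
    # Registrable-domain approximation: the last two labels. A public-suffix
    # list is needed in production for multi-label TLDs such as co.uk.
    return ".".join(qname.split(".")[-2:])


def find_txt_beacons(log_text, min_distinct=4, min_len=40, min_b64_ratio=0.95):
    """Group TXT queries per (client, base domain) and return the groups that
    poll many distinct subdomains and receive long, base64-like answers."""
    groups = defaultdict(lambda: {"qnames": set(), "lens": [], "b64": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qtype, qname, rdata = parse_line(line)
        if qtype != "TXT":
            continue
        g = groups[(client, base_domain(qname))]
        g["qnames"].add(qname)
        g["lens"].append(len(rdata))
        # Share of answer characters drawn from the base64 alphabet.
        g["b64"].append(sum(c in B64_ALPHABET for c in rdata) / max(len(rdata), 1))
    hits = []
    for (client, domain), g in sorted(groups.items()):
        stats = {
            "distinct_qnames": len(g["qnames"]),
            "mean_rdata_len": sum(g["lens"]) / len(g["lens"]),
            "mean_b64_ratio": sum(g["b64"]) / len(g["b64"]),
        }
        if (stats["distinct_qnames"] >= min_distinct
                and stats["mean_rdata_len"] >= min_len
                and stats["mean_b64_ratio"] >= min_b64_ratio):
            hits.append((client, domain, stats))
    return hits


if __name__ == "__main__":
    for client, domain, stats in find_txt_beacons(SAMPLE_LOG):
        print(f"possible TXT-record C2: {client} -> {domain} {stats}")
```

The SPF and DMARC lookups for example.com stay below every threshold (two names, short answers containing spaces and punctuation), while the five single-use subdomains of txt-c2.invalid with 52-character base64 answers are reported. Thresholds are starting points: legitimate TXT-heavy traffic such as domain-verification tokens should be baselined per environment before alerting.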
A work-in-progress variant of the LOADOUT downloader was submitted to VirusTotal (MD5: 485b2a920f3b5ae7cfad93a4120ec20d) and detected by only a single engine. Two hours later, a new version appeared (MD5: 012e7b4d6b5cb8d46771852c66c71d6d), in which the PowerShell command was concealed using FIN7's custom obfuscation mechanism [5].
PowerShell command before obfuscation:
```
objTS.WriteLine(TextCrypt)
```
PowerShell command after obfuscation:
```
Text1 = "/3/3.1/2.1,7/2/2.0/3+4+5/4/2*3,7.0,7/2/2.1/4.0,6/3/3.0/3.0+5/4+5-9/4.1+5/4/3*3,7.0,6/3/2*3272327272412292326241618252310112117262125222518252429242516
```
They were likely evaluating the effectiveness of their custom obfuscation against public repositories to check static detection engine coverage.
They also used custom string obfuscation in commands [5]:
```
Private Function GetShiftKey()
```
The FIN7 group used a basic but effective obfuscation mechanism — interspersing malicious code with random junk to evade static detections. Below is an example of the group's code, obfuscated in this way [5]:
```
kiki=ado.ReadText
```
To circumvent improved AV detection, the LOADOUT downloader developers tweaked the code that was likely being flagged in detection signatures, inserting the string "FUCKAV" directly into it [5].
```
data = "id=" & get_id() & "&FUCKAVtype=put" & get_computer_info("") & "&DomainHosts=" & count_domain_hosts() & "&UserName=" & usFUCKAVername & "&LogicalDrives=" & get_grivers() & "&SystemInfo=nothing&SoftwareInfo=nothing&NetworkInfo=nothingFUCKAV&ProcessList=" & get_processlist() & "&DesktopFileList=" & get_desktopfiles() & "&DesktopScreenshFUCKAVot=nothing&WebHistory=nothing&stype=vbs" 
```
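The string edit above defeats any signature that matches the beacon body byte-for-byte. The following is an added example, not code from Picus or from the referenced report, showing a brittle substring signature beside a matcher that recovers the beacon's field names even with junk spliced into them. The two request bodies are constructed from the field layout in the quoted VBS (the values and the benign form body are invented), and the `MODIFIED_BODY`/`ORIGINAL_BODY` names and the eight-field threshold are this example's own choices.

```python
# Constructed request bodies built from the field layout in the quoted VBS;
# values are invented and the bodies are not captured traffic.
MODIFIED_BODY = (
    "id=1234&FUCKAVtype=put&DomainHosts=12&UserName=jdoe&LogicalDrives=C:;D:"
    "&SystemInfo=nothing&SoftwareInfo=nothing&NetworkInfo=nothingFUCKAV"
    "&ProcessList=explorer.exe;outlook.exe&DesktopFileList=notes.txt"
    "&DesktopScreenshFUCKAVot=nothing&WebHistory=nothing&stype=vbs"
)
# What the same body looked like before the junk string was inserted.
ORIGINAL_BODY = MODIFIED_BODY.replace("FUCKAV", "")
# A constructed benign form submission that happens to share a few field names.
BENIGN_BODY = "user=alice&type=login&id=77&stype=web"

# Beacon field names as they appear in the quoted LOADOUT source.
EXFIL_FIELDS = [
    "id", "type", "DomainHosts", "UserName", "LogicalDrives", "SystemInfo",
    "SoftwareInfo", "NetworkInfo", "ProcessList", "DesktopFileList",
    "DesktopScreenshot", "WebHistory", "stype",
]

# Brittle signature: an exact substring that the author's edit breaks.
NAIVE_SIGNATURE = "&type=put&"


def naive_match(body):
    return NAIVE_SIGNATURE in body


def is_subsequence(needle, haystack):
    """True if needle's characters appear in order inside haystack, with
    arbitrary insertions allowed between them (case-sensitive)."""
    it = iter(haystack)
    return all(ch in it for ch in needle)


def parse_fields(body):
    """Split an application/x-www-form-urlencoded style body into a key -> value dict."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key:
            fields[key] = value
    return fields


def match_exfil_fields(body):
    """Return the expected beacon field names recovered from body, tolerating
    junk spliced into the names (FUCKAVtype still matches 'type')."""
    observed = parse_fields(body)
    return [
        expected for expected in EXFIL_FIELDS
        if any(expected == k or is_subsequence(expected, k) for k in observed)
    ]


def is_loadout_beacon(body, min_fields=8):
    """Structural verdict: enough of the beacon's field set is present."""
    return len(match_exfil_fields(body)) >= min_fields


if __name__ == "__main__":
    for name, body in [("original", ORIGINAL_BODY), ("modified", MODIFIED_BODY), ("benign", BENIGN_BODY)]:
        print(f"{name}: naive={naive_match(body)} fields={len(match_exfil_fields(body))} beacon={is_loadout_beacon(body)}")
```

The exact-substring signature matches the original body and misses the modified one, while the field-set matcher recovers all thirteen names from both and only three from the benign form. Matching on the structure of the exfiltrated data rather than on one literal is what keeps a signature useful after the kind of cosmetic edit the post describes; the threshold should be tuned so that ordinary forms sharing a few generic names such as `id` or `type` do not fire.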
FIN7 performed enumeration using a combination of built-in Windows commands, PowerSploit modules, and Kerberoasting PowerShell components.
Specifically, they imported a Kerberoast script and executed the following command to extract service account hashes in HashCat format [5]:
```
powershell.exe -c Import-Module C:\Users\Public\kerberoast_hex.ps1; Invoke-Kerberoast -OutputFormat HashCat > hash.txt
```
Adversaries may try to identify the primary user, currently logged-in users, frequent users of a system, or whether a user is actively using it; data gathered during System Owner/User Discovery can shape follow-on behavior. FIN7 used the command below [5] for this purpose, which displays information about users currently logged on to the local or a specified remote system.
```
cmd.exe /C quser
```
Knowledge of domain-level permission groups lets an adversary discover which groups exist and which users belong to them, revealing accounts with elevated privileges (for example, domain administrators). FIN7 tried to determine group membership by running [5]:

```
cmd.exe /C net group "Domain Admins" /domain
```
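The command lines quoted in the PowerShell execution section (the `-ex bypass` / `-f` pairing and the cmd.exe wrapper with `-noni -nop -exe bypass`) and in the discovery section above (Invoke-Kerberoast, quser, net group "Domain Admins" /domain) are the kind of thing a process-creation rule can key on. The following is an added example written for this post, not code from Picus or from the referenced report: it scores constructed process-creation events using the post's patterns, treats the abbreviated execution-policy spelling and the two credential/privilege discovery commands as strong indicators, and lets weaker signals (script flag, quiet flags, cmd.exe wrapping, staging paths, quser) alert only in combination. The benign events and the indicator tiers are this example's own assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry). Events 1-3
# and 6-8 reproduce command lines quoted in the post (the <REDACTED> host in
# event 3 is kept as printed there); events 4, 5 and 9 are constructed benign
# administrative invocations included for contrast.
SAMPLE_EVENTS = [
    (1, r"powershell.exe -ex bypass -file C:\windows\temp\fdddu32.ps1"),
    (2, r"powershell.exe -ex bypass -f c:\users\public\temp\AC-Win10w-x64.ps1"),
    (3, r"cmd.exe /c start %SYSTEMROOT%\system32\WindowsPowerShell\v1.0\powershell.exe "
        r"-noni -nop -exe bypass -f <REDACTED>/ADMIN$/temp/wO9EBGmDqwdc.ps1"),
    (4, r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Corp\inventory.ps1"),
    (5, r"powershell.exe -NoProfile -Command Get-Service"),
    (6, r"powershell.exe -c Import-Module C:\Users\Public\kerberoast_hex.ps1; "
        r"Invoke-Kerberoast -OutputFormat HashCat > hash.txt"),
    (7, r"cmd.exe /C quser"),
    (8, r'cmd.exe /C net group "Domain Admins" /domain'),
    (9, r"cmd.exe /C net user"),
]

# Abbreviated spellings of -ExecutionPolicy. The full spelling is common in
# legitimate automation (event 4), so it is deliberately left out of this set.
EXEC_POLICY_ABBREV = {"-ex", "-exe", "-exec"}
FILE_FLAGS = {"-f", "-fi", "-fil", "-file"}
QUIET_FLAGS = {"-noni", "-noninteractive", "-nop", "-noprofile"}
# Staging locations that appear in the quoted command lines.
STAGING_PATH = re.compile(r"(?i)(ADMIN\$[\\/]|\\users\\public\\|\\windows\\temp\\)")
# Discovery commands from the post that alert on their own.
STRONG_PATTERNS = [
    ("Invoke-Kerberoast", re.compile(r"(?i)invoke-kerberoast")),
    ('net group "Domain Admins" /domain',
     re.compile(r'(?i)net\s+group\s+"?domain admins"?.*\s/domain')),
]
# Discovery commands that are too common on their own to alert by themselves.
WEAK_PATTERNS = [
    ("quser logged-on user discovery", re.compile(r"(?i)(^|\s)quser(\s|$)")),
]


def evaluate(cmdline, min_weak=3):
    """Classify one command line: returns the strong and weak indicators that
    fired and an 'alert' flag (any strong indicator, or min_weak weak ones)."""
    low = cmdline.lower().split()
    strong, weak = [], []
    # Pair the abbreviated execution-policy flag with the 'bypass' value after it.
    if any(low[i] in EXEC_POLICY_ABBREV and low[i + 1] == "bypass"
           for i in range(len(low) - 1)):
        strong.append("abbreviated -ex bypass")
    for label, pattern in STRONG_PATTERNS:
        if pattern.search(cmdline):
            strong.append(label)
    if any(t in FILE_FLAGS for t in low):
        weak.append("script launched with -f/-file")
    if any(t in QUIET_FLAGS for t in low):
        weak.append("non-interactive/no-profile flags")
    if low and low[0].endswith("cmd.exe") and any("powershell" in t for t in low[1:]):
        weak.append("PowerShell wrapped in cmd.exe")
    if STAGING_PATH.search(cmdline):
        weak.append("script in staging or admin-share path")
    for label, pattern in WEAK_PATTERNS:
        if pattern.search(cmdline):
            weak.append(label)
    return {"strong": strong, "weak": weak,
            "alert": bool(strong) or len(weak) >= min_weak}


def triage(events):
    """Return the ids of events that should be escalated, in input order."""
    return [eid for eid, cmd in events if evaluate(cmd)["alert"]]


if __name__ == "__main__":
    for eid, cmd in SAMPLE_EVENTS:
        verdict = evaluate(cmd)
        print(f"event {eid}: alert={verdict['alert']} strong={verdict['strong']} weak={verdict['weak']}")
```

Events 1, 2, 3, 6 and 8 are escalated; the full-spelling `-ExecutionPolicy Bypass -File` inventory script, the `-NoProfile` one-liner and a lone `quser` are not, which matches the post's observation that it is the abbreviated `-ex bypass` form combined with `-f`/`-file`, rather than execution-policy bypass in general, that has low prevalence outside FIN7 activity.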
FIN7 invoked RunDll32 to launch TERMITE, a password-protected shellcode loader used to deploy BEACON, Metasploit, and Bughatch payloads. In this instance, TERMITE loaded and executed a shellcode stager for Cobalt Strike BEACON. The command line was [5]:

```
RunDll32 TstDll.dll,TstSec 11985756
```
FIN7 launched two similar Windows process chains on the target server [5]. They had gained initial access during the intrusion by logging in across two separate days with compromised Remote Desktop Protocol (RDP) credentials.
```
rdpinit.exe
```
We also strongly suggest simulating FIN7 attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for FIN7:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 84033 | FIN7 Threat Group Campaign Backdoor Malware Email Threat | Network Infiltration |
| 24726 | FIN7 Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration |
| 32970 | FIN7 Threat Group Campaign Malware Download Threat - 1 | Network Infiltration |
| 25496 | FIN7 Threat Group Campaign Downloader Download Threat | Network Infiltration |
| 74671 | FIN7 Threat Group Campaign Malware Download Threat - 2 | Network Infiltration |
| 92906 | FIN7 Threat Group Campaign Malware Email Threat - 2 | Network Infiltration |
| 24752 | FIN7 Threat Group Campaign Malware Email Threat - 1 | Network Infiltration |
| 89876 | FIN7 Threat Group Campaign Downloader Email Threat | Network Infiltration |
| 58503 | FIN7 Threat Group Campaign | Windows Endpoint |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Platform.
The FIN7 group is also known as: GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, Sangria Tempest, Calcium, Navigator, ATK 32, APT-C-11, TAG-CR1, CARBON SPIDER, ATK32, G0046, G0008, Coreid, Carbanak, JokerStash.
References
[1] "FIN7." Accessed: Oct. 14, 2025. [Online]. Available: https://attack.mitre.org/groups/G0046
[2] "Three Members of Notorious International Cybercrime Group 'Fin7' In Custody for Role in Attacking Over 100 U.S. companies." Accessed: Oct. 14, 2025. [Online]. Available: https://www.justice.gov/archives/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100
[3] The Hacker News, "Hackers Set Up Fake Company to Get IT Experts to Launch Ransomware Attacks," The Hacker News. Accessed: Oct. 14, 2025. [Online]. Available: https://thehackernews.com/2021/10/hackers-set-up-fake-company-to-get-it.html
[4] S. Gatlan, "FBI: Hackers use BadUSB to target defense firms with ransomware," BleepingComputer. Accessed: Oct. 14, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/
[5] "FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7," Google Cloud Blog. Accessed: Oct. 14, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
[6] FireEye, "FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings." Accessed: Oct. 14, 2025. [Online]. Available: https://web.archive.org/web/20170316051921/http://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html