
Threat Actor Characterization

FIN8

ID: 6cc10329997dd4c0379c1a7617a42a4813509
Cybercrime / Cybercriminal
Threat types: Intrusion, Financial Theft, Ransomware
Updated: 2026-01-13
Created: 2025-10-21
Progress: 35% | Completeness: 28% | Freshness: 50%
Operation zone: UNKNOWN
Aliases: No aliases registered.
MITRE ATT&CK®

FIN8 is a financially motivated threat group that has been active since at least January 2016 and is known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers observed FIN8 shifting from targeting point-of-sale (POS) devices to distributing a number of ransomware variants. Ref: https://attack.mitre.org/groups/G0061/


Technique | Technique name | Tactics | Evidence
T1003.001 LSASS Memory TA0006
  • OS Credential Dumping: LSASS Memory - FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).
T1016.001 Internet Connection Discovery TA0007
  • System Network Configuration Discovery: Internet Connection Discovery - FIN8 has used the Ping command to check connectivity to actor-controlled C2 servers.
T1021.001 Remote Desktop Protocol TA0008
  • Remote Services: Remote Desktop Protocol - FIN8 has used RDP for lateral movement.
T1021.002 SMB/Windows Admin Shares TA0008
  • Remote Services: SMB/Windows Admin Shares - FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context. FIN8 has also used smbexec from the Impacket suite for lateral movement.
T1027.010 Command Obfuscation TA0005
  • Obfuscated Files or Information: Command Obfuscation - FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads.
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol TA0010
  • Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol - FIN8 has used FTP to exfiltrate collected data.
T1053.005 Scheduled Task TA0002 TA0003 TA0004
  • Scheduled Task/Job: Scheduled Task - FIN8 has used scheduled tasks to maintain RDP backdoors.
T1055.004 Asynchronous Procedure Call TA0004 TA0005
  • Process Injection: Asynchronous Procedure Call - FIN8 has injected malicious code into a new svchost.exe process.
T1059.001 PowerShell TA0002
  • Command and Scripting Interpreter: PowerShell - FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access.
T1059.003 Windows Command Shell TA0002
  • Command and Scripting Interpreter: Windows Command Shell - FIN8 has used a batch file to automate frequently executed post-compromise cleanup activities. FIN8 has also executed commands remotely via cmd.exe.
T1070.001 Clear Windows Event Logs TA0005
  • Indicator Removal: Clear Windows Event Logs - FIN8 has cleared logs during post-compromise cleanup activities.
T1070.004 File Deletion TA0005
  • Indicator Removal: File Deletion - FIN8 has deleted tmp and prefetch files during post-compromise cleanup activities. FIN8 has also deleted PowerShell scripts to evade detection on compromised machines.
T1071.001 Web Protocols TA0011
  • Application Layer Protocol: Web Protocols - FIN8 has used HTTPS for command and control.
T1074.002 Remote Data Staging TA0009
  • Data Staged: Remote Data Staging - FIN8 aggregates staged data from a network into a single location.
T1134.001 Token Impersonation/Theft TA0004 TA0005
  • Access Token Manipulation: Token Impersonation/Theft - FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.
T1204.001 Malicious Link TA0002
  • User Execution: Malicious Link - FIN8 has used emails with malicious links to lure victims into installing malware.
T1204.002 Malicious File TA0002
  • User Execution: Malicious File - FIN8 has used malicious e-mail attachments to lure victims into executing malware.
T1518.001 Security Software Discovery TA0007
  • Software Discovery: Security Software Discovery - FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.
T1546.003 Windows Management Instrumentation Event Subscription TA0003 TA0004
  • Event Triggered Execution: Windows Management Instrumentation Event Subscription - FIN8 has used WMI event subscriptions for persistence.
T1560.001 Archive via Utility TA0009
  • Archive Collected Data: Archive via Utility - FIN8 has used RAR to compress collected data before exfiltration.
T1566.001 Spearphishing Attachment TA0001
  • Phishing: Spearphishing Attachment - FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.
T1566.002 Spearphishing Link TA0001
  • Phishing: Spearphishing Link - FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.
T1573.002 Asymmetric Cryptography TA0011
  • Encrypted Channel: Asymmetric Cryptography - FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.
T1588.002 Tool TA0042
  • Obtain Capabilities: Tool - FIN8 has used open-source tools such as Impacket for targeting efforts.
T1588.003 Code Signing Certificates TA0042
  • Obtain Capabilities: Code Signing Certificates - FIN8 has used an expired open-source X.509 certificate, intended for testing in the OpenSSL repository, to connect to actor-controlled C2 servers.
Strategic Intelligence
No content.
Executive Analyst Brief for CISO
No content yet.
Hunting Playbook
No content yet.
IOC Appendix
No content yet.
OSINT Library
No content yet.
Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.
Reference Images/Associated Evidence

No images found for this threat.