
Threat Actor Characterization

FIN4

ID: 77f2ab704898b5917645c9de9e3b8b7b62446
Cybercrime Cybercriminal
Threat types: Intrusion, Phishing, Data Theft
Unknown UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 35% Completeness: 28% Freshness: 50%
Operation zone: UNKNOWN
Aliases
No aliases registered.
MITRE ATT&CK®

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence. Ref: https://attack.mitre.org/groups/G0085/


Technique | Technique name | Tactics | Evidence
T1056.001 | Keylogging | TA0006, TA0009
  • Input Capture: Keylogging - FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.
T1056.002 | GUI Input Capture | TA0006, TA0009
  • Input Capture: GUI Input Capture - FIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials.
T1059.005 | Visual Basic | TA0002
  • Command and Scripting Interpreter: Visual Basic - FIN4 has used VBA macros to display a dialog box and collect victim credentials.
T1071.001 | Web Protocols | TA0011
  • Application Layer Protocol: Web Protocols - FIN4 has used HTTP POST requests to transmit data.
T1090.003 | Multi-hop Proxy | TA0011
  • Proxy: Multi-hop Proxy - FIN4 has used Tor to log in to victims' email accounts.
T1114.002 | Remote Email Collection | TA0009
  • Email Collection: Remote Email Collection - FIN4 has accessed and hijacked online email communications using stolen credentials.
T1204.001 | Malicious Link | TA0002
  • User Execution: Malicious Link - FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts).
T1204.002 | Malicious File | TA0002
  • User Execution: Malicious File - FIN4 has lured victims to launch malicious attachments delivered via spearphishing emails (often sent from compromised accounts).
T1564.008 | Email Hiding Rules | TA0005
  • Hide Artifacts: Email Hiding Rules - FIN4 has created rules in victims' Microsoft Outlook accounts to automatically delete emails containing words such as "hacked," "phish," and "malware" in a likely attempt to prevent organizations from communicating about their activities.
T1566.001 | Spearphishing Attachment | TA0001
  • Phishing: Spearphishing Attachment - FIN4 has used spearphishing emails containing attachments (which are often stolen, legitimate documents sent from compromised accounts) with embedded malicious macros.
T1566.002 | Spearphishing Link | TA0001
  • Phishing: Spearphishing Link - FIN4 has used spearphishing emails (often sent from compromised accounts) containing malicious links.
Strategic Intelligence
No content.

Executive Analyst Brief for CISO
No content.

Hunting Playbook
No content.

IOC Appendix
No content.

OSINT Library
No content.
Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.

Reference Images/Associated Evidence

No images found for this threat.