
Threat Actor Characterization

FIN5


ID: 8bbda4174ad6455dfbcf09cca3f2151648986
Cybercrime Cybercriminal
Threat types: Intrusion, POS Malware, Financial Theft
Unknown UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 35% Completeness: 28% Freshness: 50%
Operation zone: UNKNOWN
Aliases
No aliases registered.
MITRE ATT&CK®

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. Ref: https://attack.mitre.org/groups/G0053/


| Technique | Technique name | Tactics | Evidence |
|---|---|---|---|
| T1070.001 | Clear Windows Event Logs | TA0005 | Indicator Removal: Clear Windows Event Logs - FIN5 has cleared event logs from victims. |
| T1070.004 | File Deletion | TA0005 | Indicator Removal: File Deletion - FIN5 uses SDelete to clean up the environment and attempt to prevent detection. |
| T1074.001 | Local Data Staging | TA0009 | Data Staged: Local Data Staging - FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment. |
| T1090.002 | External Proxy | TA0011 | Proxy: External Proxy - FIN5 maintains access to victim environments by using FLIPSIDE to create a proxy for a backup RDP tunnel. |
| T1588.002 | Tool | TA0042 | Obtain Capabilities: Tool - FIN5 has obtained and used a customized version of PsExec, as well as other tools such as pwdump, SDelete, and Windows Credential Editor. |