Financial Cybercrime Group – Financial Fraud
Executive Summary
FIN8 (also known as Carbanak Variant, Carbanak 2.0, G0052) is a financial cybercrime group primarily focused on financial fraud, banking operations, and ransomware-as-a-service. This report covers their operations as of 2026, including their recent campaigns, tools, TTPs, and target sectors.

Basic Information
- Name: FIN8 (Carbanak Variant)
- Aliases: Carbanak Variant, Carbanak 2.0, G0052
- MITRE ATT&CK Group ID: G0052
- Country of Origin: Unknown (likely Russia/Eastern Europe)
- Threat Level: MEDIUM
- Primary Motivation: Financial cybercrime, financial fraud

Recent Operations (2025-2026)
Banking Sector (2025-2026):
- Banking infrastructure targeting
- Point-of-sale system operations
- ATM network operations
- Financial institution compromise
Retail Sector (2025-2026):
- Retail point-of-sale targeting
- Credit card data theft
- Customer data compromise
- Payment gateway operations
Primary Tools:
- Cobalt Strike (primary post-exploitation)
- Custom banking trojans
- Point-of-sale malware
- Ransomware frameworks
- Credential dumping and Active Directory enumeration (Mimikatz, BloodHound)

TTPs (MITRE ATT&CK Mapping)
Initial Access:
- Phishing (Spearphishing Link, Spearphishing Attachment)
- Exploit publicly available vulnerabilities
- Supply chain compromise
Execution:
- Browser Execution
- PowerShell
- Command and Scripting Interpreter
Persistence:
- Boot/Logon Autostart
- Accessibility Features
- Lateral Tool Transfer
Privilege Escalation:
- Exploitation for Privilege Escalation
- Abuse Elevation Control Mechanism
Defense Evasion:
- Indicator Removal
- File and Directory Permissions Modification
- Obfuscated Files or Information
Credential Access:
- Credential Dumping (LSASS Memory)
- Remote Service Discovery
Discovery:
- Active Directory Enumeration
- Network Service Discovery
Lateral Movement:
- Remote Services (RDP, SMB)
Collection:
- Data from Local System
- Data from Network
Exfiltration:
- Exfiltration Over C2 Channel
- Exfiltration Over Alternative Protocol

Known Campaigns (2025-2026)
Operation 1 (2025):
- Target: Banking infrastructure
- Impact: Financial fraud, ATM operations
- Tools: Cobalt Strike, banking trojans
Operation 2 (2025):
- Target: Retail POS systems
- Impact: Credit card data theft
- Tools: Cobalt Strike, POS malware
Operation 3 (2026):
- Target: Financial institutions
- Impact: Bank network compromise
- Tools: Cobalt Strike, Mimikatz

Threat Assessment
Threat Level: MEDIUM
Primary Targets:
- Banking sector
- Retail sector
- Financial institutions
- Payment processors
Capabilities:
- Financial cybercrime
- Banking fraud
- Point-of-sale attacks
- Ransomware-as-a-service
- ATM operations

Sources
- KELA Cyber
- Picus Security
- BankInfoSecurity
- Record Media
- CrowdStrike Threat Intelligence
- Mandiant Reports
- FortiGuard Labs
- CISA Advisories

Report Generated: 2026-06-10
Intelligence Freshness: Current (as of June 2026)
Classification: Unclassified
