FIN7 Morphs into a Broader, More Dangerous Cybercrime Group

Mandiant has now tied the group to at least eight unattributed clusters of activity targeting organizations across various industries and regions.

New research shows the notorious cybercrime group FIN7 to be behind numerous clusters of previously unattributed threat activity spanning several years and targeting organizations in multiple regions and industries.
The study by Mandiant shows that the threat actor has shifted from mostly targeting the retail and hospitality sectors to aiming at organizations across a considerably broader range of industries using a wider range of weapons than before.
In the process, FIN7s motivations have evolved as well, from mainly stealing payment card data to now deploying ransomware, ransomware-enabling operations, and double extortion attacks. FIN7 also has introduced new attack tools and has begun using supply chain attacks and the use of stolen credentials — in addition to its original phishing techniques — to gain initial access on target networks.
In a report this week, researchers from Mandiant said they had been able to
reliably connect FIN7 to eight separate clusters of threat activity
going back to at least 2020 that targeted organizations in software, consulting, cloud services, financial services, utilities, food and beverages, and other sectors. The researchers said it found a dozen intrusions at its customer locations since 2020 that are attributable to FIN7. Mandiant researchers made these conclusions after analyzing data related to attacker infrastructure, intrusion methods, malware code, and the modus operandi associated with the different clusters of threat activity.
That analysis led Mandiant to reliably attribute as many as 17 previously unattributed threat activity clusters to FIN17. Zander Work, technical analyst at Mandiant, says currently available evidence points to the threat actor being tied to nearly two-dozen other threat clusters, though it has not been able to reliably confirm these links.
We currently suspect another 22 threat clusters of being FIN7 with varying levels of confidence, Work says. These [threat clusters] are not necessarily indicative of independent threat actors, and rather represent activity that may be related based on overlapping TTPs.
Stubbornly Persistent
FIN7 (aka Carbanak Group and Cobalt Group) is a threat actor that, like many others, has stubbornly
continued to operate
despite multiple efforts to stop it. Only last week, the FBI warned of the group sending
weaponized USB thumb drives
to organizations in the defense, insurance, and transportation industries with the goal of introducing ransomware on their networks.
Previous vendor studies have estimated the group has stolen well more than $1.2 billion, most of it — initially, at least — from the sales of data related to millions of stolen credit card and debit cards. Among the groups hundreds of victims are well-known companies, such as Saks Fifth Avenue, Chipotle Mexican Grill, Arbys, and Hudsons Bay Brands. The group has also been linked to attacks on thousands of point-of-sale terminals across thousands of business locations.
In 2018, the
FBI arrested three key members FIN7
, one of whom was later
sentenced to 10 years in prison
. The arrests have done nothing to stop the group from operating as usual, growing bigger and expanding into other areas of criminal operations. Mandiant estimates that the group has dozens of members and has ramped up activity to the volume it was before the 2018 arrests.
Historically, FIN7 monetized their intrusions via payment card theft, and Mandiant observed them primarily targeting US retail and hospitality companies, Work says.
In most instances, the groups victims — and attacks — were specifically targeted. However, starting in 2020, Mandiant observed FIN7 campaigns becoming broad to the point where some of their targets appear to have been chosen without much care. It is reasonable to assume that any organization deemed large enough to pay a ransom and that FIN7 suspects would not cause unwanted geopolitical attention is a possible target, Work says.
Evolving Toolkit and Tactics
As the group has evolved, so has its attack toolkit and initial access techniques. Previously, for instance, FIN7 relied heavily on phishing campaigns to deliver malware downloaders called Griffon or Carbanak and Loadout on target networks. More recently, the threat actor has been using stolen credentials and attacks via third-party sites to get initial access. In one recent attack, for example, FIN7 first compromised the website of a digital products company and modified multiple download links on the site to point to an Amazon S3 bucket containing a backdoor version of a legitimate remote management tool.
Instead of using Loadout and Griffon, FIN7 has increasingly begun trying to deploy its malware directly on a victims network. Two tools that the group has been using recently in particular are Powerplant, a modular, multifunctional backdoor, and Beacon, a tool that FIN7 has been using as a secondary mode of access on compromised networks, alongside Powerplant.
Jeremy Kennelly, senior manager of financial crime analysis at Mandiant, says FIN7s move away from payment card data theft to ransomware operations has made it much harder to assess the damage it is causing now. The damage from ransomware intrusions goes far beyond ransoms paid; recovery efforts may cost significantly more, and lead to business or brand damages that are not easily calculable, he says.
Regardless of specific numbers, the group’s evolving objectives have almost certainly caused significant financial losses to their victims and the victims of other criminals whose operations they have enabled, Kennelly says.
Bryce Abdo, senior analyst at Mandiant, says FIN7s edge over other groups is its tooling, tradecraft, and evasiveness. Backdoors that the group uses — such as Powerplant and another tool called Diceloader — are complex and sophisticated, he says. The group has also shown an ability to limit the intelligence that security researchers can gather about their operations through measures like infrastructure hardening and complex obfuscation techniques.
“FIN7s path forward is likely a combination of relationships with ransomware operators and affiliates, in conjunction with extortion using stolen data as leverage, Abdo says. This assessment is based on FIN7 relationships in the past with [ransomware groups] Maze, DarkSide, and ALPHV, where the dual threat of data theft preceding ransomware deployment is common.”

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
FIN7 Morphs into a Broader, More Dangerous Cybercrime Group