Skip to main content
Mallory
Back to threat actors
Financially Motivated42 malware familiesExploits CVEs in the wild

FIN7

Also known asCARBON SPIDERELBRUSFIN7g0046GOLD NIAGARAITG14Sangria Tempest

FIN7 is a financially motivated threat actor. Known aliases in the provided content include Carbon Spider, ELBRUS, G0046, GOLD NIAGARA, ITG14, and Sangria Tempest; the content also notes FIN7 is also known as Carbanak. The group has been linked to attacks targeting Veeam Backup & Replication security flaws and has often collaborated with the Maze, Egregor, Conti, REvil, and BlackBasta ransomware groups. Microsoft reporting in the provided content states that Sangria Tempest/ELBRUS/Carbon Spider/FIN7 received access from Storm-0324 and that such handoffs frequently resulted in ransomware deployment. JSSLoader is attributed in the content to the Russian FIN7 hacking group. The provided content describes FIN7 tradecraft including spear-phishing campaigns, including one targeting personnel involved in SEC filings; use of malicious Microsoft Excel add-in (.xll) files delivered by email to drop JSSLoader; and abuse of mshta.exe/HTA and VBScript in tradecraft associated with FIN7. FIN7 used legitimate services such as Google Docs, Google Scripts, and Pastebin for command and control. The group used cmd.exe extensively, including a novel environment-variable string substitution obfuscation technique observed in June 2017, and also used the command prompt to launch commands and to open the Run dialog via malicious USB devices acting as virtual keyboards. FIN7 has established persistence by creating Registry Run and RunOnce keys, adding items to the Startup folder, and creating scheduled tasks. The group has used PowerShell, including a script named 3CF9.ps1 to perform process discovery via tasklist /v, and used PowerShell to launch shellcode that retrieved additional payloads. FIN7 used WMI to install malware on targeted systems. The content also states FIN7 used JavaScript scripts and SQL scripts to perform tasks on victim machines. Tooling and utilities directly mentioned in the content include Cobalt Strike, PowerSploit, Atera, Impacket, Mimikatz, and PsExec. FIN7 malware has used csvde.exe to export system information, and malware associated with FIN7/WsTaskLoad gathered host details such as operating system and hostname. The group has collected files and other sensitive information from compromised networks. The content also notes FIN7 attempted to run Darkside ransomware with the filename sleep.exe and used a malicious executable named WsTaskLoad.exe to mimic the legitimate Wondershare-associated filename. The content further states FIN7 signed Carbanak payloads with legally purchased code-signing certificates and also signed phishing documents, backdoors, and staging tools.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

49 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics67 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
3 techniques
T1587
Develop Capabilities
T1587.001
Malware
T1588
Obtain Capabilities
T1588.002
Tool
T1608×2
Stage Capabilities
T1608.001
Upload Malware
T1608.002
Upload Tool
TA0001
Initial Access
2 techniques
T1190×2
Exploit Public-Facing Application
T1566×3
Phishing
T1566.001×5
Spearphishing Attachment
TA0002
Execution
7 techniques
T1047
Windows Management Instrumentation
T1053
Scheduled Task/Job
T1053.005×2
Scheduled Task
T1059×2
Command and Scripting Interpreter
T1059.001×7
PowerShell
T1059.003×6
Windows Command Shell
T1059.005×4
Visual Basic
T1059.006
Python
T1059.007×5
JavaScript
T1129×3
Shared Modules
T1203
Exploitation for Client Execution
T1204
User Execution
T1204.002×4
Malicious File
T1204.003
Malicious Image
T1574
Hijack Execution Flow
TA0003
Persistence
5 techniques
T1053
Scheduled Task/Job
T1053.005×2
Scheduled Task
T1112
Modify Registry
T1137
Office Application Startup
T1137.001
Office Template Macros
T1505
Server Software Component
T1505.003
Web Shell
T1547
Boot or Logon Autostart Execution
T1547.001×3
Registry Run Keys / Startup Folder
T1547.009×3
Shortcut Modification
TA0004
Privilege Escalation
2 techniques
T1053
Scheduled Task/Job
T1053.005×2
Scheduled Task
T1547
Boot or Logon Autostart Execution
T1547.001×3
Registry Run Keys / Startup Folder
T1547.009×3
Shortcut Modification
TA0005
Stealth
6 techniques
T1027×3
Obfuscated Files or Information
T1036×3
Masquerading
T1140
Deobfuscate/Decode Files or Information
T1218
System Binary Proxy Execution
T1218.005
Mshta
T1218.010
Regsvr32
T1564
Hide Artifacts
T1564.006
Run Virtual Instance
T1574
Hijack Execution Flow
TA0112
Defense Impairment
2 techniques
T1112
Modify Registry
T1553
Subvert Trust Controls
T1553.002
Code Signing
TA0007
Discovery
4 techniques
T1012
Query Registry
T1033
System Owner/User Discovery
T1057
Process Discovery
T1082
System Information Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.001
Remote Desktop Protocol
TA0009
Collection
2 techniques
T1005×2
Data from Local System
T1074
Data Staged
T1074.001
Local Data Staging
TA0011
Command and Control
3 techniques
T1102
Web Service
T1105
Ingress Tool Transfer
T1219
Remote Access Tools
TA0010
Exfiltration
1 technique
T1567
Exfiltration Over Web Service
T1567.002
Exfiltration to Cloud Storage
TA0040
Impact
1 technique
T1486×2
Data Encrypted for Impact
ARSENAL

Associated malware families

42 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
CarbanakFIN7 has signed Carbanak payloads with legally purchased code signing certificates.10May 26, 2026
REvilIn 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families.8May 26, 2026
Cobalt StrikeAPT29 has obtained and used a variety of tools including Mimikatz, SDelete, Tor, meek, and Cobalt Strike.6May 26, 2026
DarksideELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware.6May 26, 2026
JSSLoaderELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon.6May 26, 2026

37 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

11 CVEs this actor has used in observed campaigns. 11 of them exploited in the wild.

CVE-2021-31207Post-auth arbitrary file write in Microsoft Exchange Server (ProxyShell)In the wildEvidence3

ELBRUS has also been abusing CVE-2021-31207 in Exchange to compromise organizations in April of 2022, an interesting pivot to using a less popular authenticated vulnerability in the ProxyShell cluster of vulnerabilities.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2019-0604Microsoft SharePoint Remote Code Execution VulnerabilityIn the wildEvidence1

CVE-2019-0604, a critical vulnerability opening unpatched Microsoft SharePoint servers to attack, is being exploited by attackers to install a web shell... A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package...

CVE-2020-1472ZerologonIn the wildEvidence1

Dragonfly has exploited a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory servers.

CVE-2021-34473ProxyShell pre-auth SSRF/authentication bypass in Microsoft Exchange AutodiscoverIn the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

6 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

100 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

100 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
+196 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping49

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal42

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs11

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables100

Domains, IPs, and hashes tied to this actor, refreshed continuously.