
FIN8 Overview

The threat actor group tracked as FIN8 has been active since at least 2016 and is primarily focused on financially motivated cyber operations. The group has targeted several industry sectors, including insurance, retail, technology, and chemicals, by compromising point-of-sale (PoS) systems and stealing payment card data.

FIN8 is known for deploying malware such as PUNCHTRACK and BADHATCH to infect PoS systems. Recently, it has been linked to the White Rabbit ransomware operation, which shares a malicious URL and a version of the FIN8 backdoor called BADHATCH. The White Rabbit ransomware is a new strain that borrows features from the Egregor ransomware. It uses a double-extortion technique and is delivered via the Cobalt Strike post-exploitation framework. The exact relationship between FIN8 and White Rabbit is still unknown, but there are indications of a close connection or possible mimicry. FIN8 was also recently detected using an enhanced version of the Sardonic backdoor to deliver the ALPHV (also known as BlackCat) ransomware variant.

FIN8 constantly develop their malware toolset as well as their tactics. Due to their recent pivot towards the incorporation of ransomware such as ALPHV into their attack chain, and the success of the associated campaign, it is likely that this trend will continue.

Targeted Sectors

FIN8 have targeted several industry sectors, including insurance, retail, technology, and chemicals, by compromising PoS systems and stealing payment card data.

Threat Actor Motivations

The motives of FIN8 can be evaluated by observing the strategies they apply within the context of their campaigns. Given their target set and the intrusion methods applied by the group, it is almost certainly the case that Sangria Tempest operations are motivated purely by financial gain.

The Quorum Cyber Threat Intelligence team provides threat actor profiles so that you can better understand cybercriminals’ tactics, techniques, and procedures (TTPs).

Download your FIN8 report today to read more details.