FIN6 (also known as ITG08, Skeleton Spider, Magecart Group 6) is a financially motivated threat group attributed to eCrime (Russian-speaking) and active since 2015. The group primarily targets the retail, hospitality, POS systems and e-commerce sectors. It is tracked by MITRE ATT&CK as G0037.
Overview & Attribution
Financially motivated threat group specializing in payment card theft from POS systems and e-commerce platforms, responsible for millions of stolen card numbers across retail and hospitality.
FIN6 has been active since 2015 and is attributed to eCrime (Russian-speaking). The group is known for targeting retail, hospitality, POS systems and e-commerce, using a combination of custom malware, living-off-the-land techniques, and sophisticated social engineering.
- Attribution: eCrime (Russian-speaking)
- Active since: 2015
- Primary targets: retail, hospitality, POS systems, e-commerce
- Also known as: ITG08, Skeleton Spider, Magecart Group 6
Arsenal & Tools
FIN6 employs a diverse arsenal of custom and shared tooling used in its operations, including:
- FrameworkPOS
- Trinity POS
- Cobalt Strike
- Anchor
- more_eggs
Targeting & Operations
The group focuses on the retail, hospitality, POS systems and e-commerce sectors, with operations spanning multiple geographic regions. Their campaigns typically involve carefully crafted spearphishing, strategic watering holes, and exploitation of public-facing applications.
FIN6 is characterized by persistent, long-term access operations. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1078 Valid Accounts | Stolen/purchased credentials |
| Execution | T1059.001 PowerShell | PowerShell post-exploitation |
| Persistence | T1053.005 Scheduled Task | Scheduled task persistence |
| Collection | T1005 Data from Local System | POS memory scraping |
| Lateral Movement | T1021.002 SMB/Admin Shares | SMB lateral movement |
| Exfiltration | T1041 Exfil Over C2 | Card data exfiltration |
Notable Campaigns
FIN6 has been linked to multiple significant campaigns targeting organizations in the retail, hospitality, POS systems and e-commerce sectors. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.
- Long-term espionage: Multi-year intrusions into government and defense networks
- Supply chain targeting: Compromise of technology providers and managed service providers
- Zero-day exploitation: Use of previously unknown vulnerabilities for initial access
Detection & Defense
- Threat intelligence integration: Monitor for known FIN6 IOCs and TTPs in SIEM/EDR platforms
- Network monitoring: Detect C2 patterns associated with FrameworkPOS and related tooling
- Email security: Implement advanced phishing detection for spearphishing campaigns
- Endpoint detection: Deploy behavioral detection rules for known FIN6 TTPs
- Patch management: Prioritize patching of vulnerabilities known to be exploited by this group
- Lateral movement detection: Monitor for suspicious authentication patterns and admin tool usage
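As an added illustration (not part of the original profile), the following Python sketch correlates three of the techniques from the ATT&CK mapping above (T1059.001, T1053.005, T1021.002) over constructed Windows Security event records; the record layout, field names and the per-account threshold are assumptions, and in practice the events would come from a SIEM or EDR feed.

```python
"""Correlate FIN6-mapped ATT&CK techniques across constructed Windows event records."""
from collections import defaultdict

# Constructed sample events (not real telemetry). Windows Security event IDs used:
# 4688 = process creation, 4698 = scheduled task created, 5140 = network share accessed.
SAMPLE_EVENTS = [
    {"host": "pos-01", "id": 4688, "user": "svc_pos",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"host": "pos-01", "id": 4698, "user": "svc_pos", "task": "\\Microsoft\\Windows\\Updater"},
    {"host": "pos-02", "id": 5140, "user": "svc_pos", "share": "\\\\*\\ADMIN$"},
    {"host": "wks-17", "id": 4688, "user": "alice", "cmd": "powershell.exe -File backup.ps1"},
    {"host": "wks-17", "id": 4698, "user": "alice", "task": "\\Backup"},
]

ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")


def classify(ev):
    """Map one event to a technique from the FIN6 mapping, or None if it is benign/unmapped."""
    if ev["id"] == 4688:
        cmd = ev.get("cmd", "").lower()
        # Only flag PowerShell when it carries post-exploitation hallmarks
        # (encoded command or hidden window), not every PowerShell launch.
        if "powershell" in cmd and any(f in cmd for f in ("-enc", "-encodedcommand", "-w hidden")):
            return "T1059.001"
    elif ev["id"] == 4698:
        return "T1053.005"          # scheduled task persistence
    elif ev["id"] == 5140 and ev.get("share", "").upper().endswith(ADMIN_SHARES):
        return "T1021.002"          # SMB/admin share lateral movement
    return None


def correlate(events, threshold=2):
    """Group technique hits per account; escalate accounts that touch at least
    `threshold` distinct mapped techniques, which is what separates a single
    noisy scheduled task from a multi-stage intrusion pattern."""
    hits = defaultdict(set)
    for ev in events:
        tech = classify(ev)
        if tech:
            hits[ev["user"]].add(tech)
    return {user: sorted(t) for user, t in hits.items() if len(t) >= threshold}


if __name__ == "__main__":
    for user, techniques in correlate(SAMPLE_EVENTS).items():
        print(f"escalate {user}: {', '.join(techniques)}")
```

Running it escalates only svc_pos, while alice's lone scheduled-task event stays below the threshold.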
Defend Against FIN6
Mjolnir Security provides specialized capabilities to detect and respond to FIN6 operations.
- APT Threat Hunting: Proactive hunting for FIN6 TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence: Continuous monitoring of FIN6 campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response: Rapid containment and forensic investigation. Call +1 833 403 5875.