FIN7 has been active since at least 2013 and has spent the intervening decade evolving from point-of-sale malware operators into a multi-stage, supply-chain-aware threat group. The rebrand through Carbanak, the Combi Security front company, the arrest of several members in 2018, and the continued operation under refreshed infrastructure and personnel make the group an interesting case study in threat actor persistence. The 2024 tradecraft is meaningfully different from the 2018 tradecraft, and financial-sector defenders who are still modelling FIN7 as POS-malware-focused are working from an outdated profile.
Current operational structure
By 2024 FIN7 has shown activity in several operational clusters that may or may not be a single coordinated group:
- Ransomware affiliation with multiple RaaS operations (historical links to REvil, BlackBasta, BlackCat).
- Initial access broker (IAB) operations, selling compromises of specific targets to other actors.
- Custom tooling development, including malicious Windows binaries signed with code signing certificates that were either compromised or legitimately obtained.
- Supply chain compromises of widely-deployed enterprise software, sometimes via maintainer-targeted phishing.
The structure resembles a franchised operation more than a single cohesive group. Attribution to "FIN7" in 2024 threat intelligence products often spans multiple affiliated clusters.
POS malware is still present but no longer primary
The 2013–2017 era of FIN7 featured high-volume attacks against retail and hospitality POS systems. Distinctive malware families (Carbanak, later Cobalt Strike deployments) targeted payment card data for direct fraud.
This activity continues at reduced volume but is no longer the dominant mode. The migration to ransomware affiliation and IAB services reflects both defender improvements (better POS segmentation, EMV/chip cards reducing card-data value) and the higher ROI of ransomware extortion.
The FIN7 signature in ransomware affiliation
When FIN7 operates as a ransomware affiliate, the operational signature tends to include:
- Initial access via spear-phishing with professional-looking lures, often tailored to the target industry.
- Living-off-the-land movement once inside — PowerShell, WMI, legitimate admin tools rather than custom malware.
- Careful lateral movement over days or weeks before triggering ransomware deployment.
- Data exfiltration before encryption, consistent with the double-extortion standard.
The patience of the lateral movement phase distinguishes FIN7 from smash-and-grab actors. Their operations often dwell inside an environment for weeks before visible impact, which complicates detection.
The PowerDrop / Lizar / DiceLoader toolchain
Custom FIN7 tooling in 2023–2024 includes:
- PowerDrop — PowerShell-based persistence and C2 tool.
- Lizar (also known as DiceLoader) — modular post-exploitation framework.
- AuKill — EDR-evasion utility targeting specific endpoint products.
- Signed binaries using either stolen or attacker-obtained code signing certificates.
The signed-binary technique is significant for supply chain defenders. A valid code signing certificate allows binaries to pass many default trust checks. FIN7 has reportedly obtained legitimate certs through front company purchases and compromised legitimate certs through maintainer phishing.
Supply chain angle: certificate targeting
FIN7 has been credibly linked to incidents where the attack vector was a legitimate developer or signing infrastructure compromise. Recovering credentials or signing keys from a legitimate vendor and using them to sign FIN7 malware gives the malware unusual trust in target environments.
For financial-sector defenders, this means:
- Signed-binary trust is not a sufficient check — the signer can be compromised.
- Vendors whose signing infrastructure is targeted (software vendors, MSPs, consulting firms) can become unwitting propagators.
- Third-party risk management should specifically address signing-infrastructure hardening.
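The point that a valid signature is necessary but not sufficient can be made concrete as a trust decision. The following is an added example, not code from the article or any vendor: the signer must be pinned per vendor, a signing time inside a vendor-reported key-compromise window sends the binary to quarantine, and a binary with no trusted timestamp is also held, because its signing time cannot be placed relative to the compromise. Thumbprints, vendor names and dates are constructed placeholders.

```python
"""Added example (not the article's own code): treating an Authenticode
signature as one input to a trust decision rather than the decision itself.
All thumbprints, vendor names and dates here are constructed placeholders."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed: vendor -> thumbprints of the signing certs that vendor has attested to.
PINNED_SIGNERS = {
    "ExampleVendor": {"THUMBPRINT-EXAMPLEVENDOR-2023"},
}
# Constructed: thumbprint -> (start, end) of a reported signing-key compromise window.
COMPROMISE_WINDOWS = {
    "THUMBPRINT-EXAMPLEVENDOR-2023": (date(2024, 3, 1), date(2024, 3, 20)),
}

@dataclass
class SignedBinary:
    path: str
    vendor: str                 # vendor the binary claims to come from
    chain_valid: bool           # result of Authenticode chain verification
    signer_thumbprint: str
    signed_on: Optional[date]   # from an RFC 3161 countersignature, None if absent

def trust_decision(b: SignedBinary) -> tuple:
    """Return (verdict, reason); verdict is one of allow, quarantine, deny."""
    if not b.chain_valid:
        return ("deny", "signature missing or chain invalid")
    if b.signer_thumbprint not in PINNED_SIGNERS.get(b.vendor, set()):
        # A valid chain from an unpinned signer is the front-company certificate case.
        return ("deny", "valid signature but signer not pinned for this vendor")
    if b.signed_on is None:
        # Without a trusted timestamp the signing time cannot be compared to a compromise window.
        return ("quarantine", "no trusted timestamp; signing time unverifiable")
    window = COMPROMISE_WINDOWS.get(b.signer_thumbprint)
    if window and window[0] <= b.signed_on <= window[1]:
        return ("quarantine", "signed inside reported compromise window")
    return ("allow", "pinned signer, signed outside any compromise window")

def decide(path, vendor, chain_valid, thumbprint, signed_on_iso=None):
    """Convenience wrapper taking the signing date as an ISO string (or None)."""
    signed = date.fromisoformat(signed_on_iso) if signed_on_iso else None
    return trust_decision(SignedBinary(path, vendor, chain_valid, thumbprint, signed))
```

In practice the pinned thumbprints are the artefact a contract-level signing attestation should deliver, and the compromise window comes from the vendor's incident disclosure.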
The financial-sector specific targeting
FIN7 targeting of financial sector organisations shows some distinctive patterns:
- Treasury and payment operations targeting — initial access often routes toward finance-function personnel to enable fraudulent wire transfers and BEC-style compromises.
- Payroll provider targeting — hitting a payroll provider gives access to many downstream financial-sector organisations at once.
- Market data and trading infrastructure — some FIN7-attributed activity has targeted trading platforms and market data vendors with apparent intent to enable market manipulation or insider-trading-adjacent operations.
The pattern suggests targeting that understands financial-sector business processes, not just generic enterprise environments.
Detection priorities for financial-sector defenders
Four specific detection priorities informed by FIN7 tradecraft:
- PowerShell execution patterns anomalous for the user/role — long-running sessions, obfuscated or encoded content, outbound connections.
- Signed-binary execution from unexpected parents — signed Microsoft binary spawned by Outlook, or signed utility invoked from a user profile directory.
- Credential access patterns — processes reading browser-stored credentials, Windows Credential Manager, SSH keys.
- Anomalous outbound connections from finance-function user machines — especially during off-hours.
Each of these has baseline-plus-alerting implementations in mature SIEM platforms. The challenge is often tuning them specifically for financial-sector environments where normal activity includes high PowerShell usage and frequent signed-binary execution.
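The four priorities above, expressed as rules over constructed process and network events in a Sysmon-like shape. This is an added example, not code from the article: field names, the role mapping, business hours and every sample event are assumptions, and the role field stands in for whatever user-to-business-function lookup a SIEM would supply.

```python
"""Added example (not from the article): the four FIN7-informed detection
priorities as rules over constructed Sysmon-like events. Field names, roles,
hours and all sample values are assumptions made for this illustration."""
import re

PS_ENCODED = re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I)
CRED_STORES = re.compile(r"(Login Data|Credential Manager|vaultcmd|\\\.ssh\\|id_rsa)", re.I)
FINANCE_ROLES = {"treasury", "payments", "payroll"}   # constructed role mapping
BUSINESS_HOURS = range(7, 20)                          # 07:00 to 19:59 local

def detect(ev: dict) -> list:
    """Return the names of the rules an event trips (empty list if none)."""
    hits = []
    img = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("command_line", "")
    # 1. Anomalous PowerShell: encoded payload from a non-admin role.
    if img.endswith("powershell.exe") and ev.get("role") != "admin" and PS_ENCODED.search(cmd):
        hits.append("ps_encoded_nonadmin")
    # 2. Signed binary spawned by Outlook or running from a user profile directory.
    if ev.get("signed") and (parent.endswith("outlook.exe") or "\\users\\" in img):
        hits.append("signed_binary_unexpected_parent")
    # 3. Access to browser credential stores, Credential Manager or SSH keys.
    if CRED_STORES.search(cmd) or CRED_STORES.search(ev.get("target_file", "")):
        hits.append("credential_store_access")
    # 4. Off-hours outbound connection from a finance-function machine.
    if ev.get("dest_ip") and ev.get("role") in FINANCE_ROLES and ev.get("hour") not in BUSINESS_HOURS:
        hits.append("finance_offhours_outbound")
    return hits

# Constructed sample events; the base64 below is a harmless filler ("AAA...") of the right length.
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "signed": True,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "role": "treasury",
     "command_line": "powershell.exe -nop -w hidden -enc " + "QUFB" * 12, "hour": 10},
    {"id": "e2", "image": r"C:\Users\j.doe\AppData\Local\Temp\helper.exe", "signed": True,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "role": "payments",
     "command_line": "helper.exe /quiet", "hour": 11},
    {"id": "e3", "image": r"C:\Windows\System32\cmd.exe", "signed": True, "parent_image": r"C:\Windows\explorer.exe",
     "role": "treasury", "command_line": r'copy "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" C:\tmp', "hour": 14},
    {"id": "e4", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "signed": True,
     "parent_image": r"C:\Windows\explorer.exe", "role": "payroll", "dest_ip": "203.0.113.10", "hour": 2},
    {"id": "e5", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "signed": True,
     "parent_image": r"C:\Windows\explorer.exe", "role": "admin", "command_line": "powershell.exe -enc " + "QUFB" * 12, "hour": 9},
]

def run(events=SAMPLE_EVENTS) -> dict:
    """Map event id -> list of tripped rules, the shape a SIEM correlation stage would emit."""
    return {e["id"]: detect(e) for e in events}
```

The admin-role exemption in rule 1 and the hour window in rule 4 are the tuning knobs the paragraph above refers to; in a finance environment with heavy legitimate PowerShell use they are what keeps the rules from drowning in baseline noise.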
Vendor risk management informed by FIN7
Three practices that reduce FIN7-class exposure via vendors:
- Require vendor signing-infrastructure attestation in contracts for critical software vendors. Specifically: where signing keys are stored, who can access them, and what the rotation cadence is.
- Track software vendor incident history, including whether past incidents involved signing infrastructure compromise.
- Plan for signed-binary compromise scenarios in IR playbooks. If a vendor's signed binary is confirmed malicious, what is your response? Pure code-signing trust is not a reliable control.
The arrest-resilient persistence of FIN7
The 2018 arrests of several high-profile FIN7 members were expected by many defenders to degrade the group's operations. The arrests did affect specific operations but did not end the group. Replacement personnel, operational continuity, and the distributed-cluster organisational model meant that FIN7 activity continued at or above pre-arrest volumes within months.
The lesson for defenders: law enforcement action against specific actors provides only temporary relief. Defensive posture against FIN7-class tradecraft needs to assume the group persists.
Where the threat model is headed
Three plausible developments for 2025:
- More supply chain compromises rather than direct endpoint access. Compromising one vendor's build pipeline gives access to many customers.
- AI-augmented spear phishing using generative models for personalised lure content. Some current activity appears to be doing this already.
- Cryptocurrency-related targeting expanding beyond direct crypto organisations into financial firms with crypto exposure.
Each reinforces the importance of supply chain and vendor-management controls over pure endpoint defenses.
How Safeguard Helps
Safeguard's TPRM module tracks vendor signing-infrastructure posture, incident history, and risk signals relevant to FIN7-class threat models. Griffin AI correlates financial-sector threat intelligence feeds with the specific vendor and dependency graph of the organisation to produce targeted risk ratings. Policy gates can require vendor signing-attestation evidence at contract renewal for critical software vendors. For financial-sector organisations whose FIN7-class exposure is real and ongoing, Safeguard provides the vendor and supply-chain-specific visibility that endpoint-focused defenses miss.