Formally attributed · Active · MITRE G0046

FIN7

FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.

Attribution signal

Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score. ≥ 10 High, ≥ 3 Moderate, < 3 Low.

Score: 0.7 (Low signal strength)
Mentions: 2
Sources: 1
High conf.: 0
Last seen: Jun 2026

First observed: 2017-05-31
Last active: Active
Origin: Eastern Europe — likely Russia or Ukraine based on indictments (medium confidence)
Aliases: 6
Techniques: 67
Campaigns: 2
Targets: Retail, Restaurant, Hospitality, Financial
Regions: US, EU, AU

Attribution signals

2 mentions · 1 source
#1 · been linked to · moderate · Malware · bleepingcomputer · Jun 2026

"The financially motivated FIN7 threat group (which often collaborated with the Maze, Egregor, Conti, REvil, and BlackBasta ransomware groups) and the Cuba ransomware gang have also both been linked to attacks targeting VBR security flaws."

#2 · unspecified · unspecified · Unspecified · greynoise · Jun 2026

"threat actors like FIN7"

Hedge terms observed

been linked to · unspecified