FIN6
Executive Summary
FIN6 is a financially motivated group active since at least 2015, documented primarily for theft of payment card data from point-of-sale (POS) systems in retail and hospitality environments. The group is tracked under multiple vendor designations including ITG08 (IBM X-Force) and Skeleton Spider (CrowdStrike). FIN6 has used spear-phishing for initial access, credential harvesting tools for lateral movement, and specialized POS RAM-scraping malware — FrameworkPOS and GratefulPOS — to collect payment card data from the memory of POS processes. Harvested card data has been sold through underground marketplaces.
Beginning around 2018, public reporting documented FIN6 activity associated with ransomware deployment against compromised enterprise environments, representing an operational shift or expansion from card theft to extortion. Available evidence does not establish FIN6’s country of origin or identify specific operators.
Notable Campaigns
2015–2018 — Payment Card Harvesting Operations
FIN6’s documented early operations focused on compromising retail and hospitality organizations to steal payment card data. The group used spear-phishing to obtain an initial foothold, followed by credential harvesting to enable lateral movement across POS infrastructure. FrameworkPOS and GratefulPOS were deployed to scrape card data from the memory of POS processes, with collected data staged locally before exfiltration. MITRE ATT&CK documentation and the Mandiant “Pick Six” intrusion report describe this operational pattern across multiple victim environments.
Stolen payment card data was subsequently advertised and sold on underground markets, indicating a direct monetization pipeline rather than state-directed collection. The consistency of targeting across unrelated retail and hospitality organizations reflects an opportunistic, financially driven operation.
2018–2022 — Ransomware Deployment and Expanded Operations
MITRE ATT&CK reporting documents FIN6 activity associated with the deployment of ransomware, including LockerGoga and Ryuk, against compromised enterprise environments. This shift, whether it represents direct deployment or facilitation through partnerships with ransomware operators, expanded the group’s monetization methods beyond payment card theft. The consistent use of prior FIN6 TTPs for initial access and lateral movement in these cases supports attribution to the same operational cluster.
E-commerce targeting also emerged in this period alongside continued brick-and-mortar retail operations, with the More_eggs JScript backdoor observed as an initial-stage implant in multiple campaigns attributed to FIN6.
Technical Capabilities
FIN6 achieves initial access primarily through spear-phishing emails with malicious attachments. The More_eggs JScript backdoor has been used as an initial-stage implant to establish a foothold in target environments. Once inside, actors harvest credentials from LSASS memory and use those credentials to move laterally via RDP and SMB shares, ultimately reaching POS systems and other targeted hosts.
FrameworkPOS and GratefulPOS are the group’s primary POS RAM-scraping tools. Both target the memory of POS processes to extract payment card track data. Collected card records are staged locally, typically compressed into archives, before exfiltration over the command-and-control channel. Metasploit has also been observed in FIN6 intrusions, providing post-exploitation capability.
Exfiltration occurs over the group’s C2 infrastructure using HTTP/HTTPS communications. FIN6 demonstrates consistent operational security awareness, including use of legitimate administrative tools to blend with normal network activity and minimize forensic footprint during lateral movement.
Attribution
FIN6 is documented by multiple independent security vendors including Mandiant (now part of Google), IBM X-Force, and CrowdStrike, as well as MITRE ATT&CK and the MITRE CTID adversary emulation project. Consistent TTPs, shared tooling, and overlapping targeting across independently investigated intrusions support treatment as a single distinct operational cluster.
No public government indictment or country-level attribution appears in available open-source reporting. The group’s monetization model — selling stolen payment card data on underground markets and later deploying ransomware — is consistent with financially motivated cybercriminal operations without identified state nexus.
MITRE ATT&CK Profile
T1566.001 - Spearphishing Attachment: FIN6 has used spear-phishing emails with malicious attachments to gain initial access to target environments.
T1078 - Valid Accounts: FIN6 has used legitimate credentials obtained through credential harvesting to maintain persistence and move laterally.
T1059.001 - PowerShell: FIN6 has used PowerShell for execution and post-exploitation activity within compromised environments.
T1003.001 - LSASS Memory: FIN6 has used credential harvesting tools to dump credentials from LSASS memory on compromised hosts.
T1021.001 - Remote Desktop Protocol: FIN6 has used RDP to move laterally through victim networks following initial compromise and credential harvesting.
T1021.002 - SMB/Windows Admin Shares: FIN6 has used SMB and Windows admin shares for lateral movement within victim environments.
T1056.001 - Keylogging: FIN6 has used keyloggers as part of its credential and payment card data collection operations.
T1005 - Data from Local System: FIN6 has used FrameworkPOS and GratefulPOS to scrape payment card data from the memory of point-of-sale processes.
T1074.001 - Local Data Staging: FIN6 has staged collected payment card data locally before exfiltration.
T1041 - Exfiltration Over C2 Channel: FIN6 has exfiltrated collected data over the same command-and-control channel used for post-exploitation activity.
T1105 - Ingress Tool Transfer: FIN6 has transferred tools and payloads including FrameworkPOS and GratefulPOS to compromised systems during operations.
T1071.001 - Web Protocols: FIN6 has used HTTP/HTTPS for command-and-control communications in observed intrusions.
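The following is an added detection example, not part of the original profile or of any vendor's tooling, covering the intrusion chain described under Technical Capabilities and the techniques listed in the ATT&CK profile above. It runs simple rules over constructed, simplified Sysmon/Windows-style events (LSASS access, RDP logon, archive creation, large outbound web transfer), tags each hit with its ATT&CK technique ID, and flags hosts where several stages fire within a short window; the event field names, the LSASS allowlist and the thresholds are assumptions to be tuned per environment.

```python
"""Toy detection pass for the FIN6 chain above: constructed, simplified Sysmon/Windows events."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not real logs): (timestamp, host, event_type, fields)
EVENTS = [
    ("2024-05-01T10:00:00", "WS01", "ProcessAccess", {"SourceImage": r"C:\Users\j\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
    ("2024-05-01T10:05:00", "POS07", "Logon", {"LogonType": "10", "IpAddress": "10.0.5.21"}),
    ("2024-05-01T10:20:00", "POS07", "ProcessCreate", {"Image": r"C:\Windows\Temp\7z.exe",
     "CommandLine": r"7z.exe a C:\Windows\Temp\t.7z C:\Windows\Temp\track.txt"}),
    ("2024-05-01T10:25:00", "POS07", "NetConn", {"DestPort": "443", "BytesOut": "1800000"}),
    ("2024-05-01T11:00:00", "WS02", "ProcessAccess", {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"}),
]
# Assumed allowlist of processes that legitimately open LSASS; tune per environment.
LSASS_BENIGN = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe", "makecab.exe"}
def classify(event_type, f):
    """Return the ATT&CK technique ID a single event indicates, or None."""
    if event_type == "ProcessAccess" and f["TargetImage"].lower().endswith("lsass.exe"):
        src = f["SourceImage"].rsplit("\\", 1)[-1].lower()
        # Sysmon EID 10: credential dumpers need PROCESS_VM_READ (0x0010) on LSASS
        if src not in LSASS_BENIGN and int(f["GrantedAccess"], 16) & 0x0010:
            return "T1003.001"
    if event_type == "Logon" and f["LogonType"] == "10":
        return "T1021.001"  # logon type 10 = RemoteInteractive (RDP)
    if event_type == "ProcessCreate":
        exe = f["Image"].rsplit("\\", 1)[-1].lower()
        if exe in ARCHIVERS and " a " in f["CommandLine"]:
            return "T1074.001"  # archive creation = local staging before exfil
    if event_type == "NetConn" and f["DestPort"] in ("80", "443") and int(f["BytesOut"]) > 1_000_000:
        return "T1041"  # large outbound transfer over web ports (T1071.001 channel)
    return None

def flag_hosts(events, window=timedelta(hours=1), min_stages=2):
    """Return {host: sorted techniques} for hosts where >= min_stages fire within window."""
    hits = defaultdict(list)
    for ts, host, etype, f in events:
        tech = classify(etype, f)
        if tech:
            hits[host].append((datetime.fromisoformat(ts), tech))
    flagged = {}
    for host, seq in hits.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            stages = {t for ts, t in seq[i:] if ts - t0 <= window}
            if len(stages) >= min_stages:
                flagged[host] = sorted(stages)
                break
    return flagged
```

On the constructed sample, only POS07 is flagged (RDP logon, archive staging and a large outbound transfer within an hour); WS01 shows a single suspicious LSASS access and WS02's LSASS access comes from an allowlisted process.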
Sources & References
- MITRE ATT&CK: FIN6 (G0037) — MITRE ATT&CK, 2025-01-14
- Google Cloud: Pick Six: Intercepting a FIN6 Intrusion — Google Cloud, 2019-11-07
- MITRE CTID: FIN6 Adversary Emulation Plan — MITRE CTID, 2020-06-01