FIN7 G0046 unknown
aka FIN7, GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, Sangria Tempest
Last updated: 2026-07-03
About this actor
[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to big game hunting (BGH), including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but multiple threat groups have been observed using [Carbanak](https://attack.mitre.org/software/S0030), leading these groups to be tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)(Citation: BiZone Lizar May 2021)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2026-20929 | 5.5 | 7.5 | 0.0114 | 2026-01-13 | see CVE |

T1005, T1008, T1021, T1021.001, T1021.004, T1021.005, T1027, T1027.010, T1027.016, T1033, T1036, T1036.004, T1036.005, T1047, T1053, T1053.005, T1057, T1059, T1059.001, T1059.003, T1059.005, T1059.007, T1069, T1069.002, T1071, T1071.004, T1078, T1078.003, T1082, T1087, T1087.002, T1091, T1102, T1102.002, T1105, T1113, T1124, T1125, T1140, T1190, T1195, T1195.002, T1204, T1204.001, T1204.002, T1210, T1218, T1218.005, T1218.011, T1219, T1486, T1497, T1497.002, T1543, T1543.003, T1546, T1546.011, T1547, T1547.001, T1553, T1553.002, T1558, T1558.003, T1559, T1559.002, T1564, T1564.001, T1564.003, T1566, T1566.001, T1566.002, T1567, T1567.002, T1569, T1569.002, T1571, T1572, T1583, T1583.001, T1583.006, T1587, T1587.001, T1588, T1588.002, T1591, T1591.004, T1608, T1608.001, T1608.004, T1608.005, T1620, T1674, T1686
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 54 / 93 | 58% |
| CM-6 | 51 / 93 | 55% |
| CM-2 | 47 / 93 | 51% |
| SI-3 | 43 / 93 | 46% |
| CM-7 | 41 / 93 | 44% |
| AC-3 | 38 / 93 | 41% |
| AC-6 | 36 / 93 | 39% |
| CA-7 | 36 / 93 | 39% |
| AC-2 | 33 / 93 | 35% |
| SI-7 | 28 / 93 | 30% |
| SC-7 | 25 / 93 | 27% |
| AC-4 | 24 / 93 | 26% |
| CM-5 | 24 / 93 | 26% |
| IA-2 | 22 / 93 | 24% |
| RA-5 | 22 / 93 | 24% |
Co-occurring actors
- Mustang Panda 1 shared CVE
- SolarWinds Compromise 1 shared CVE
- APT38 1 shared CVE
- Tonto Team 1 shared CVE
- Ember Bear 1 shared CVE
- GOLD SOUTHFIELD 1 shared CVE
- Aquatic Panda 1 shared CVE
- APT28 1 shared CVE
- Sandworm Team 1 shared CVE
- Ajax Security Team 1 shared CVE
Similar actors
Similar TTPs
- Gamaredon Group 0.36
- OilRig 0.36
- MuddyWater 0.34
- APT32 0.34
- Mustang Panda 0.33
Overlapping CVEs
- C0027 1.00
- APT12 1.00
- APT28 1.00
- OilRig 1.00
- Tropic Trooper 1.00
Active in same years
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
- C0027 1.00
- SharePoint ToolShell Exploitation 1.00
- Ke3chang 1.00