FIN7

SentinelLabs reported that FIN7 had been developing and marketing the 'AvNeutralizer' (a.k.a. AuKill) EDR-tampering tool on Russian-language criminal forums since at least April 2022, abusing the Windows ProcLaunchMon.sys driver to disable endpoint protection. The tool was observed in intrusions deploying AvosLocker, MedusaLocker, BlackCat, and LockBit ransomware, underlining FIN7's shift from operating its own POS-fraud crews toward enabling other ransomware affiliates.

Microsoft Threat Intelligence reported that Sangria Tempest (ELBRUS / Carbon Spider / FIN7) was abusing the ms-appinstaller URI scheme to distribute the EugenLoader downloader, which in turn delivered the Carbanak backdoor and Gracewire malware as precursors to human-operated ransomware. Microsoft tied the activity to Sangria Tempest's April 2023 Clop ransomware campaign, the group's first ransomware operation since late 2021.

DOJ unsealed indictments in the Western District of Washington against Ukrainian nationals Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov, all alleged to be senior members of FIN7. The 26-count indictment charged conspiracy, wire fraud, computer intrusion, access-device fraud, and aggravated identity theft tied to the theft of more than 15 million payment-card records from over 6,500 POS terminals at 3,600 U.S. business locations. FIN7 ran a sham penetration-testing firm, 'Combi Security,' to recruit operators.

MITRE ATT&CK published its FIN7 group profile (G0046), tracking the financially-motivated cluster active since at least 2013 against U.S. retail, restaurant, and hospitality targets. The profile records aliases including GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, and Microsoft's later 'Sangria Tempest' designation, and links FIN7 to the CARBANAK backdoor (S0030), GRIFFON, POWERSOURCE, and the Lizar/Diceloader implant.