FIN6 - SparTech Software

FIN6 is a financially motivated cybercriminal group active since at least 2012 (sometimes cited as 2015), initially notorious for targeting point-of-sale (POS) systems in the retail and hospitality sectors to steal payment card data for resale on underground markets. Over time, the group expanded its operations to include e-commerce skimming, ransomware (including ties to Ryuk and Lockergoga), and, most recently, advanced social engineering campaigns targeting corporate HR and recruiting workflows.

FIN6 (aka Camouflage Tempest, Gold Franklin, or Skeleton Spider) have adopted a novel attack vector using AWS-hosted fake resumes on LinkedIn to deliver More_eggs malware.
FIN6 (aka Camouflage Tempest, Gold Franklin, or Skeleton Spider) is a financially motivated cybercrime group active since 2012, initially targeting point-of-sale systems to steal payment card data. Recently, they’ve adopted a novel attack vector using AWS-hosted fake resumes on LinkedIn to deliver More_eggs malware, specifically targeting corporate recruiters.
FIN6 is attacking corporations by taking advantage of HR processes of new employment.
FIN6, a financially motivated cybercrime group historically known for point-of-sale system breaches and ransomware operations, has pivoted to exploiting HR workflows through a sophisticated social engineering campaign. By impersonating job seekers, they target recruiters to deploy malware and infiltrate corporate networks.

United States	~59% of ransomware attacks globally Thousands per year
Poland	1,000+ per week
Russia	Highest cybercrime threat level
China	Thousands per year
India	115% surge in attacks Q2 2024
Ukraine	Significant surge since 2022
Brazil	Among top countries for blocked attacks
Mexico	65% of businesses hit in 2024
Germany	High targeted rate (EU)
France	High targeted rate (EU)

AS Name	ASN
Bharat Sanchar Nigam Ltd	9829
No.31,Jin-rong Street	4134
CHINA UNICOM China169 Backbone	4837
DigitalOcean, LLC	14061
HUAWEI INTERNATIONAL PTE. LTD.	136907
Amazon.com, Inc.	14618
Alibaba (US) Technology Co., Ltd.	45102
Google LLC	396982
Amazon.com, Inc.	16509
3xK Tech GmbH	200373

IP Address	Notable Exploits/Context
104.238.159.149	SharePoint zero-day, broad exploitation
107.191.58.76	SharePoint zero-day, government targets
96.9.125.147	SharePoint, previously Ivanti exploits
139.162.47.194	Exploits on CitrixBleed 2
38.180.148.215	CitrixBleed 2 campaigns
185.224.128.17	High activity, Netherlands
89.248.163.200	High activity, Netherlands
15.235.218.150	Associated with APT, active C2
45.9.148.114	Associated with C2, malicious netflow
91.107.150.184	C2 infrastructure, recent IoC

Related