Date: 11/19/2025
Severity: High
Summary
FIN7 has been active since at least 2013, previously targeting sectors such as retail, hospitality, and financial services. The group shifted its monetization strategy from POS malware to big-game-hunting ransomware over time. Although widely analyzed, the malware’s code has changed very little since its early versions. It appears to have been used in real-world attacks since at least 2022. The payload is typically retrieved from a remote server hosting a ZIP archive containing an “install.bat” script. Open-source reporting indicates the malware provides persistence, reverse SSH tunneling for C2, and data exfiltration via SFTP.
Indicators of Compromise (IOC) List
IP Address:
- 38.135.54.20
- 193.233.205.55

SHA256 Hash:
- 2a0078b20b94c1346b85aba80db76ba07c5ccbcb78de53fac9d177d48afd8d4c
- bd9bad7c6ab35355dd29ac177fc6d9f732705cafb246ed37da303ddab31ade99
- 126ceb09a96fe13f76929f2139a813f8c950059108038a8dc4ece1905577c7f6
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: dstipaddress IN ("38.135.54.20","193.233.205.55") or srcipaddress IN ("38.135.54.20","193.233.205.55")
Detection Query 2: sha256hash IN ("bd9bad7c6ab35355dd29ac177fc6d9f732705cafb246ed37da303ddab31ade99","2a0078b20b94c1346b85aba80db76ba07c5ccbcb78de53fac9d177d48afd8d4c","126ceb09a96fe13f76929f2139a813f8c950059108038a8dc4ece1905577c7f6")
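The two detection queries above, applied to a few constructed log events as an added example (this is not Gurucul's or Unit 42's code). The IOC values are the advisory's; the event records, their field names and the `match_event`/`scan` helpers are assumptions for illustration.

```python
"""Apply the two detection queries from the advisory to sample log events."""
from typing import Dict, Iterable, List

# IOC values taken from the advisory above.
FIN7_IPS = {"38.135.54.20", "193.233.205.55"}
FIN7_SHA256 = {
    "2a0078b20b94c1346b85aba80db76ba07c5ccbcb78de53fac9d177d48afd8d4c",
    "bd9bad7c6ab35355dd29ac177fc6d9f732705cafb246ed37da303ddab31ade99",
    "126ceb09a96fe13f76929f2139a813f8c950059108038a8dc4ece1905577c7f6",
}


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection queries this event satisfies."""
    hits: List[str] = []
    # Detection Query 1: either endpoint of the connection is a listed IP.
    if event.get("srcipaddress") in FIN7_IPS or event.get("dstipaddress") in FIN7_IPS:
        hits.append("Detection Query 1")
    # Detection Query 2: SHA256 matches. Normalise case and whitespace, since
    # EDR and AV sources disagree on hex casing and pasted values carry spaces.
    sha = event.get("sha256hash", "").strip().lower()
    if sha in FIN7_SHA256:
        hits.append("Detection Query 2")
    return hits


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the events that matched, together with the matching queries."""
    return [{"event": e, "matched": m} for e in events if (m := match_event(e))]


# Constructed sample events (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"srcipaddress": "10.0.0.15", "dstipaddress": "193.233.205.55", "dstport": "22"},
    {"srcipaddress": "10.0.0.15", "dstipaddress": "203.0.113.9", "dstport": "443"},
    {"filename": "install.bat",
     "sha256hash": "BD9BAD7C6AB35355DD29AC177FC6D9F732705CAFB246ED37DA303DDAB31ADE99 "},
    {"filename": "notepad.exe", "sha256hash": "0" * 64},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["matched"], hit["event"])
```

The hash query only fires once the uppercase, space-padded value has been normalised, which is the usual reason a literal `IN (...)` match misses otherwise identical indicators.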
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-11-13-IOCs-for-Squeamish-Libra-activity.txt