FIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute MSIX Payloads
In April 2024, eSentire’s Threat Response Unit (TRU) observed multiple incidents involving FIN7, a financially motivated threat group based in Russia that has been active since 2013. The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet.
Indicators of Compromise (50)