APT / THREAT GROUP💰 FINANCIALHIGH

FIN1

🇷🇺Russia-attributed
1
campaigns
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

FireEye first identified this activity during a recent investigation at an organization in the financial industry. They identified the presence of a financially motivated threat group that they track as FIN1, whose activity at the organization dated back several years. The threat group deployed numerous malicious files and utilities, all of which were part of a malware ecosystem referred to as ‘Nemesis’ by the malware developer(s), and used this malware to access the victim environment and steal cardholder data. FIN1, which may be located in Russia or a Russian-speaking country based on language settings in many of their custom tools, is known for stealing data that is easily monetized from financial services organizations such as banks, credit unions, ATM operations, and financial transaction processing and financial business services companies.

Threat Analysis

FIN1 is a high-sophistication threat actor attributed to Russia, engaged in cyber operations with a primary motivation of financial.

Financially motivated threat actors like FIN1 prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, FIN1 is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Known Campaigns

FIN1 — Active Operations March 2026

FIN1 is a financial threat actor attributed to Russia. FireEye first identified this activity during a recent investigation at an organization in the financial industry. They identified the presence of a financially motivated threat group that they track as FIN1, whose activity at the organization dated back several years. The threat...

ACTIVEMEDIUM2026

External References

Quick Facts

TypeAPT / Threat Group
Motivation💰 financial
Sophisticationhigh
Origin🇷🇺 Russia
Aliases1
SourceMalpedia

Also Known As

FIN1

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.