New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks
June 18, 2025, 1 p.m.
Description
Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of a potential individual involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.
Date
- Created: June 13, 2025, 8:55 p.m.
- Published: June 13, 2025, 8:55 p.m.
- Modified: June 18, 2025, 1 p.m.
Additional Information
- Retail
- Hospitality
- Finance