New FIN7-Linked Infrastructure, PowerNet Loader, and Fake Update Attacks

June 18, 2025, 1 p.m.

Description

Insikt Group uncovered new infrastructure linked to GrayAlpha, a threat actor associated with FIN7. They identified a custom PowerShell loader named PowerNet that deploys NetSupport RAT, and another loader called MaskBat. Three main infection vectors were discovered: fake browser updates, fake 7-Zip download sites, and the TAG-124 traffic distribution system. While all three methods were used simultaneously, only the fake 7-Zip sites remained active at the time of writing. The analysis also led to the identification of a potential individual involved in GrayAlpha operations. The group's sophisticated tactics highlight the need for comprehensive security measures, including application allow-listing, employee training, and advanced detection techniques.

Date

  • Created: June 13, 2025, 8:55 p.m.
  • Published: June 13, 2025, 8:55 p.m.
  • Modified: June 18, 2025, 1 p.m.

Attack Patterns

Additional Information

  • Retail
  • Hospitality
  • Finance