A new backdoor has been identified in an unsuccessful attack launched by FIN8 targeting an unnamed U.S.-based financial institution. FIN8 is a financially motivated threat group that targets multiple industries.

What's new?

Bitdefender stumbled across a new version of the BadHatch malware in a recent attack against a financial institute.
  • Dubbed Sardonic, the new version is under active development and comes with a wide range of capabilities including letting operators use it instantly without updating its components.
  • In the recent incident, the attackers first breached the targeted network to carry out reconnaissance before performing privilege escalation and lateral movement to deploy the payload.
  • Despite numerous attempts to spread Sardonic on domain controllers, it failed because malicious command lines were blocked.

Sardonic can establish persistence on the infected machine and collect system info, execute arbitrary commands, load extra plugins, and send the data remotely to a server controlled by the attackers.

About FIN8

Since 2016, FIN8 has been using various techniques such as spear-phishing, along with different malware such as BadHatch /PunchTrack to steal payment card info from POS systems.
  • In March, FIN8 started targeting retail, technology, insurance, and chemical industries based in South Africa, the U.S., Canada, Panama, Italy, and Puerto Rico with BadHatch malware.
  • It is known for taking lingering pauses between campaigns, updating built-in tools and techniques, and abusing other genuine services.


FIN8 is fortifying its capabilities and malware delivery infrastructure. Organizations are advised to separate their PoS systems used by employees and educate them about the same. Moreover, they should train employees to identify phishing emails and strengthen email security solutions.

Cyware Publisher