FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor

Nested Applications

Asset Publisher

null FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor

A recent wave of spear-phishing campaigns leveraged weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros to drop malicious payloads, including a JavaScript implant, against a point-of-sale (PoS) service provider located in the U.S.


The attacks, which are believed to have taken place between late June to late July 2021, have been attributed with "moderate confidence" to a financially motivated threat actor dubbed FIN7.


The specified targeting of the Clearmind domain fits well with FIN7's preferred modus operandi. 
An Eastern European group active since at least mid-2015, FIN7 has a checkered history of targeting restaurant, gambling, and hospitality industries in the U.S. to plunder financial information such as credit and debit card numbers that were then used or sold for profit on underground marketplaces.
Although multiple members of the collective have been imprisoned for their roles in different campaigns since the start of the year, FIN7's activities have also been tied to another group called Carbanak, given its similar TTPs, with the main distinction being that while FIN7 focuses on hospitality and retail sectors, Carbanak has singled out banking institutions.


In the latest attack observed by Anomali, the infection commences with a Microsoft Word maldoc containing a decoy image that's purported to have been "made on Windows 11 Alpha," urging the recipient to enable macros to trigger the next stage of activity, which involves executing a heavily-obfuscated VBA macro to retrieve a JavaScript payload, which has been found to share similar functionality with other backdoors used by FIN7.


Besides taking several steps to try to impede analysis by populating the code with junk data, the VB script also checks if it is running under a virtualized environment such as VirtualBox and VMWare, and if so, terminates itself, in addition to stopping the infection chain upon detecting Russian, Ukrainian, or several other Eastern European languages.


The backdoor's attribution to FIN7 stems from overlaps in the victimology and techniques adopted by the threat actor, including the use of a JavaScript-based payload to plunder valuable information.


"FIN7 is one of the most notorious financially motivated groups due to the large amounts of sensitive data they have stolen through numerous techniques and attack surfaces" . "Things have been turbulent for the threat group over the past few years as with success and notoriety comes the ever-watchful eye of the authorities. Despite high-profile arrests and sentencing, including alleged higher-ranking members, the group continues to be as active as ever."

We are a member of First

We are a member of First






Most Viewed Assets

Most Viewed News

Nested Applications

Contact Us

Free Call[OH]: 933

Phone Number: +251-993939270




P.O.Box: 124498

Asset Publisher


Nested Applications

Asset Publisher



  • Trustworthiness
  • Innovation
  • Scientific
  • Democracy
  • Synergy
  • Saving