Insikt Group exposes GrayAlpha’s evolving infrastructure and infection methods—including PowerNet and MaskBat loaders, fake 7-Zip sites, and the undocumented TAG-124 network—linking the group to FIN7’s advanced cybercriminal operations.
Analysis Summary
# Threat Actor: GrayAlpha (Overlaps with FIN7)
## Attribution & Identity
- **Primary Identification:** GrayAlpha.
- **Known Aliases/Associations:** Overlaps significantly with the financially motivated cybercriminal group commonly referred to as FIN7.
- **Historical Context:** FIN7 has been active since at least 2013 and is known for operating like a professional business with highly compartmentalized teams. FIN7 members were indicted by the US DOJ in 2018.
## Activity Summary
The activity summary focuses on newly identified infrastructure associated with GrayAlpha/FIN7:
- **New Infrastructure:** Discovery of new domains used for payload distribution and additional associated IP addresses.
- **Recent Activity:** While multiple infection vectors were observed simultaneously, only fake 7-Zip download sites remained active at the time of writing, with new domains registered as recently as April 2025.
- **Investigation Lead:** Analysis of the fake 7-Zip sites led to the identification of an individual who may be involved in the GrayAlpha operation.
## Tactics, Techniques & Procedures
- **Infection Vectors:**
  1. Fake browser update pages.
  2. Fake 7-Zip download sites (typosquatting, e.g., `advanced-ip-sccanner[.]com`).
  3. Traffic Distribution System (TDS) TAG-124 (not previously publicly documented).
- **Malware/Loaders:**
  - **PowerNet:** A custom PowerShell loader that decompresses and executes the **NetSupport RAT**.
  - **MaskBat:** Another custom loader, similar to FakeBat but heavily obfuscated and containing strings linked to GrayAlpha.
- **Tradecraft:** Leverages social engineering and customized malware. Demonstrates a high level of persistence sometimes associated with APTs.
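The typosquatted download domains listed above (a misspelled `advanced-ip-sccanner[.]com`, and a brand-plus-suffix `advancedipscannerapp[.]com`) are the kind of indicator a defender can triage mechanically. The following is an added example, not code from the report or from Insikt Group: it refangs a defanged indicator, reduces it to its registrable label, and classifies it against a small, assumed list of legitimate software-download domains using three checks (identical letters under a different TLD or punctuation, the brand embedded in a longer label, and a small edit distance). The protected-domain list and the distance threshold are assumptions for illustration.

```python
import re

# Assumed list of legitimate download domains that GrayAlpha's fake sites imitate.
# 7-zip.org and advanced-ip-scanner.com are the real vendor domains; the mapping
# itself is a constructed assumption for this example.
PROTECTED = {
    "7-zip.org": "7-Zip",
    "advanced-ip-scanner.com": "Advanced IP Scanner",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as `_advanced-ip-sccanner[.]com_` into a hostname."""
    host = indicator.strip().strip("_").lower()
    host = host.replace("hxxps://", "").replace("hxxp://", "")
    host = host.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return host.split("/")[0]


def registrable(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (adequate for .com/.org style names)."""
    return ".".join(host.split(".")[-2:])


def normalize(label: str) -> str:
    """Collapse punctuation so '7-zip' and '7zip' compare equal."""
    return re.sub(r"[^a-z0-9]", "", label)


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance, used to catch single-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator: str):
    """Return (verdict, impersonated brand) for a lookalike domain, or None if benign/genuine."""
    reg = registrable(refang(indicator))
    if reg in PROTECTED:
        return None  # the genuine vendor domain (or a subdomain of it)
    norm = normalize(reg.rsplit(".", 1)[0])
    for legit, brand in PROTECTED.items():
        legit_norm = normalize(legit.rsplit(".", 1)[0])
        if norm == legit_norm:
            return ("lookalike", brand)   # same letters, different TLD or punctuation
        if legit_norm in norm:
            return ("brand-affix", brand)  # brand embedded in a longer label
        # Allow roughly one typo per eight characters, and at least one for short brands.
        if levenshtein(norm, legit_norm) <= max(1, len(legit_norm) // 8):
            return ("typo", brand)
    return None


def scan(indicators):
    """Classify a batch of indicators; only flagged entries are returned."""
    results = []
    for ind in indicators:
        verdict = classify(ind)
        if verdict is not None:
            results.append((refang(ind), verdict[0], verdict[1]))
    return results


if __name__ == "__main__":
    # Constructed input: the two indicators from the report plus benign controls.
    sample = [
        "_advanced-ip-sccanner[.]com_",
        "advancedipscannerapp[.]com",
        "www.7-zip.org",
        "7zip.org",
        "example.com",
    ]
    for host, verdict, brand in scan(sample):
        print(f"{host:32} {verdict:12} impersonates {brand}")
```

The edit-distance check is deliberately conservative so that unrelated short names are not flagged; in practice the protected list would be the software your users are actually allowed to download, and hits would be fed into DNS or proxy blocklists rather than acted on blindly.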
## Targeting
- **Sectors:** Historically, FIN7 targets retail, hospitality, and financial sectors (especially related to payment card data theft).
- **Geography:** Organizations across 47 US states and multiple countries (based on historical FIN7 scope).
- **Victims:** Thousands of point-of-sale (POS) systems compromised historically; the current campaign suggests ongoing targeting across multiple industries due to the professionalization of cybercrime.
## Tools & Infrastructure
- **Malware Families Used:** NetSupport RAT (delivered post-loading), POWERTRASH, DiceLoader (historical FIN7 association).
- **Infrastructure:**
  - **Hosting:** Infrastructure predominantly resolves to bulletproof hosting providers, notably Stark Industries Solutions (AS44477) and AS29802 (HIVELOCITY, Inc.).
  - **Key ASN:** AS41745 (FORTIS-AS), operated by “Baykov Ilya Sergeevich” (ORG-HIP1-RIPE), which is closely tied to the ISP "hip-hosting" (`fortis[.]host`, `hip-hosting[.]com`).
  - **Defanged Infrastructure Examples (Associated with Infection Vector 1):** `advanced-ip-sccanner[.]com`, `advancedipscannerapp[.]com`
## Implications
GrayAlpha/FIN7 demonstrates the continued professionalization and increasing sophistication of financially motivated cybercriminal groups, adopting persistence levels similar to nation-state actors. Their methods are evolving (e.g., new loaders like PowerNet) and are highly adaptive, making them a persistent, high-value threat driven by sustained profitability.
## Mitigations
- Enforce application allow-listing to block seemingly legitimate downloads that carry malware.
- Provide comprehensive employee security training that emphasizes recognizing suspicious behaviors (e.g., unexpected browser update prompts, malvertising redirects).
- Use the provided YARA rules and Malware Intelligence Hunting queries as detection rules, and update them frequently.
- Monitor network artifacts and employ broad detection techniques, accounting for the actor's constant evolution.
- Monitor the broader cybercriminal ecosystem to anticipate adaptation and specialization trends.
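The mitigations above call for broad detection techniques rather than indicator matching, since the loaders change. PowerNet is described as a PowerShell loader that decompresses and executes its payload, which is a behaviour that can be scored generically from PowerShell command-line telemetry. The following is an added example, not code from the report or a PowerNet signature: it scores constructed process command lines for in-memory decompression, Base64 decoding, script-block execution, hidden windows and encoded commands, and turns the score into a triage verdict. The indicator weights, thresholds and sample log lines are assumptions constructed for illustration.

```python
import re

# Generic behavioural indicators for "decompress-and-execute" PowerShell loaders.
# Weights are an assumption for this example, not values from the report.
INDICATORS = {
    "decompress": (re.compile(r"IO\.Compression\.(GZip|Deflate)Stream|CompressionMode\]::Decompress", re.I), 3),
    "base64":     (re.compile(r"FromBase64String", re.I), 2),
    "exec":       (re.compile(r"\bIEX\b|Invoke-Expression|\[Reflection\.Assembly\]::Load", re.I), 3),
    "hidden":     (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1),
    "encoded":    (re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
}

# Constructed sample telemetry (e.g., process-creation command lines); none are real PowerNet samples.
SAMPLE_LOGS = [
    'powershell.exe -nop -w hidden -c "IEX (New-Object IO.StreamReader(New-Object '
    'IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String(\'H4sIAAAAAAAA\'),'
    '[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"',
    'powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1',
    'powershell.exe -Command "Get-ChildItem C:\\Temp | Compress-Archive -DestinationPath C:\\Temp\\logs.zip"',
    'powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
]


def analyze(cmdline: str) -> dict:
    """Return the matched indicators, total score and a verdict for one command line."""
    hits = [name for name, (pattern, _) in INDICATORS.items() if pattern.search(cmdline)]
    score = sum(INDICATORS[name][1] for name in hits)
    if score >= 5:
        verdict = "high"      # e.g., decompression plus execution in one command
    elif score >= 3:
        verdict = "medium"    # e.g., hidden window plus encoded command
    else:
        verdict = "low"
    return {"indicators": hits, "score": score, "verdict": verdict}


def triage(lines):
    """Score a batch of command lines, returning (index, verdict, score) for anything above 'low'."""
    flagged = []
    for idx, line in enumerate(lines):
        result = analyze(line)
        if result["verdict"] != "low":
            flagged.append((idx, result["verdict"], result["score"]))
    return flagged


if __name__ == "__main__":
    for idx, verdict, score in triage(SAMPLE_LOGS):
        print(f"line {idx}: {verdict} (score {score}) {analyze(SAMPLE_LOGS[idx])['indicators']}")
```

Note that the legitimate `Compress-Archive` cmdlet in the third sample does not trip the decompression indicator, which is the kind of false-positive check worth keeping in any such rule before deploying it across a fleet; the scoring approach also survives renamed loaders, because it keys on what the command does rather than on strings tied to one malware family.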