FIN7 Spear-Phishing Campaign Targets U.S. Automotive Industry

The notorious cybercrime group FIN7, also known as Carbon Spider, has been linked to a spear-phishing campaign targeting the U.S. automotive industry with Carbanak Backdoor.

Using sophisticated tactics, they specifically targeted IT department employees with administrative rights, offering a fake IP scanning tool to deploy their well-known Anunak backdoor. This marks a shift for FIN7, known for stealing data from point-of-sale systems since 2012, towards ransomware operations in recent years, deploying strains like Black Basta, Cl0p, DarkSide, and REvil. Two members of the group have already been sentenced to prison in the U.S.

The campaign, discovered by BlackBerry in late 2023, begins with a spear-phishing email containing a booby-trapped link to a fake site resembling Advanced IP Scanner. This leads to the download of a malicious executable, WsTaskLoad.exe, which initiates a multi-stage process ultimately executing Carbanak and establishing persistence with OpenSSH for remote access. Although the specific intent for ransomware deployment remains unclear, early detection prevented lateral movement.


While targeting a large multinational automotive manufacturer, BlackBerry identified several similar malicious domains, suggesting a broader campaign by FIN7. To mitigate such threats, organizations are advised to remain vigilant against phishing attempts, implement multi-factor authentication, maintain up-to-date software, and monitor for unusual login activity.