{"id":10434,"date":"2023-04-26T09:15:00","date_gmt":"2023-04-26T08:15:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/fin7-target-veeam-servers\/"},"modified":"2023-04-26T09:15:00","modified_gmt":"2023-04-26T08:15:00","slug":"fin7-target-veeam-servers","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/fin7-target-veeam-servers\/","title":{"rendered":"FIN7 tradecraft seen in attacks against Veeam backup servers"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    FIN7 tradecraft seen in attacks against Veeam <span class=\"blue-text\">backup servers<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Threat intelligence                 
                   <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                26 April, 2023                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Teilen Sie dies                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/fin7-target-veeam-servers\/&#038;title=FIN7%20tradecraft%20seen%20in%20attacks%20against%20Veeam%20backup%20servers\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=FIN7 tradecraft seen in attacks against Veeam backup servers&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/fin7-target-veeam-servers\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n 
           <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 
1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_3b68d9ef5fd9d6079dedb9642cda5d5a\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Neeraj Singh<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                                                <div class=\"wp-component-author-card \">\n 
   <div class=\"wp-component-author-card__media\">\n                    <img loading=\"lazy\" decoding=\"async\" width=\"1080\" height=\"1080\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2.jpg.webp\" class=\"wp-component-author-card__photo\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2.jpg.webp 1080w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-300x300.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-1024x1024.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-150x150.jpg.webp 150w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-768x768.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-447x447.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-700x700.jpg.webp 700w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/Mohammad-Kazem-Hassan-Nejad_WithSecure_2-146x146.jpg.webp 146w\" sizes=\"auto, (max-width: 1080px) 100vw, 1080px\" \/>            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Mohammad Kazem Hassan Nejad<\/h3>\n        \n                    <p class=\"wp-component-author-card__meta\">\n                Senior Threat Intelligence Researcher, WithSecure            <\/p>\n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container 
wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/fin7-target-veeam-servers\/&#038;title=FIN7%20tradecraft%20seen%20in%20attacks%20against%20Veeam%20backup%20servers\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=FIN7 tradecraft seen in attacks against Veeam backup servers&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/fin7-target-veeam-servers\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<h2>Updates:<\/h2>\n<p>28-04-2023 1100 UTC &#8211; We have 
reviewed and updated this blogpost to reflect our latest findings:<\/p>\n<ul>\n<li>We have added information regarding the file \u201c445.ps1\u201d, which was missing at the time of writing.<\/li>\n<li>We have updated this blogpost to broaden our attribution from FIN7 to FIN7 or a threat actor utilizing FIN7 tradecraft.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<h2>Introduction<\/h2>\n<p>WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup &amp; Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access &amp; execution was achieved through a recently patched Veeam Backup &amp; Replication vulnerability, CVE-2023-27532[1].<\/p>\n<p>FIN7 is a financially motivated cybercrime group with roots dating back to mid-2010s. The group has been involved in several high-profile, large-scale attacks over the years. The group\u2019s tradecraft and modus operandi have evolved over their multi-year history, developing new tools[2], expanding their operations[3], as well as affiliating with other threat actors[4].<\/p>\n<p>This blogpost provides an analysis of intrusions we have observed, along with a timeline of these attacks.<\/p>\n<p>&nbsp;<\/p>\n<h2><a id=\"_Toc133327368\" name=\"_Toc133327368\"><\/a>Initial activity<\/h2>\n<p>On 28<sup>th<\/sup>\u00a0March 2023, initial activity was observed across internet-facing servers running Veeam Backup &amp; Replication software. 
An SQL server process \u201csqlservr.exe\u201d related to the Veeam Backup instance executed a shell command, which performed in-memory download and execution of a PowerShell script. A database engine process such as sqlservr.exe spawning a command shell or PowerShell is rarely legitimate on a backup server, so this parent-child process relationship is a high-fidelity detection opportunity for the execution chain described below.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7367 size-large\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/veeam-1024x548.png.webp\" alt=\"\" width=\"1024\" height=\"548\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/veeam-1024x548.png.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/veeam-300x161.png.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/veeam-768x411.png.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/veeam-447x239.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/veeam-273x146.png.webp 273w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/veeam.png.webp 1112w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<\/div>\n<div class=\"image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--12 aem-GridColumn--offset--default--0\">\n<div id=\"image-5510a427c0\" class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image.coreimg.82{.width}.png\/1701089578846\/veeam.png\" data-cmp-hook-image=\"imageV3\"><img decoding=\"async\" class=\"cmp-image__image\" src=\"https:\/\/labs.withsecure.com\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image.coreimg.png\/1701089578846\/veeam.png\" srcset=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image.coreimg.82.480.png\/1701089578846\/veeam.png 
480w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image.coreimg.82.768.png\/1701089578846\/veeam.png 768w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image.coreimg.82.992.png\/1701089578846\/veeam.png 992w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image.coreimg.82.1280.png\/1701089578846\/veeam.png 1280w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image.coreimg.82.1920.png\/1701089578846\/veeam.png 1920w\" alt=\"\" \/>\u00a0<span class=\"cmp-image__title\">Figure 1. Example of shell command launched via sqlservr.exe<\/span><\/div>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<p>Our analysis found that all instances of these PowerShell scripts were POWERTRASH. POWERTRASH is an obfuscated loader written in PowerShell that has been attributed to FIN7. The script contains an embedded payload that is executed through reflective PE injection. The filenames (e.g. 
icsnd16_64refl.ps1, icbt11801_64refl.ps1) used for these PowerShell scripts were also (notably) identical to the naming convention reportedly used by FIN7[7]<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7368 size-full\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/example-of-powershell-snippet.png.webp\" alt=\"\" width=\"769\" height=\"642\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/example-of-powershell-snippet.png.webp 769w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/example-of-powershell-snippet-300x250.png.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/example-of-powershell-snippet-447x373.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/example-of-powershell-snippet-175x146.png.webp 175w\" sizes=\"auto, (max-width: 769px) 100vw, 769px\" \/><\/p>\n<\/div>\n<div class=\"image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--0\">\n<div id=\"image-2494c95eb0\" class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1374597733.coreimg.82{.width}.png\/1701089586538\/example-of-powershell-snippet.png\" data-cmp-hook-image=\"imageV3\"><img decoding=\"async\" class=\"cmp-image__image\" src=\"https:\/\/labs.withsecure.com\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1374597733.coreimg.png\/1701089586538\/example-of-powershell-snippet.png\" srcset=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1374597733.coreimg.82.480.png\/1701089586538\/example-of-powershell-snippet.png 
480w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1374597733.coreimg.82.768.png\/1701089586538\/example-of-powershell-snippet.png 768w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1374597733.coreimg.82.992.png\/1701089586538\/example-of-powershell-snippet.png 992w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1374597733.coreimg.82.1280.png\/1701089586538\/example-of-powershell-snippet.png 1280w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1374597733.coreimg.82.1920.png\/1701089586538\/example-of-powershell-snippet.png 1920w\" alt=\"\" \/>\u00a0<span class=\"cmp-image__title\">Figure 2: POWERTRASH<\/span><\/div>\n<div data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1374597733.coreimg.82{.width}.png\/1701089586538\/example-of-powershell-snippet.png\" data-cmp-hook-image=\"imageV3\"><\/div>\n<div class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1374597733.coreimg.82{.width}.png\/1701089586538\/example-of-powershell-snippet.png\" data-cmp-hook-image=\"imageV3\">In the past[2], POWERTRASH has been used to execute various payloads, including Carbanak, DICELOADER, and Cobalt Strike. The embedded payload in the incidents we observed in March was DICELOADER, also known as Lizar. DICELOADER is a backdoor linked to FIN7. 
The operators made use of DICELOADER to gain a foothold in compromised machines to conduct post-exploitation procedures.<\/div>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<p>The exact method used by the threat actor to invoke the initial shell commands remains unknown but was likely achieved through a recently patched Veeam Backup &amp; Replication vulnerability, CVE-2023-27532, which can provide unauthenticated access to a Veeam Backup &amp; Replication instance. However, as there were no concrete indicators to confirm these findings, this remains a low-to-medium confidence assessment based on the following:<\/p>\n<ul>\n<li>The affected servers had TCP open port 9401 exposed to the internet. This port is used for communication with the Veeam Backup Service over SSL. Network activity with an external IP address was observed over this port right before the shell command invocation by the SQL server instance process.<\/li>\n<li>CVE-2023-27532 was patched a few weeks prior to this campaign. Exploitation of this vulnerability requires communication over port 9401.<\/li>\n<li>The servers were running vulnerable versions of the software at the time of attack.<\/li>\n<li>A proof-of-concept[5] (POC) exploit was made publicly available a few days prior to the campaign, on 23<sup>rd<\/sup>\u00a0March 2023. The POC contains remote command execution functionality. The remote command execution, which is achieved through SQL shell commands, yields the same execution chain observed in this campaign.<\/li>\n<\/ul>\n<p>It is worth noting that a few days prior to the initial attack, additional suspicious activity was observed on the servers that we investigated. On 24<sup>th<\/sup>\u00a0March 2023, the SQL server process for Veeam backup instances executed another shell command to copy the \u201cWeb.config\u201d file located within Veeam Backup &amp; Replication program files to another file called \u201csystem.js\u201d. 
The exact reason for this shell command remains unknown and no strong evidence links this earlier activity to the intrusions. However, it is plausible that the earlier activity was performed by the threat actor to probe and identify internet-facing servers vulnerable to CVE-2023-27532 as part of large-scale vulnerability scanning, something that FIN7 has reportedly done in the past[7].<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7369 size-large\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/webconfig2-1024x271.png.webp\" alt=\"\" width=\"1024\" height=\"271\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/webconfig2-1024x271.png.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/webconfig2-300x79.png.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/webconfig2-768x203.png.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/webconfig2-1536x406.png.webp 1536w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/webconfig2-447x118.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/webconfig2-552x146.png.webp 552w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/webconfig2.png.webp 1611w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<\/div>\n<div class=\"image aem-GridColumn aem-GridColumn--default--12\">\n<div id=\"image-97ed920759\" class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_131635165.coreimg.82{.width}.png\/1682500249963\/webconfig2.png\" data-cmp-hook-image=\"imageV3\"><img decoding=\"async\" class=\"cmp-image__image\" title=\"Figure 3:Additional suspicious activity\" 
src=\"https:\/\/labs.withsecure.com\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_131635165.coreimg.png\/1682500249963\/webconfig2.png\" srcset=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_131635165.coreimg.82.480.png\/1682500249963\/webconfig2.png 480w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_131635165.coreimg.82.768.png\/1682500249963\/webconfig2.png 768w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_131635165.coreimg.82.992.png\/1682500249963\/webconfig2.png 992w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_131635165.coreimg.82.1280.png\/1682500249963\/webconfig2.png 1280w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_131635165.coreimg.82.1920.png\/1682500249963\/webconfig2.png 1920w\" alt=\"\" \/><\/div>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<h2><a id=\"_Toc133327369\" style=\"font-family: 'Titling Gothic FB', serif; font-size: 28px;\" name=\"_Toc133327369\"><\/a><span style=\"font-family: 'Titling Gothic FB', serif; font-size: 28px;\">Reconnaissance, Discovery, and Credential theft<\/span><\/h2>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<p>The threat actor used a series of commands as well as custom scripts to gather host and network information from the compromised machines. 
Some of these commands included:<\/p>\n<ul>\n<li>netstat\u00a0 \u00a0: Display all active TCP connections and listening ports<\/li>\n<li>tasklist\u00a0 \u00a0: Display all running processes<\/li>\n<li>ipconfig : Display all IP configurations<\/li>\n<\/ul>\n<p>Furthermore, a series of SQL commands were executed to steal information from the Veeam backup database.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7370 size-full\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/examples-of-credential-theft.png.webp\" alt=\"\" width=\"900\" height=\"432\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/examples-of-credential-theft.png.webp 900w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/examples-of-credential-theft-300x144.png.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/examples-of-credential-theft-768x369.png.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/examples-of-credential-theft-447x215.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/examples-of-credential-theft-304x146.png.webp 304w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<\/div>\n<div class=\"image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--0\">\n<div id=\"image-e16163c7f0\" class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1669908099.coreimg.82{.width}.png\/1682500324353\/examples-of-credential-theft.png\" data-cmp-hook-image=\"imageV3\"><img decoding=\"async\" class=\"cmp-image__image\" title=\"Figure 4:SQL commands\" 
src=\"https:\/\/labs.withsecure.com\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1669908099.coreimg.png\/1682500324353\/examples-of-credential-theft.png\" srcset=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1669908099.coreimg.82.480.png\/1682500324353\/examples-of-credential-theft.png 480w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1669908099.coreimg.82.768.png\/1682500324353\/examples-of-credential-theft.png 768w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1669908099.coreimg.82.992.png\/1682500324353\/examples-of-credential-theft.png 992w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1669908099.coreimg.82.1280.png\/1682500324353\/examples-of-credential-theft.png 1280w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1669908099.coreimg.82.1920.png\/1682500324353\/examples-of-credential-theft.png 1920w\" alt=\"\" \/><\/div>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<p>The threat actor also used a PowerShell script to retrieve stored credentials. 
The script content is identical to a code snippet shared online for retrieving passwords from Veeam Backup Servers[6].<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7372 size-full\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/credential-theft-script.png.webp\" alt=\"\" width=\"1011\" height=\"170\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/credential-theft-script.png.webp 1011w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/credential-theft-script-300x50.png.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/credential-theft-script-768x129.png.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/credential-theft-script-447x75.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/credential-theft-script-868x146.png.webp 868w\" sizes=\"auto, (max-width: 1011px) 100vw, 1011px\" \/><\/p>\n<\/div>\n<div class=\"image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--0\">\n<div id=\"image-3769cbbc37\" class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1731370055.coreimg.82{.width}.png\/1682495021276\/credential-theft-script.png\" data-cmp-hook-image=\"imageV3\"><img decoding=\"async\" class=\"cmp-image__image\" title=\"Figure 5:Script to retrieve passwords from server\" src=\"https:\/\/labs.withsecure.com\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1731370055.coreimg.png\/1682495021276\/credential-theft-script.png\" 
srcset=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1731370055.coreimg.82.480.png\/1682495021276\/credential-theft-script.png 480w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1731370055.coreimg.82.768.png\/1682495021276\/credential-theft-script.png 768w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1731370055.coreimg.82.992.png\/1682495021276\/credential-theft-script.png 992w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1731370055.coreimg.82.1280.png\/1682495021276\/credential-theft-script.png 1280w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1731370055.coreimg.82.1920.png\/1682495021276\/credential-theft-script.png 1920w\" alt=\"\" \/><\/div>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<p>A custom PowerShell script was executed through lateral movement to gather operating system information on the target through the usage of WMI. 
The content of the script and the execution method is identical to activity associated with FIN7[4].<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7371 size-large\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/analmolus2-1024x566.png.webp\" alt=\"\" width=\"1024\" height=\"566\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/analmolus2-1024x566.png.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/analmolus2-300x166.png.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/analmolus2-768x424.png.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/analmolus2-447x247.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/analmolus2-264x146.png.webp 264w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/analmolus2.png.webp 1202w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<\/div>\n<div class=\"image aem-GridColumn aem-GridColumn--default--12\">\n<div id=\"image-e9a42fe30b\" class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_253944286.coreimg.82{.width}.png\/1682500394900\/analmolus2.png\" data-cmp-hook-image=\"imageV3\"><img decoding=\"async\" class=\"cmp-image__image\" title=\"Figure 6: Recon\" src=\"https:\/\/labs.withsecure.com\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_253944286.coreimg.png\/1682500394900\/analmolus2.png\" srcset=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_253944286.coreimg.82.480.png\/1682500394900\/analmolus2.png 
480w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_253944286.coreimg.82.768.png\/1682500394900\/analmolus2.png 768w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_253944286.coreimg.82.992.png\/1682500394900\/analmolus2.png 992w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_253944286.coreimg.82.1280.png\/1682500394900\/analmolus2.png 1280w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_253944286.coreimg.82.1920.png\/1682500394900\/analmolus2.png 1920w\" alt=\"\" \/><\/div>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<p>To resolve the list of collected IP addresses to their respective host names, a custom PowerShell script, \u201chost_ip.ps1\u201d, was executed. The PowerShell script content is nearly identical to a code snippet shared online for resolving IP to Hostname with PowerShell[8]. 
The \u201chost_ip.ps1\u201d file name has reportedly been observed in FIN7\u2019s attack arsenal[7].<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7374 size-full\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/host-ip.png.webp\" alt=\"\" width=\"507\" height=\"878\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/host-ip.png.webp 507w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/host-ip-173x300.png.webp 173w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/host-ip-447x774.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/host-ip-84x146.png.webp 84w\" sizes=\"auto, (max-width: 507px) 100vw, 507px\" \/><\/p>\n<\/div>\n<div class=\"image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--0\">\n<div id=\"image-fd95934865\" class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_326092241.coreimg.82{.width}.png\/1682500452643\/host-ip.png\" data-cmp-hook-image=\"imageV3\"><img decoding=\"async\" class=\"cmp-image__image\" title=\"Figure 7: Script to resolve IPs to HostName\" src=\"https:\/\/labs.withsecure.com\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_326092241.coreimg.png\/1682500452643\/host-ip.png\" srcset=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_326092241.coreimg.82.480.png\/1682500452643\/host-ip.png 480w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_326092241.coreimg.82.768.png\/1682500452643\/host-ip.png 
768w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_326092241.coreimg.82.992.png\/1682500452643\/host-ip.png 992w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_326092241.coreimg.82.1280.png\/1682500452643\/host-ip.png 1280w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_326092241.coreimg.82.1920.png\/1682500452643\/host-ip.png 1920w\" alt=\"\" \/><\/div>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<p>An additional file called \u201c445.ps1\u201d was dropped and executed on the compromised Veeam backup servers. The retrieved script content functions as a port checker, which tests whether a port is open for a given address by attempting to establish a socket connection for a set of IP address and port pairs from an input file.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7373 size-full\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/445-ps1.png.webp\" alt=\"\" width=\"531\" height=\"360\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/445-ps1.png.webp 531w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/445-ps1-300x203.png.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/445-ps1-447x303.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/445-ps1-215x146.png.webp 215w\" sizes=\"auto, (max-width: 531px) 100vw, 531px\" \/><\/p>\n<\/div>\n<div class=\"image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--0\">\n<div id=\"image-10dc9f707e\" class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" 
data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1345152747.coreimg.82{.width}.png\/1682677817810\/445-ps1.png\" data-cmp-hook-image=\"imageV3\"><img decoding=\"async\" class=\"cmp-image__image\" title=\"Figure8: 445.ps1 code snippet\" src=\"https:\/\/labs.withsecure.com\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1345152747.coreimg.png\/1682677817810\/445-ps1.png\" srcset=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1345152747.coreimg.82.480.png\/1682677817810\/445-ps1.png 480w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1345152747.coreimg.82.768.png\/1682677817810\/445-ps1.png 768w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1345152747.coreimg.82.992.png\/1682677817810\/445-ps1.png 992w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1345152747.coreimg.82.1280.png\/1682677817810\/445-ps1.png 1280w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1345152747.coreimg.82.1920.png\/1682677817810\/445-ps1.png 1920w\" alt=\"\" \/><\/div>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<h2><a id=\"_Toc133327370\" name=\"_Toc133327370\"><\/a>Setting up persistence<\/h2>\n<p>A custom PowerShell script, \u201cgup18.ps1\u201d, was executed to set up an active foothold in the compromised machine by creating a persistence mechanism to execute DICELOADER on device startup. This script was hosted on an external file-hosting service \u201ctemp[.]sh\u201d. 
This unique PowerShell script has not been previously seen in the attack arsenal of FIN7, and we are now tracking it as POWERHOLD.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7376 size-full\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/gup18-code-snippet.png.webp\" alt=\"\" width=\"794\" height=\"879\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/gup18-code-snippet.png.webp 794w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/gup18-code-snippet-271x300.png.webp 271w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/gup18-code-snippet-768x850.png.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/gup18-code-snippet-447x495.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/gup18-code-snippet-132x146.png.webp 132w\" sizes=\"auto, (max-width: 794px) 100vw, 794px\" \/><\/p>\n<\/div>\n<div class=\"image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--0\">\n<div id=\"image-4cc1f6f6f1\" class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1987911711.coreimg.82{.width}.png\/1682677883524\/gup18-code-snippet.png\" data-cmp-hook-image=\"imageV3\"><img decoding=\"async\" class=\"cmp-image__image\" title=\"Figure 9. 
Code snippet of POWERHOLD\" src=\"https:\/\/labs.withsecure.com\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1987911711.coreimg.png\/1682677883524\/gup18-code-snippet.png\" srcset=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1987911711.coreimg.82.480.png\/1682677883524\/gup18-code-snippet.png 480w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1987911711.coreimg.82.768.png\/1682677883524\/gup18-code-snippet.png 768w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1987911711.coreimg.82.992.png\/1682677883524\/gup18-code-snippet.png 992w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1987911711.coreimg.82.1280.png\/1682677883524\/gup18-code-snippet.png 1280w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1987911711.coreimg.82.1920.png\/1682677883524\/gup18-code-snippet.png 1920w\" alt=\"\" \/><\/div>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<p>The PowerShell script drops 7 files, which are embedded in the script content, into a unique folder in %APPDATA%, and sets an autorun registry entry to establish persistence. 
The dropped files are:<\/p>\n<ul>\n<li>gup.exe \u2013 Legitimate GUP.exe binary (part of the Notepad++ application)<\/li>\n<li>gup.xml \u2013 Configuration file that\u2019s part of the GUP application<\/li>\n<li>libcurl.dll &#8211; .NET DLL file side-loaded by gup.exe<\/li>\n<li>JZ4qWKZW \u2013 Encoded DICELOADER payload that\u2019s loaded and executed by libcurl.dll<\/li>\n<li>jkBDfXaL.bat \u2013 Batch file that executes gup.exe<\/li>\n<li>0JNvHvAz.vbs \u2013 VBScript file that executes the batch file<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7375 size-large\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/cultloader-execution-chain-1024x572.png.webp\" alt=\"\" width=\"1024\" height=\"572\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/cultloader-execution-chain-1024x572.png.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/cultloader-execution-chain-300x168.png.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/cultloader-execution-chain-768x429.png.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/cultloader-execution-chain-1536x858.png.webp 1536w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/cultloader-execution-chain-447x250.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/cultloader-execution-chain-261x146.png.webp 261w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/cultloader-execution-chain.png.webp 1795w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<\/div>\n<div class=\"image aem-GridColumn aem-GridColumn--default--12\">\n<div id=\"image-df73d725ad\" class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" 
data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_629205053.coreimg.82{.width}.png\/1682677899670\/cultloader---execution-chain.png\" data-cmp-hook-image=\"imageV3\"><img decoding=\"async\" class=\"cmp-image__image\" title=\"Figure10: Execution chain of POWERHOLD\" src=\"https:\/\/labs.withsecure.com\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_629205053.coreimg.png\/1682677899670\/cultloader---execution-chain.png\" srcset=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_629205053.coreimg.82.480.png\/1682677899670\/cultloader---execution-chain.png 480w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_629205053.coreimg.82.768.png\/1682677899670\/cultloader---execution-chain.png 768w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_629205053.coreimg.82.992.png\/1682677899670\/cultloader---execution-chain.png 992w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_629205053.coreimg.82.1280.png\/1682677899670\/cultloader---execution-chain.png 1280w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_629205053.coreimg.82.1920.png\/1682677899670\/cultloader---execution-chain.png 1920w\" alt=\"\" \/><\/div>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<p>&nbsp;<\/p>\n<p>libcurl.dll, which is side-loaded by gup.exe, is a simple .NET loader that decodes and executes an on-disk payload that has been XORed. The on-disk payload filename as well as XOR key are hardcoded within the loader. 
This unique loader has not been previously seen in FIN7\u2019s attack arsenal, and we are now tracking it as DUBLOADER.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7378 size-full\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/libcurl-main-method.png.webp\" alt=\"\" width=\"950\" height=\"569\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/libcurl-main-method.png.webp 950w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/libcurl-main-method-300x180.png.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/libcurl-main-method-768x460.png.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/libcurl-main-method-447x268.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/libcurl-main-method-244x146.png.webp 244w\" sizes=\"auto, (max-width: 950px) 100vw, 950px\" \/><\/p>\n<\/div>\n<div class=\"image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--0\">\n<div id=\"image-4ce69dea6f\" class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1245759184.coreimg.82{.width}.png\/1682677914502\/libcurl-main-method.png\" data-cmp-hook-image=\"imageV3\"><img decoding=\"async\" class=\"cmp-image__image\" title=\"Figure11:DUBLOADER\" src=\"https:\/\/labs.withsecure.com\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1245759184.coreimg.png\/1682677914502\/libcurl-main-method.png\" srcset=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1245759184.coreimg.82.480.png\/1682677914502\/libcurl-main-method.png 
480w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1245759184.coreimg.82.768.png\/1682677914502\/libcurl-main-method.png 768w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1245759184.coreimg.82.992.png\/1682677914502\/libcurl-main-method.png 992w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1245759184.coreimg.82.1280.png\/1682677914502\/libcurl-main-method.png 1280w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1245759184.coreimg.82.1920.png\/1682677914502\/libcurl-main-method.png 1920w\" alt=\"\" \/><\/div>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<p>It is worth noting that the legitimate libcurl.dll used by GUP.exe is meant to be a native link library file, while the malicious variant used by the threat actor is a .NET DLL file. The crafted loader is designed to mimic the legitimate libcurl.dll file by including export function names found in the legitimate version and thus imported by the GUP executable. Only one of the export functions, namely \u201ccurl_easy_init\u201d contains malicious code. All other export functions are trivially implemented with \u201cretn 0\u201d instructions. The \u201ccurl_easy_init\u201d export function, which implements the malicious code, is the first function[9] from the library that is called by the GUP executable. 
Therefore, the malicious code is executed immediately when GUP.exe is launched.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7377 size-full\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/libcurl-exports.png.webp\" alt=\"\" width=\"679\" height=\"351\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/libcurl-exports.png.webp 679w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/libcurl-exports-300x155.png.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/libcurl-exports-447x231.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/libcurl-exports-282x146.png.webp 282w\" sizes=\"auto, (max-width: 679px) 100vw, 679px\" \/><\/p>\n<\/div>\n<div class=\"image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--0\">\n<div id=\"image-603827be52\" class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_515685002.coreimg.82{.width}.png\/1682677929515\/libcurl-exports.png\" data-cmp-hook-image=\"imageV3\"><img decoding=\"async\" class=\"cmp-image__image\" title=\"Figure 12: DUBLOADER export functions\" src=\"https:\/\/labs.withsecure.com\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_515685002.coreimg.png\/1682677929515\/libcurl-exports.png\" srcset=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_515685002.coreimg.82.480.png\/1682677929515\/libcurl-exports.png 480w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_515685002.coreimg.82.768.png\/1682677929515\/libcurl-exports.png 
768w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_515685002.coreimg.82.992.png\/1682677929515\/libcurl-exports.png 992w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_515685002.coreimg.82.1280.png\/1682677929515\/libcurl-exports.png 1280w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_515685002.coreimg.82.1920.png\/1682677929515\/libcurl-exports.png 1920w\" alt=\"\" \/><\/div>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<h2><a id=\"_Toc133327371\" name=\"_Toc133327371\"><\/a>Lateral Movement<\/h2>\n<p>The threat actor performed a series of remote WMI method invocations as well as \u2018net share\u2019 commands to test for lateral movement on a target host with the exfiltrated credentials. A few hours after issuing these commands, the threat actor returned to perform a successful lateral movement.<\/p>\n<p>Lateral tool transfer was achieved through the usage of SMB to drop two PowerShell scripts into the remote host\u2019s ADMIN$ share. 
Execution was achieved through remote service creation.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7380 size-full\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/remote-service-creation.png.webp\" alt=\"\" width=\"841\" height=\"517\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/remote-service-creation.png.webp 841w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/remote-service-creation-300x184.png.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/remote-service-creation-768x472.png.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/remote-service-creation-447x275.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/remote-service-creation-237x146.png.webp 237w\" sizes=\"auto, (max-width: 841px) 100vw, 841px\" \/><\/p>\n<\/div>\n<div class=\"image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--0\">\n<div id=\"image-b77bf2644c\" class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_910682558.coreimg.82{.width}.png\/1682677944116\/remote-service-creation.png\" data-cmp-hook-image=\"imageV3\"><img decoding=\"async\" class=\"cmp-image__image\" title=\"Figure 13: Remote Service execution\" src=\"https:\/\/labs.withsecure.com\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_910682558.coreimg.png\/1682677944116\/remote-service-creation.png\" srcset=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_910682558.coreimg.82.480.png\/1682677944116\/remote-service-creation.png 
480w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_910682558.coreimg.82.768.png\/1682677944116\/remote-service-creation.png 768w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_910682558.coreimg.82.992.png\/1682677944116\/remote-service-creation.png 992w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_910682558.coreimg.82.1280.png\/1682677944116\/remote-service-creation.png 1280w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_910682558.coreimg.82.1920.png\/1682677944116\/remote-service-creation.png 1920w\" alt=\"\" \/><\/div>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<p>The threat actor launched a custom PowerShell script (explained above) to gather information about the target host. This was followed by the execution of a second PowerShell script, which was another POWERTRASH sample. This script performed remote injection into the \u2018PlugPlay\u2019 service, which made a network connection to a remote host on port 443. While we were unable to fetch the full contents of the secondary script to determine the exact payload used, we believe the payload was likely another backdoor\/command-and-control agent (e.g., a Cobalt Strike beacon). 
The command line patterns were previously seen in activity associated with FIN7[4].<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7379 size-large\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/process-injection-1024x831.png.webp\" alt=\"\" width=\"1024\" height=\"831\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/process-injection-1024x831.png.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/process-injection-300x243.png.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/process-injection-768x623.png.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/process-injection-447x363.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/process-injection-180x146.png.webp 180w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/process-injection.png.webp 1152w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<\/div>\n<div class=\"image aem-GridColumn aem-GridColumn--default--12\">\n<h2 id=\"image-30d044467b\" class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_1186650828.coreimg.82{.width}.png\/1682677963246\/process-injection.png\" data-cmp-hook-image=\"imageV3\"><a id=\"_Toc133327372\" style=\"font-family: 'Titling Gothic FB', serif; font-size: 28px;\" name=\"_Toc133327372\"><\/a><span style=\"font-family: 'Titling Gothic FB', serif; font-size: 28px;\">Outlook and Implications<\/span><\/h2>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<p>WithSecure Intelligence has so far identified two instances of such attacks conducted by FIN7 or a threat actor utilizing FIN7 tradecraft. 
As the initial activity across both instances was initiated from the same public IP address on the same day, it is likely that these incidents were part of a larger campaign. However, given the probable rarity of Veeam backup servers with TCP port 9401 publicly exposed, we believe the scope of this attack is limited.<\/p>\n<p>Nonetheless, we advise affected companies to follow the recommendations and guidelines to patch and configure their backup servers appropriately as outlined in KB4424: CVE-2023-27532[1]. The information in this report as well as our IOCs GitHub repository[10] can also help organizations look for signs of compromise.<\/p>\n<p>The goal of these attacks was unclear at the time of writing, as they were mitigated before fully materializing. However, the research sheds additional light on FIN7, their tradecraft, and potential affiliations for future research.<\/p>\n<p>WithSecure\u2122 Elements\u00a0<a href=\"https:\/\/www.withsecure.com\/en\/solutions\/software-and-services\/elements#trial\">Endpoint Detection and Response<\/a>\u00a0as well as WithSecure\u2122\u00a0<a href=\"https:\/\/www.withsecure.com\/en\/solutions\/managed-services\/countercept\">Countercept Detection and Response<\/a>\u00a0detects multiple stages of the attack lifecycle. These will generate incidents with detailed detections. WithSecure\u2122 Elements Endpoint protection offers multiple detections that detect the malware and its behavior. Ensure that real-time protection as well as DeepGuard are enabled. 
You may run a full scan on your endpoint.<\/p>\n<p>If you believe your business has been targeted or fallen victim to this or similar attacks and require assistance, you can reach out to our 24\/7 incident\u00a0<a href=\"https:\/\/www.withsecure.com\/en\/about-us\/company-contacts\/24-7-incident-hotline\">hotline<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<h2><a id=\"_Toc133327373\" name=\"_Toc133327373\"><\/a>Incidents\u2019 timeline breakdown<\/h2>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7381 size-large\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident1-new-789x1024.png.webp\" alt=\"\" width=\"789\" height=\"1024\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident1-new-789x1024.png.webp 789w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident1-new-231x300.png.webp 231w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident1-new-768x997.png.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident1-new-1183x1536.png.webp 1183w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident1-new-1577x2048.png.webp 1577w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident1-new-447x580.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident1-new-112x146.png.webp 112w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident1-new.png.webp 1920w\" sizes=\"auto, (max-width: 789px) 100vw, 789px\" \/><\/h2>\n<\/div>\n<div class=\"image aem-GridColumn aem-GridColumn--default--12\">\n<div id=\"image-b63ebffcfd\" class=\"cmp-image\" data-cmp-is=\"image\" data-cmp-widths=\"480,768,992,1280,1920\" data-cmp-src=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_725326517.coreimg.82{.width}.png\/1682677996309\/incident1-new.png\" data-cmp-hook-image=\"imageV3\"><img decoding=\"async\" 
class=\"cmp-image__image\" title=\"Figure15: Incident with Lateral movement\" src=\"https:\/\/labs.withsecure.com\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_725326517.coreimg.png\/1682677996309\/incident1-new.png\" srcset=\"\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_725326517.coreimg.82.480.png\/1682677996309\/incident1-new.png 480w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_725326517.coreimg.82.768.png\/1682677996309\/incident1-new.png 768w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_725326517.coreimg.82.992.png\/1682677996309\/incident1-new.png 992w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_725326517.coreimg.82.1280.png\/1682677996309\/incident1-new.png 1280w,\/publications\/fin7-target-veeam-servers\/_jcr_content\/root\/responsivegrid\/responsivegrid\/responsivegrid\/image_725326517.coreimg.82.1920.png\/1682677996309\/incident1-new.png 1920w\" alt=\"\" \/><\/div>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<h3><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-7382 size-large\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident2-new-1024x1020.png.webp\" alt=\"\" width=\"1024\" height=\"1020\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident2-new-1024x1020.png.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident2-new-300x300.png.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident2-new-150x150.png.webp 150w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident2-new-768x765.png.webp 768w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident2-new-1536x1530.png.webp 1536w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident2-new-447x445.png.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident2-new-147x146.png.webp 147w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/incident2-new.png.webp 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/h3>\n<h3><\/h3>\n<h3><\/h3>\n<h2><a id=\"_Toc133327374\" style=\"font-family: 'Titling Gothic FB', serif; font-size: 24px;\" name=\"_Toc133327374\"><\/a><span style=\"font-family: 'Titling Gothic FB', serif; font-size: 24px;\">Indicators of Compromise (IOCs)<\/span><\/h2>\n<\/div>\n<div class=\"text parbase aem-GridColumn aem-GridColumn--default--12\">\n<p><a href=\"https:\/\/github.com\/WithSecureLabs\/iocs\/tree\/master\/FIN7VEEAM\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/WithSecureLabs\/iocs\/tree\/master\/FIN7VEEAM<\/a><\/p>\n<h2><a id=\"_Toc133327374\" name=\"_Toc133327374\"><\/a>References<\/h2>\n<p>[1]\u00a0<a href=\"https:\/\/www.veeam.com\/kb4424\" target=\"_blank\" rel=\"noopener\">https:\/\/www.veeam.com\/kb4424<\/a><\/p>\n<p>[2]\u00a0<a href=\"https:\/\/www.mandiant.com\/resources\/blog\/evolution-of-fin7\" target=\"_blank\" rel=\"noopener\">https:\/\/www.mandiant.com\/resources\/blog\/evolution-of-fin7<\/a><\/p>\n<p>[3]\u00a0<a href=\"https:\/\/www.crowdstrike.com\/blog\/carbon-spider-embraces-big-game-hunting-part-1\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.crowdstrike.com\/blog\/carbon-spider-embraces-big-game-hunting-part-1\/<\/a><\/p>\n<p>[4]\u00a0<a href=\"https:\/\/www.sentinelone.com\/wp-content\/uploads\/2022\/11\/S1_-SentinelLabs_BlackBasta_02.pdf\" target=\"_blank\" rel=\"noopener\">https:\/\/www.sentinelone.com\/wp-content\/uploads\/2022\/11\/S1_-SentinelLabs_BlackBasta_02.pdf<\/a><\/p>\n<p>[5]\u00a0<a href=\"https:\/\/github.com\/sfewer-r7\/CVE-2023-27532\" 
target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/sfewer-r7\/CVE-2023-27532<\/a><\/p>\n<p>[6]\u00a0<a href=\"https:\/\/www.pwndefend.com\/2021\/02\/15\/retrieving-passwords-from-veeam-backup-servers\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.pwndefend.com\/2021\/02\/15\/retrieving-passwords-from-veeam-backup-servers\/<\/a><\/p>\n<p>[7]\u00a0<a href=\"https:\/\/www.prodaft.com\/m\/reports\/FIN7_TLPCLEAR.pdf\" target=\"_blank\" rel=\"noopener\">https:\/\/www.prodaft.com\/m\/reports\/FIN7_TLPCLEAR.pdf<\/a><\/p>\n<p>[8]\u00a0<a href=\"https:\/\/www.fortypoundhead.com\/showcontent.asp?artid=24022\" target=\"_blank\" rel=\"noopener\">https:\/\/www.fortypoundhead.com\/showcontent.asp?artid=24022<\/a><\/p>\n<p>[9]\u00a0<a href=\"https:\/\/curl.se\/libcurl\/c\/curl_easy_init.html\" target=\"_blank\" rel=\"noopener\">https:\/\/curl.se\/libcurl\/c\/curl_easy_init.html<\/a><\/p>\n<p>[10]\u00a0<a href=\"https:\/\/github.com\/WithSecureLabs\/iocs\/tree\/master\/FIN7VEEAM\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/WithSecureLabs\/iocs\/tree\/master\/FIN7VEEAM<\/a><\/p>\n<\/div>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a 
js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup &#038; Replication software.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[310,312],"labs_content_type":[313,331],"class_list":["post-10434","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-threat-intelligence"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span 
class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">FIN7 tradecraft seen in attacks against Veeam backup servers<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup &amp; Replication software.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/fin7-target-veeam-servers\/\">Mehr erfahren<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/lab_item\/10434","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/media?parent=10434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/categories?post=10434"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/labs_content_type?post=10434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}