โ† Back to Dashboard
May 03, 2026

Daily Threat Report — French Financial Sector

8 IOCs | 3 TTPs | 2 KQL Queries
Executive Summary

French financial institutions face active threats from financially motivated APT groups leveraging phishing campaigns, known C2 infrastructure, and critical vulnerabilities in widely deployed software. Immediate hunting and defensive actions are required to mitigate exposure to TA505, FIN7, and Lazarus Group activity.

#1

Active C2 Infrastructure and Meta-Themed Phishing Campaign Targeting Financial Sector

Severity: CRITICAL | Actor: TA505

TA505, known for targeting financial institutions globally including French banks, is actively leveraging phishing URLs mimicking Meta invoice and advertising programs to harvest credentials and deliver malware. Multiple C2 IPs are actively observed in conjunction with this campaign infrastructure.

🔴 Indicators of Compromise
IP 162.243.103.246 Active C2 server
IP 50.16.16.211 Active C2 server
URL https://meta-user.invoice-ads-program.com/ Meta-themed phishing lure
URL https://meta-customer.invoice-ads-program.com/ Meta-themed phishing lure
URL https://meta-subscriber.invoice-ads-program.com/ Meta-themed phishing lure
URL http://confirmation.center-meta-agency.com/ Meta-themed phishing lure
🟣 MITRE ATT&CK TTPs
T1566.002 Spearphishing Link
T1071.001 Web Protocols
T1078 Valid Accounts
🟢 Hunt Queries
MDE: Detect Connections to TA505 C2 IPs

Identifies any device communicating with known TA505 C2 infrastructure over the past 7 days.

DeviceNetworkEvents
| where RemoteIP in ('162.243.103.246','50.16.16.211','34.204.119.63','178.62.3.223','27.133.154.218')
| where Timestamp > ago(7d)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine

SENTINEL: Detect Meta Phishing Domain Access

Identifies users accessing known Meta-themed phishing domains linked to TA505.

CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DestinationHostName has_any ('invoice-ads-program.com','center-meta-agency.com')
| project TimeGenerated, SourceIP, DestinationHostName, DestinationIP, RequestURL
✅ Recommended Actions
→ Block the domains meta-user.invoice-ads-program.com, meta-customer.invoice-ads-program.com, meta-subscriber.invoice-ads-program.com, and confirmation.center-meta-agency.com at proxy and DNS level immediately.
→ Block C2 IPs 162.243.103.246 and 50.16.16.211 at the perimeter firewall and in SIEM alerting rules.
→ Deploy email gateway rules to flag or quarantine messages containing invoice-ads-program.com links targeting financial staff.
#2

Exploitation of ConnectWise ScreenConnect and Linux Kernel Vulnerabilities for Financial Intrusion

Severity: CRITICAL | Actor: Lazarus Group

Lazarus Group, a North Korean state-sponsored actor with a strong focus on financial theft, is known to exploit remote access tool vulnerabilities such as ConnectWise ScreenConnect (CVE-2024-1709/1708) to gain persistent access to financial institution networks. The concurrent CISA advisory for Linux Kernel vulnerabilities further expands the attack surface for lateral movement post-exploitation.

🔴 Indicators of Compromise
IP 34.204.119.63 Active C2 server
IP 178.62.3.223 Active C2 server
VULNERABILITY ConnectWise ScreenConnect CVE-2024-1709 CISA-advised critical authentication bypass
VULNERABILITY Linux Kernel CVE CISA-advised kernel privilege escalation
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1068 Exploitation for Privilege Escalation
T1021.001 Remote Desktop Protocol
🟢 Hunt Queries
MDE: Detect ScreenConnect Exploitation Indicators

Identifies suspicious child processes spawned by ScreenConnect that may indicate exploitation activity.

DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ 'ScreenConnect.ClientService.exe' or InitiatingProcessFileName =~ 'ScreenConnect.WindowsClient.exe'
| where FileName in ('cmd.exe','powershell.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe')
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName

SENTINEL: Detect C2 Traffic to Lazarus-Linked IPs

Flags outbound connections to Lazarus Group-associated C2 infrastructure from internal hosts.

CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DestinationIP in ('34.204.119.63','178.62.3.223')
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, ApplicationProtocol, DeviceAction
✅ Recommended Actions
→ Apply ConnectWise ScreenConnect patches immediately (CVE-2024-1709/CVE-2024-1708) and audit all ScreenConnect instances exposed to the internet.
→ Apply all available Linux kernel security patches across servers hosting financial applications and restrict kernel module loading.
→ Block C2 IPs 34.204.119.63 and 178.62.3.223 at the network perimeter and hunt for existing connections in SIEM logs.
#3

cPanel/WHM and WordPress Exploitation Supporting FIN7 Financial Data Harvesting

Severity: HIGH | Actor: FIN7

FIN7 is actively exploiting vulnerabilities in cPanel & WHM and WordPress (WP2) as highlighted in the current CISA advisory, targeting web-facing infrastructure to deploy skimmers and exfiltrate payment card data from financial services. Weebly-hosted phishing pages observed in current data indicate a parallel social engineering effort to supplement exploitation-based initial access.

🔴 Indicators of Compromise
IP 27.133.154.218 Active C2 server
URL http://my-site-106195-102460.weeblysite.com/ FIN7-linked phishing page
URL http://my-site-106282-103757.weeblysite.com/ FIN7-linked phishing page
URL http://datmymega.com/ Suspicious redirect/payload delivery site
VULNERABILITY cPanel & WHM / WP2 WebPros CISA-advised critical vulnerability in web hosting platforms
🟣 MITRE ATT&CK TTPs
T1595.002 Vulnerability Scanning
T1056.003 Web Portal Capture
T1566.003 Spearphishing via Service
🟢 Hunt Queries
MDE: Detect Access to FIN7 Phishing and Payload Domains

Identifies endpoint connections to Weebly-hosted phishing pages and suspicious payload delivery sites associated with FIN7.

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ('my-site-106195-102460.weeblysite.com','my-site-106282-103757.weeblysite.com','datmymega.com')
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessAccountName

SENTINEL: Detect Connections to FIN7 C2 and Phishing Infrastructure

Flags outbound traffic to the FIN7-associated C2 IP and known phishing delivery domains.

union CommonSecurityLog, DnsEvents
| where TimeGenerated > ago(7d)
| where (DestinationIP == '27.133.154.218') or (Name has_any ('weeblysite.com','datmymega.com','789greeting.com'))
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, Name
✅ Recommended Actions
→ Patch all cPanel, WHM, and WordPress instances immediately per the CISA advisory and audit for signs of webshell or skimmer injection.
→ Block the Weebly phishing domains my-site-106195-102460.weeblysite.com and my-site-106282-103757.weeblysite.com, and datmymega.com, at DNS and proxy layers.
→ Block C2 IP 27.133.154.218 at the perimeter firewall and conduct retroactive log analysis for data exfiltration indicators.
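As an added example (not part of the report), a small Python hunt that applies the domain and IP indicators from sections #1 and #3 to constructed proxy log lines. It matches domains label by label, so the Meta-themed lure subdomains are caught while a look-alike such as notinvoice-ads-program.com (constructed for the test) is not flagged the way a plain substring check would flag it. The CSV column names are an assumption.

```python
import csv
import io
from urllib.parse import urlsplit

# Indicators copied from the report above; the log lines below are constructed.
C2_IPS = {"162.243.103.246", "50.16.16.211", "34.204.119.63",
          "178.62.3.223", "27.133.154.218"}
PHISH_DOMAINS = {
    "invoice-ads-program.com": "TA505 Meta-themed lure",
    "center-meta-agency.com": "TA505 Meta-themed lure",
    "my-site-106195-102460.weeblysite.com": "FIN7 phishing page",
    "my-site-106282-103757.weeblysite.com": "FIN7 phishing page",
    "datmymega.com": "FIN7 payload/redirect site",
}

def match_domain(host):
    """Return the indicator that host equals or is a subdomain of, else None."""
    # Compare whole labels, so a look-alike such as notinvoice-ads-program.com
    # is not flagged the way a plain substring or endswith() check would.
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PHISH_DOMAINS:
            return candidate
    return None

def hunt(log_text):
    """Scan proxy CSV rows (ts,src_ip,dst_ip,url); return (ts, src, host, reason)."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        host = urlsplit(row["url"]).hostname or ""
        reasons = []
        if row["dst_ip"] in C2_IPS:
            reasons.append("C2 IP " + row["dst_ip"])
        ioc = match_domain(host)
        if ioc:
            reasons.append(PHISH_DOMAINS[ioc] + " (" + ioc + ")")
        if reasons:
            hits.append((row["ts"], row["src_ip"], host, "; ".join(reasons)))
    return hits

# Constructed sample log: row 1 is a lure subdomain, row 3 a look-alike that
# must not match, row 4 a direct connection to a report C2 IP.
SAMPLE_LOG = """ts,src_ip,dst_ip,url
2026-05-03T08:01:00Z,10.1.2.3,203.0.113.10,https://meta-user.invoice-ads-program.com/
2026-05-03T08:02:00Z,10.1.2.4,203.0.113.11,https://www.example.org/
2026-05-03T08:03:00Z,10.1.2.5,203.0.113.12,https://notinvoice-ads-program.com/
2026-05-03T08:04:00Z,10.1.2.6,162.243.103.246,http://162.243.103.246/
"""
```

Running hunt(SAMPLE_LOG) returns two hits (rows 1 and 4); the proxy CSV can be swapped for a real export as long as the four columns are present.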