May 05, 2026

Daily Threat Report: French Financial Sector

Executive Summary

French financial institutions face elevated risk from financially motivated threat actors, including FIN7 and TA505, leveraging active C2 infrastructure and credential-harvesting phishing campaigns. Critical vulnerabilities in the Linux kernel, cPanel/WHM and ConnectWise ScreenConnect widen the attack surface for initial access and lateral movement.

#1

FIN7 Active C2 Infrastructure Targeting Financial Endpoints

CRITICAL FIN7

FIN7, a sophisticated financially motivated threat actor, is actively operating C2 nodes known to target banking and financial services organizations across Europe. Immediate blocking and hunting across network telemetry is advised to detect beaconing activity from compromised endpoints.

🔴 Indicators of Compromise
IP 162.243.103.246 Active FIN7 C2 server
IP 50.16.16.211 Active FIN7 C2 server
IP 34.204.119.63 Active FIN7 C2 server
URL http://invest.credits-center.com/ Financial fraud phishing lure targeting investment credentials
URL https://closingaccountportaldata.weebly.com/ Account closure phishing portal harvesting banking credentials
🟣 MITRE ATT&CK TTPs
T1566.001 Phishing: Spearphishing Attachment
T1071.001 Application Layer Protocol: Web Protocols
T1078 Valid Accounts
🟢 Hunt Queries
MDE Detect FIN7 C2 Beacon Connections

Lists outbound connections from any onboarded device to the three FIN7 C2 addresses in the last 7 days. Column names follow the Sentinel (Log Analytics) schema; when running this or the other MDE queries below directly in the Defender portal's Advanced Hunting, replace TimeGenerated with Timestamp. Pivot on InitiatingProcessFileName and InitiatingProcessCommandLine: a browser touching a lure once looks very different from a non-browser process connecting on a fixed interval.

DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
SENTINEL Detect FIN7 C2 Traffic via CommonSecurityLog

Searches firewall and proxy events ingested as CEF/Syslog into CommonSecurityLog for outbound connections to the same FIN7 C2 addresses. DeviceAction shows whether the connection was allowed or blocked; a blocked attempt still identifies a host that tried to reach the C2 and needs triage.

CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DestinationIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63')
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, ApplicationProtocol
| order by TimeGenerated desc
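The two queries above return every connection to a C2 address; what separates a beaconing implant from a single accidental hit is the regularity of the connection interval. The following is an added example, not code from the report: it reproduces the IOC filter of the MDE query and adds an inter-arrival regularity score over DeviceNetworkEvents-shaped records. The device names, process names, timings and thresholds are constructed assumptions, not real telemetry.

```python
"""Beaconing check over DeviceNetworkEvents-style records.

Added example, not code from the report: it reproduces the IOC filter of the
queries above and adds an inter-arrival regularity score. The records below are
constructed sample telemetry, not real events.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

# C2 addresses from the report's IOC table for item #1.
FIN7_C2_IPS = {"162.243.103.246", "50.16.16.211", "34.204.119.63"}


def _event(ts, device, ip, proc):
    # Subset of the DeviceNetworkEvents columns the MDE query projects.
    return {"TimeGenerated": ts, "DeviceName": device, "RemoteIP": ip,
            "RemotePort": 443, "InitiatingProcessFileName": proc}


def build_sample_events():
    """Constructed sample: device names, process names and timings are invented."""
    base = datetime(2026, 5, 4, 9, 0, 0)
    events = []
    # FR-WKS-A: 12 connections to a FIN7 C2 roughly every 60 s (+/- 2 s jitter).
    for i, j in enumerate([0, 1, -2, 2, 0, -1, 1, 2, -2, 0, 1, -1]):
        events.append(_event(base + timedelta(seconds=60 * i + j),
                             "FR-WKS-A", "162.243.103.246", "rundll32.exe"))
    # FR-WKS-B: three irregular hits on another C2 (e.g. a user clicking a lure).
    for off in (0, 913, 5200):
        events.append(_event(base + timedelta(seconds=off),
                             "FR-WKS-B", "50.16.16.211", "chrome.exe"))
    # FR-SRV-C: regular traffic to a non-IOC address (TEST-NET-3); the IOC filter ignores it.
    for i in range(12):
        events.append(_event(base + timedelta(seconds=60 * i),
                             "FR-SRV-C", "203.0.113.10", "svchost.exe"))
    return events


def find_ioc_connections(events, ioc_ips=FIN7_C2_IPS):
    """Equivalent of `where RemoteIP in (...)`, grouped by (DeviceName, RemoteIP)."""
    hits = defaultdict(list)
    for ev in events:
        if ev["RemoteIP"] in ioc_ips:
            hits[(ev["DeviceName"], ev["RemoteIP"])].append(ev)
    return dict(hits)


def score_beaconing(hits, min_connections=8, max_cv=0.2):
    """Flag pairs whose inter-arrival times are regular enough to look like a beacon.

    cv = stdev / mean of the gaps between consecutive connections; a sleep-with-jitter
    implant yields a small cv, interactive browsing does not. The thresholds are
    assumed starting points, not tuned values.
    """
    results = {}
    for key, evs in hits.items():
        times = sorted(ev["TimeGenerated"] for ev in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        row = {"connections": len(evs), "beacon": False,
               "median_gap_s": None, "cv": None,
               "processes": sorted({ev["InitiatingProcessFileName"] for ev in evs})}
        if len(evs) >= min_connections and gaps:
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg > 0 else float("inf")
            row.update(median_gap_s=median(gaps), cv=round(cv, 3), beacon=cv <= max_cv)
        results[key] = row
    return results


def beaconing_devices(events):
    """Device names showing beacon-like traffic to a FIN7 C2 (triage these first)."""
    scored = score_beaconing(find_ioc_connections(events))
    return sorted(dev for (dev, _ip), row in scored.items() if row["beacon"])


if __name__ == "__main__":
    sample = build_sample_events()
    for key, row in score_beaconing(find_ioc_connections(sample)).items():
        print(key, row)
    print("beaconing:", beaconing_devices(sample))
```

Dropping the IOC filter in find_ioc_connections turns this into a generic beacon hunt across all destinations, which is how unknown C2 gets found; expect far more noise from update agents and monitoring, so keep the process name in the output for triage.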
✅ Recommended Actions
→ Immediately block all three C2 IPs at perimeter firewall and proxy layers
→ Deploy the KQL hunting queries across MDE and Sentinel to identify beaconing hosts
→ Reset credentials for every account that was active on a host that communicated with the C2 IPs, and revoke its existing sessions and tokens
→ Block the two phishing domains at the email gateway and DNS filtering layers
#2

TA505 Phishing Campaign Harvesting Financial and Meta Business Credentials

HIGH TA505

TA505 is conducting multi-lure phishing campaigns impersonating major brands, including Meta Business and financial investment portals, to harvest credentials from French financial sector employees. The campaign is hosted on disposable, free-tier infrastructure (GitHub Pages, Vercel, Wasmer, Weebly) that is cheap to rebuild after takedowns, so individual URLs rotate quickly and exact-URL blocking lags the campaign.

🔴 Indicators of Compromise
URL https://meta-business.invoice-ads-process.com/ Meta Business impersonation phishing page targeting corporate credentials
URL http://newemessageimportantmain.wasmer.app/fansedge Credential harvesting phishing page using serverless hosting
URL https://rahul010620.github.io/amazon-clone/ Amazon clone phishing site for credential theft
URL http://amazon-clone-red-seven.vercel.app/ Amazon impersonation phishing hosted on Vercel
URL http://debi357.github.io/Netflix-clone-website Netflix clone credential harvesting phishing page
IP 178.62.3.223 TA505 associated C2 server
🟣 MITRE ATT&CK TTPs
T1566.002 Phishing: Spearphishing Link
T1583.006 Acquire Infrastructure: Web Services
T1056.003 Input Capture: Web Portal Capture
🟢 Hunt Queries
MDE Detect Access to TA505 Phishing Domains

Identifies DNS lookups or web requests from onboarded devices to the phishing hosts listed above (RemoteUrl is populated for connections where the URL or hostname is observed; has_any is a case-insensitive substring match). The list deliberately also carries the FIN7 lures from item #1. Note that shaw211.weebly.com appears only in this query and not in any IOC table above, so confirm it before adding it to block lists.

DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where RemoteUrl has_any ('meta-business.invoice-ads-process.com', 'newemessageimportantmain.wasmer.app', 'amazon-clone-red-seven.vercel.app', 'rahul010620.github.io', 'debi357.github.io', 'closingaccountportaldata.weebly.com', 'shaw211.weebly.com', 'invest.credits-center.com')
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessAccountName
| order by TimeGenerated desc
SENTINEL Detect Phishing Domain Visits via Proxy Logs

Hunts for employee access to TA505 phishing URLs captured in proxy or web filtering logs.

CommonSecurityLog
| where TimeGenerated > ago(7d)
| where RequestURL has_any ('meta-business.invoice-ads-process.com', 'newemessageimportantmain.wasmer.app', 'amazon-clone-red-seven.vercel.app', 'closingaccountportaldata.weebly.com', 'invest.credits-center.com')
| project TimeGenerated, SourceUserName, SourceIP, RequestURL, DeviceAction
| order by TimeGenerated desc
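Because the campaign rotates URLs on free hosting, an exact-IOC match catches only the lures already known. The following is an added example, not code from the report: it runs a two-tier hunt over proxy-log style lines, first matching the exact hosts from the IOC tables of items #1 and #2, then flagging brand keywords on the disposable hosting platforms those IOCs sit on. The log format, user names and keyword list are constructed assumptions; the hosts and platforms come from the IOC tables.

```python
"""Two-tier phishing URL hunt over proxy-log style records.

Added example, not code from the report. Tier one matches the exact hosts from the
IOC tables (items #1 and #2); tier two flags brand keywords on the disposable
hosting platforms the campaign abuses, because rotated URLs will not be in any IOC
list. The keyword list, log format and users are assumptions / constructed data.
"""
from urllib.parse import urlsplit

# Exact hosts from the report's IOC tables.
PHISHING_HOSTS = {
    "meta-business.invoice-ads-process.com",
    "newemessageimportantmain.wasmer.app",
    "rahul010620.github.io",
    "amazon-clone-red-seven.vercel.app",
    "debi357.github.io",
    "closingaccountportaldata.weebly.com",
    "invest.credits-center.com",
}
# Platforms seen in the IOC list; any subdomain under them is attacker-controllable for free.
DISPOSABLE_SUFFIXES = (".github.io", ".vercel.app", ".wasmer.app", ".weebly.com")
# Assumed triage keywords taken from the lure descriptions; tune to local brands.
BRAND_KEYWORDS = ("amazon", "netflix", "meta-business", "invoice", "closingaccount")


def _parts(url):
    """Lower-cased host and path; tolerates bare hosts, ports and trailing dots."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlsplit(url)
    host = (parsed.hostname or "").rstrip(".").lower()
    return host, parsed.path.lower()


def classify_url(url):
    """Return ('ioc' | 'suspect' | 'clean', host) for one URL."""
    host, path = _parts(url)
    if host in PHISHING_HOSTS:
        return "ioc", host
    if host.endswith(DISPOSABLE_SUFFIXES):
        if any(k in host or k in path for k in BRAND_KEYWORDS):
            return "suspect", host
    return "clean", host


# Constructed proxy-log lines: "<timestamp> <user> <source ip> <url> <action>".
SAMPLE_PROXY_LOG = """\
2026-05-04T08:12:01Z alice 10.20.1.15 https://meta-business.invoice-ads-process.com/login ALLOW
2026-05-04T08:40:52Z bob 10.20.1.22 https://RAHUL010620.github.io/amazon-clone/signin ALLOW
2026-05-04T09:03:17Z carol 10.20.1.31 https://someproject.github.io/docs/ ALLOW
2026-05-04T09:15:44Z dave 10.20.1.40 http://netflix-login-verify.vercel.app/ ALLOW
2026-05-04T09:30:00Z erin 10.20.1.41 https://www.amazon.fr/ ALLOW
2026-05-04T09:45:09Z frank 10.20.1.42 https://www.weebly.com/ ALLOW
"""


def hunt(log_text):
    """Group log rows by verdict; host-exact rather than substring like has_any."""
    out = {"ioc": [], "suspect": [], "clean": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, url, action = line.split()
        verdict, host = classify_url(url)
        out[verdict].append({"time": ts, "user": user, "src": src,
                             "host": host, "action": action})
    return out


if __name__ == "__main__":
    for verdict, rows in hunt(SAMPLE_PROXY_LOG).items():
        print(verdict, [(r["user"], r["host"]) for r in rows])
```

"ioc" rows are confirmed contacts and go straight to credential reset; "suspect" rows are a triage queue for lures that rotated since the report, and a hit on the bare platform host (www.weebly.com) or a non-brand project page stays clean, which is the false-positive class a plain substring match on the platform domain would generate.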
✅ Recommended Actions
→ Block all identified phishing URLs and their hosting domains at the email gateway, DNS and web proxy
→ Alert the SOC to any historical proxy log hits on the phishing URLs, notify the affected users and reset their credentials
→ Enforce MFA on all corporate portals, preferring phishing-resistant methods such as FIDO2, so that a harvested password alone does not grant access
→ Conduct targeted user awareness communication on brand impersonation phishing hosted on free platforms
#3

Lazarus Group Exploitation of ConnectWise ScreenConnect and Linux Kernel CVEs for Financial Sector Intrusion

HIGH Lazarus Group

Lazarus Group is actively exploiting critical vulnerabilities in ConnectWise ScreenConnect and the Linux kernel to achieve initial access and privilege escalation within financial sector environments. North Korean state-sponsored objectives include SWIFT system compromise, financial data theft, and ransomware deployment as observed in prior campaigns against European banks.

🔴 Indicators of Compromise
IP 27.133.154.218 Lazarus Group C2 server associated with post-exploitation activity
IP 178.62.3.223 Secondary C2 server used for lateral movement command and control (also listed under item #2 as TA505-associated; treat the attribution as unconfirmed and block it regardless)
CVE ConnectWise ScreenConnect: CVE-2024-1709 (authentication bypass via the setup wizard, CVSS 10.0) chained with CVE-2024-1708 (path traversal) gives unauthenticated remote code execution on versions 23.9.7 and earlier; fixed in 23.9.8
CVE Linux kernel: local privilege escalation to root after initial compromise (no CVE identifier given in the report)
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1068 Exploitation for Privilege Escalation
T1021.004 Remote Services: SSH
🟢 Hunt Queries
MDE Detect Lazarus Group C2 and Post-Exploitation Connections

Identifies outbound connections to the two Lazarus-associated C2 addresses from servers and workstations. Review InitiatingProcessFileName and InitiatingProcessAccountName first: a connection originating from a ScreenConnect process, or from a host that runs ScreenConnect, should be treated as a post-exploitation hit rather than a stray click.

DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where RemoteIP in ('27.133.154.218', '178.62.3.223')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc
SENTINEL Detect ScreenConnect Exploitation Indicators

Hunts for command interpreters and LOLBins spawned by the ConnectWise ScreenConnect service processes, the pattern that follows exploitation of CVE-2024-1709/CVE-2024-1708. This relies on Windows process-creation auditing (event 4688) being forwarded to Sentinel; CommandLine is only populated when "Include command line in process creation events" is enabled. The ScreenConnect services run as SYSTEM, so a cmd.exe or powershell.exe child of them is rarely legitimate outside administrator-initiated remote commands, which should be cross-checked against the ScreenConnect audit log.

SecurityEvent
| where TimeGenerated > ago(7d)
| where ParentProcessName has_any ('ScreenConnect.Service.exe', 'ScreenConnect.ClientService.exe')
| where NewProcessName has_any ('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'certutil.exe', 'bitsadmin.exe')
| project TimeGenerated, Computer, Account, ParentProcessName, NewProcessName, CommandLine
| order by TimeGenerated desc
✅ Recommended Actions
→ Apply ConnectWise ScreenConnect patches immediately (CVE-2024-1709/CVE-2024-1708; upgrade to 23.9.8 or later) and audit every ScreenConnect instance, including its audit log and user list, for signs of compromise
→ Apply Linux kernel security patches across all Linux-based servers in the financial environment and reboot into the patched kernel
→ Block C2 IPs 27.133.154.218 and 178.62.3.223 at all perimeter controls and conduct retrospective log analysis
→ Audit privileged account usage and every authorized_keys file (per-user ~/.ssh/authorized_keys and any AuthorizedKeysFile paths in sshd_config) for keys outside the approved baseline, which is a common persistence mechanism after root compromise
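The last action above is easy to state and tedious to do by hand across a server estate. The following is an added example, not code from the report: a self-contained authorized_keys audit that parses each entry (including option-prefixed entries such as from= and command=), computes the OpenSSH SHA256 fingerprint, and flags keys that are missing from an approved baseline, use the deprecated ssh-dss type, or carry no restriction options. The baseline, user names and every key blob are constructed (wire-format shaped, not real key pairs).

```python
"""Audit of authorized_keys entries against an approved-key baseline.

Added example, not code from the report: a self-contained version of the
"audit authorized_keys for unauthorized persistence" action above. The baseline
and every key blob below are constructed (wire-format shaped, not real key pairs).
"""
import base64
import hashlib
import re

KEY_TYPES = (r"ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)"
             r"|sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com")
# [options] key-type base64-blob [comment]; options may contain quoted strings with spaces.
KEY_LINE = re.compile(r"^(?:(?P<opts>\S.*?)\s+)?(?P<type>" + KEY_TYPES +
                      r")\s+(?P<blob>[A-Za-z0-9+/]+={0,2})(?:\s+(?P<comment>.*\S))?\s*$")
WEAK_TYPES = {"ssh-dss"}


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (what ssh-keygen -lf prints)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield one dict per key line; blank/comment lines are skipped, junk lines reported."""
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = KEY_LINE.match(s)
        if not m:
            yield {"line": n, "type": None, "blob": None, "opts": "",
                   "comment": "", "fingerprint": None}
            continue
        yield {"line": n, "type": m["type"], "blob": m["blob"], "opts": m["opts"] or "",
               "comment": m["comment"] or "", "fingerprint": fingerprint(m["blob"])}


def audit_authorized_keys(text, baseline):
    """Return entries with findings; `baseline` is the set of approved fingerprints."""
    flagged = []
    for entry in parse_authorized_keys(text):
        findings = []
        if entry["fingerprint"] is None:
            findings.append("unparseable line")
        else:
            unknown = entry["fingerprint"] not in baseline
            if unknown:
                findings.append("fingerprint not in approved baseline")
            if entry["type"] in WEAK_TYPES:
                findings.append("deprecated key type " + entry["type"])
            if unknown and not entry["opts"]:
                findings.append("no from=/command= restriction")
        if findings:
            flagged.append({**entry, "findings": findings})
    return flagged


# --- constructed sample data (not real keys) ---------------------------------
def _blob(key_type, payload):
    """Wire-format shaped blob (length-prefixed type + payload); NOT a valid key."""
    raw = (len(key_type).to_bytes(4, "big") + key_type.encode()
           + len(payload).to_bytes(4, "big") + payload)
    return base64.b64encode(raw).decode()


BLOB_OPS = _blob("ssh-ed25519", bytes(range(32)))
BLOB_BACKUP = _blob("ssh-ed25519", bytes(range(32, 64)))
BLOB_ROGUE = _blob("ssh-rsa", b"\x01\x00\x01" + bytes(range(64)))
BLOB_LEGACY = _blob("ssh-dss", bytes(range(20)))

SAMPLE_AUTHORIZED_KEYS = f"""\
# managed by config management; constructed sample
ssh-ed25519 {BLOB_OPS} ops@bastion.example
from="10.0.0.0/8",command="/usr/local/bin/backup.sh" ssh-ed25519 {BLOB_BACKUP} backup@example
ssh-rsa {BLOB_ROGUE} root@kali
ssh-dss {BLOB_LEGACY} legacy-app
this is not a key line
"""

# Assumed baseline: fingerprints of the two keys config management is expected to deploy.
APPROVED_FINGERPRINTS = {fingerprint(BLOB_OPS), fingerprint(BLOB_BACKUP)}

if __name__ == "__main__":
    for hit in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(hit["line"], hit["type"], hit["fingerprint"], hit["comment"], hit["findings"])
```

In practice the baseline is exported from the key management source of truth, and the audit is run against every file named by AuthorizedKeysFile in sshd_config as well as each user's ~/.ssh/authorized_keys; an entry whose fingerprint is unknown on a root or service account is the finding to escalate, whatever its comment field claims.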