Daily Threat Report — French Financial Sector
May 06, 2026

4 IOCs | 12 TTPs | 8 KQL Queries
Executive Summary

French financial institutions face active threats from financially motivated and nation-state actors leveraging phishing infrastructure, unpatched vulnerabilities, and known C2 endpoints. Immediate action is required to block active IOCs and hunt for compromise across endpoint and network telemetry.

#1 FIN7 Active C2 Infrastructure Targeting Financial Sector

Severity: CRITICAL | Actor: FIN7

FIN7, a highly sophisticated financially motivated threat actor, is actively leveraging C2 infrastructure to conduct campaigns against financial institutions in Europe including France. Their toolset includes CARBANAK and other banking malware capable of large-scale fraud and data exfiltration.

🔴 Indicators of Compromise
IP 162.243.103.246 (Active C2 server)
IP 50.16.16.211 (Active C2 server)
IP 34.204.119.63 (Active C2 server)
URL https://netflix-clone-eta-six.vercel.app/ (Phishing page mimicking a streaming service for credential harvesting)
URL https://amazon-clone-ruby-eight.vercel.app/ (Phishing page mimicking an e-commerce platform for credential harvesting)
🟣 MITRE ATT&CK TTPs
T1566.002 Phishing: Spearphishing Link
T1071.001 Application Layer Protocol: Web Protocols
T1078 Valid Accounts
🟢 Hunt Queries

[MDE] Detect Connections to FIN7 C2 IPs

Identifies outbound connections from endpoints to known FIN7 C2 IP addresses.

DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where RemoteIP in ('162.243.103.246','50.16.16.211','34.204.119.63')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine

[Sentinel] Detect FIN7 C2 Traffic via CommonSecurityLog

Detects firewall or proxy traffic destined for known FIN7 C2 infrastructure.

CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DestinationIP in ('162.243.103.246','50.16.16.211','34.204.119.63')
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, ApplicationProtocol, DeviceAction
✅ Recommended Actions
→ Immediately block 162.243.103.246, 50.16.16.211, and 34.204.119.63 at the perimeter firewall and proxy
→ Block access to the known phishing domains on Vercel and GitHub Pages via web filtering
→ Hunt for lateral movement and credential use following any confirmed C2 beacon
#2 Lazarus Group Cryptocurrency and Banking Phishing Campaign

Severity: CRITICAL | Actor: Lazarus Group

The Lazarus Group, a North Korean state-sponsored actor, is conducting phishing campaigns using cryptocurrency and banking-themed lure pages targeting financial sector employees to steal credentials and deploy implants. IPFS-hosted phishing infrastructure and crypto-themed lure pages are actively in use.

🔴 Indicators of Compromise
IP 178.62.3.223 (Active C2 server)
IP 27.133.154.218 (Active C2 server)
URL https://kishanmgr2022-crypto.github.io/Netflix-and-primevideo/ (Crypto-themed phishing lure page)
URL https://ipfs.io/ipfs/bafkreicxnopjfeag6qgjgjcpgyctpqpqr2i4uglpw2j5aiezgtqpwrtgg4 (IPFS-hosted phishing page evading takedowns)
URL https://kuukanlooggin.webflow.io/ (Suspicious credential harvesting page)
🟣 MITRE ATT&CK TTPs
T1566.002 Phishing: Spearphishing Link
T1219 Remote Access Software
T1496 Resource Hijacking
🟢 Hunt Queries

[MDE] Detect Connections to Lazarus Group C2 IPs

Identifies endpoint connections to Lazarus Group C2 servers associated with banking and crypto campaigns.

DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where RemoteIP in ('178.62.3.223','27.133.154.218')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessAccountName

[Sentinel] Detect IPFS Phishing Page Access

Identifies user access to IPFS-hosted phishing infrastructure used by Lazarus Group.

DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where RemoteUrl has 'ipfs.io/ipfs' or RemoteUrl has 'kuukanlooggin.webflow.io' or RemoteUrl has 'kishanmgr2022-crypto.github.io'
| project TimeGenerated, DeviceName, RemoteUrl, InitiatingProcessFileName
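The following is an added example, not part of this report and not a query the report's authors supplied. It re-implements the logic of the DeviceNetworkEvents hunts in #1 and #2 (IP in-list match, RemoteUrl fragment match, 7-day lookback) in plain Python so the matching can be exercised offline against exported telemetry. The IOC values are the ones listed in this report; the event rows, hostnames and the fixed "now" timestamp are constructed for the example, and the dataclass column names are a hypothetical subset of the DeviceNetworkEvents schema.

```python
"""Offline IOC hunt over endpoint network events, mirroring the report's
DeviceNetworkEvents queries: RemoteIP in (...) and RemoteUrl has ... within
TimeGenerated > ago(7d). Added example; IOCs are those listed in the report."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# IOC values below are the ones listed in this report.
C2_IPS = {
    "162.243.103.246", "50.16.16.211", "34.204.119.63",  # FIN7 (#1)
    "178.62.3.223", "27.133.154.218",                     # Lazarus Group (#2)
}
PHISHING_URL_FRAGMENTS = (
    "ipfs.io/ipfs",
    "kuukanlooggin.webflow.io",
    "kishanmgr2022-crypto.github.io",
)


@dataclass(frozen=True)
class NetworkEvent:
    """One row in the shape of DeviceNetworkEvents (hypothetical column subset)."""
    time_generated: datetime
    device_name: str
    remote_ip: str
    remote_url: str
    initiating_process: str


@dataclass(frozen=True)
class Match:
    event: NetworkEvent
    ioc: str        # the IOC value that fired
    ioc_type: str   # "ip" or "url"


def hunt(events, now, lookback=timedelta(days=7)):
    """Return matches for events newer than now - lookback (KQL: TimeGenerated > ago(7d))."""
    cutoff = now - lookback
    matches = []
    for ev in events:
        if ev.time_generated <= cutoff:
            continue  # outside the lookback window
        if ev.remote_ip in C2_IPS:  # KQL: RemoteIP in (...)
            matches.append(Match(ev, ev.remote_ip, "ip"))
        # KQL `has` is a case-insensitive term/phrase match; a case-insensitive
        # substring check is the closest offline approximation of RemoteUrl has '...'.
        url = ev.remote_url.lower()
        for frag in PHISHING_URL_FRAGMENTS:
            if frag in url:
                matches.append(Match(ev, frag, "url"))
                break
    return matches


def by_device(matches):
    """Group fired IOCs per device, sorted, for a quick triage view."""
    grouped = {}
    for m in matches:
        grouped.setdefault(m.event.device_name, set()).add(m.ioc)
    return {dev: sorted(iocs) for dev, iocs in grouped.items()}


# Constructed sample telemetry (not real logs); hostnames are hypothetical and
# the non-IOC addresses are RFC 5737 documentation ranges.
NOW = datetime(2026, 5, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    NetworkEvent(NOW - timedelta(hours=2), "FR-WS-0142", "162.243.103.246", "",
                 "rundll32.exe"),                         # FIN7 C2 IP, in window
    NetworkEvent(NOW - timedelta(days=1), "FR-WS-0077", "203.0.113.10",
                 "https://ipfs.io/ipfs/bafkreicxnopjfeag6qgjgjcpgyctpqpqr2i4uglpw2j5aiezgtqpwrtgg4",
                 "msedge.exe"),                           # IPFS lure, in window
    NetworkEvent(NOW - timedelta(days=10), "FR-WS-0077", "178.62.3.223", "",
                 "svchost.exe"),                          # Lazarus C2 IP, but older than 7d
    NetworkEvent(NOW - timedelta(hours=3), "FR-SRV-01", "198.51.100.7",
                 "https://example.com/", "outlook.exe"),  # benign
]


def hunt_sample():
    """Run the hunt over the constructed sample with the fixed NOW."""
    return hunt(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for m in hunt_sample():
        print(f"{m.event.time_generated:%Y-%m-%d %H:%M} {m.event.device_name} "
              f"{m.ioc_type}={m.ioc} via {m.event.initiating_process}")
    print(by_device(hunt_sample()))
```

On the sample, the FIN7 IP hit and the IPFS URL hit are returned while the 10-day-old connection to 178.62.3.223 is dropped by the lookback, which is the same cutoff behaviour the KQL `ago(7d)` filter applies; widen `lookback` when hunting retroactively for older beacons.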
✅ Recommended Actions
→ Block C2 IPs 178.62.3.223 and 27.133.154.218 at all network egress points
→ Implement DNS and proxy blocking for IPFS gateway domains and the identified phishing URLs
→ Alert the SOC on any SWIFT or high-value transaction activity following detection of these IOCs
#3 TA505 Exploitation of ConnectWise ScreenConnect and cPanel Vulnerabilities

Severity: HIGH | Actor: TA505

TA505, known for large-scale financial malware distribution including Dridex and FlawedAmmyy, is actively exploiting vulnerabilities in ConnectWise ScreenConnect and cPanel/WHM, as highlighted in recent CISA advisories, to gain initial access to financial sector networks. Linux kernel vulnerabilities are also being leveraged for privilege escalation post-compromise.

🔴 Indicators of Compromise
IP 50.16.16.211 (Active C2 associated with TA505 campaigns)
URL https://raysu929.github.io/facebook-sign-up-form/ (Social engineering phishing page for credential harvesting)
URL http://personal-run-388667.framer.app/ (Suspicious phishing/malware delivery page)
URL https://emanwebdv.github.io/EPICODE_M3-W4D4/ (Suspected phishing delivery page)
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1068 Exploitation for Privilege Escalation
T1105 Ingress Tool Transfer
🟢 Hunt Queries

[MDE] Detect ScreenConnect and cPanel Exploitation Attempts

Identifies shells, interpreters and download utilities spawned by ConnectWise ScreenConnect or cPanel web server processes, a parent/child pattern consistent with exploitation.

DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where InitiatingProcessFileName in~ ('ScreenConnect.Service.exe','ScreenConnect.ClientService.exe','httpd','apache2','cpaneld')
| where FileName in~ ('cmd.exe','powershell.exe','bash','sh','python','python3','wget','curl')
| project TimeGenerated, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine

[Sentinel] Detect Linux Privilege Escalation via Kernel Exploit

Detects suspicious privilege escalation activity on Linux hosts consistent with kernel vulnerability exploitation.

Syslog
| where TimeGenerated > ago(7d)
| where Facility == 'auth' or Facility == 'authpriv'
// has_any matches whole terms, so a fragment such as 'escalat' never matches 'escalation'
| where SyslogMessage has_any ('uid=0','sudo','su root','privilege','escalation','escalate')
| where SyslogMessage has_any ('exploit','kernel','overflow')
| project TimeGenerated, HostName, SyslogMessage
✅ Recommended Actions
→ Apply emergency patches for ConnectWise ScreenConnect (CVE-2024-1709) and cPanel/WHM immediately, following CISA advisory guidance
→ Apply the latest Linux kernel security patches and restrict kernel module loading on financial sector servers
→ Hunt for webshells and unauthorized remote access tools on internet-facing servers using the KQL queries above