โ† Back to Dashboard
May 07, 2026

Daily Threat Report — French Financial Sector

4 IOCs | 12 TTPs | 8 KQL Queries
Executive Summary

French financial institutions face elevated risk from financially motivated threat actors including FIN7, TA505, and Lazarus Group, with active C2 infrastructure and phishing campaigns targeting credentials and payment systems. Exploitation of unpatched vulnerabilities in PAN-OS, Linux Kernel, and cPanel compounds the attack surface across sector-wide environments.

#1

FIN7 Active C2 Infrastructure Targeting Financial Payment Systems

CRITICAL FIN7

FIN7 continues to operate active command-and-control infrastructure posing direct risk to French financial institutions processing card and payment data. Immediate blocking of identified C2 IPs and hunting for lateral movement are critical priorities.

🔴 Indicators of Compromise
IP 162.243.103.246 Active C2 server associated with FIN7 campaigns
IP 50.16.16.211 Active C2 server used for payload delivery
URL http://www.watrbx.wtf/newlogin Phishing credential harvesting page
URL https://member131.digital-agency-partners.com/ Phishing landing page mimicking financial portal
🟣 MITRE ATT&CK TTPs
T1566.001 Spearphishing Attachment
T1071.001 Application Layer Protocol: Web Protocols
T1486 Data Encrypted for Impact
🟢 Hunt Queries
MDE: Detect FIN7 C2 Connections

Identifies outbound connections from endpoints to known FIN7 C2 IP addresses within the last 7 days.

DeviceNetworkEvents
| where TimeGenerated > ago(7d)   // in the Defender XDR advanced hunting portal the time column is Timestamp, not TimeGenerated
| where RemoteIP in ('162.243.103.246', '50.16.16.211')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
SENTINEL: Detect FIN7 C2 Traffic via CommonSecurityLog

Detects firewall or proxy logs showing connections to FIN7-associated C2 infrastructure.

CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DestinationIP in ('162.243.103.246', '50.16.16.211')
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, ApplicationProtocol, DeviceVendor
✅ Recommended Actions
→ Immediately block 162.243.103.246 and 50.16.16.211 at perimeter firewall and proxy
→ Hunt for historical connections to C2 IPs using provided KQL queries across all endpoints
→ Block phishing domains watrbx.wtf and digital-agency-partners.com at DNS and proxy layers
→ Validate PAN-OS patch status per CISA advisory to prevent exploitation of initial access vectors
#2

Lazarus Group Phishing Campaign Targeting French Banking Credentials

CRITICAL Lazarus Group

Lazarus Group, linked to DPRK state sponsorship, is conducting credential phishing campaigns using lookalike financial and payment portal URLs to compromise banking sector accounts. The group's focus on financial gain makes French institutions high-priority targets for theft and disruption.

🔴 Indicators of Compromise
IP 34.204.119.63 Active C2 infrastructure linked to Lazarus Group operations
IP 178.62.3.223 Secondary C2 node used for exfiltration staging
URL https://txdmv.uphsx.shop/pay/a_index.html/ Payment-themed phishing page harvesting financial credentials
URL https://ad-account-authentication-office.pages.dev/e-zpass-us/about-/ Toll payment phishing lure targeting end users
URL https://projeto-dio.vercel.app/pages/login.html/ Credential phishing login page hosted on legitimate platform
🟣 MITRE ATT&CK TTPs
T1598.003 Phishing for Information: Spearphishing Link
T1078 Valid Accounts
T1041 Exfiltration Over C2 Channel
🟢 Hunt Queries
MDE: Detect Lazarus Group C2 Connections

Identifies device connections to Lazarus Group C2 IPs indicative of active compromise or beacon activity.

DeviceNetworkEvents
| where TimeGenerated > ago(7d)   // in the Defender XDR advanced hunting portal the time column is Timestamp, not TimeGenerated
| where RemoteIP in ('34.204.119.63', '178.62.3.223')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessAccountName
SENTINEL: Detect Access to Lazarus Phishing Domains

Identifies DNS queries or proxy requests to phishing domains associated with the Lazarus Group campaign targeting financial users.

DnsEvents
| where TimeGenerated > ago(7d)
// Match the exact phishing hostnames from the IOC list. The bare suffixes 'pages.dev' and 'vercel.app'
// are shared hosting platforms; matching them would flag every Cloudflare Pages or Vercel site.
| where Name has_any ('uphsx.shop', 'projeto-dio.vercel.app', 'ad-account-authentication-office.pages.dev')
| project TimeGenerated, Computer, Name, IPAddresses
| union (
    CommonSecurityLog
    | where TimeGenerated > ago(7d)
    | where RequestURL has_any ('uphsx.shop', 'projeto-dio.vercel.app/pages/login', 'ad-account-authentication-office.pages.dev')
    | project TimeGenerated, SourceIP, RequestURL
)
✅ Recommended Actions
→ Block C2 IPs 34.204.119.63 and 178.62.3.223 at all network egress points immediately
→ Submit phishing URLs to DNS sinkhole and proxy blocklists across all financial institution branches
→ Enable MFA enforcement for all privileged and external-facing banking system accounts
→ Conduct user awareness communication regarding payment-themed phishing lures targeting financial staff
#3

TA505 Exploiting cPanel and Linux Kernel Vulnerabilities for Financial Sector Intrusion

HIGH TA505

TA505 is actively exploiting vulnerabilities in cPanel/WHM and the Linux Kernel as highlighted in current CISA advisories to gain initial access to hosting and backend infrastructure used by financial institutions. Combined with known phishing infrastructure, this actor poses a significant risk to web-facing financial services and customer portals.

🔴 Indicators of Compromise
IP 27.133.154.218 Active C2 IP linked to TA505 post-exploitation activity
URL http://gemini.200399.xyz/ TA505-linked phishing and malware distribution URL
URL http://member439.meta-agency-center.com/ Credential phishing portal mimicking financial or social media brand
URL http://meta-authorized.invoice-ads-program.com/ Invoice-themed phishing lure targeting finance department employees
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1059.004 Command and Scripting Interpreter: Unix Shell
T1566.002 Spearphishing Link
🟢 Hunt Queries
MDE: Detect TA505 C2 Beacon Activity

Identifies outbound connections to the TA505-associated C2 IP from any managed endpoint within the monitoring window.

DeviceNetworkEvents
| where TimeGenerated > ago(7d)   // in the Defender XDR advanced hunting portal the time column is Timestamp, not TimeGenerated
| where RemoteIP == '27.133.154.218'
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
SENTINEL: Detect Exploitation Attempts Against Linux and cPanel Assets

Correlates web application firewall and syslog events for exploitation patterns targeting cPanel and Linux kernel vulnerabilities flagged in current CISA advisories.

CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceEventClassID has_any ('exploit', 'CVE', 'cPanel', 'kernel')
    or RequestURL has_any ('/cpanel', '/whm', '/cgi-sys')
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DeviceVendor, Activity
| union (
    Syslog
    | where TimeGenerated > ago(7d)
    | where ProcessName in ('cpaneld', 'whmd')   // adjust to the daemon names your cPanel build logs under
        and SeverityLevel in ('err', 'crit', 'alert')
    | project TimeGenerated, Computer, ProcessName, SyslogMessage
)
✅ Recommended Actions
→ Apply all available patches for cPanel/WHM and Linux Kernel immediately per CISA advisory guidance
→ Block 27.133.154.218 and phishing domains 200399.xyz, meta-agency-center.com, and invoice-ads-program.com at perimeter
→ Audit all internet-facing Linux servers for signs of unauthorized shell execution or new cron jobs
→ Deploy email gateway rules to block invoice-themed and brand-impersonation phishing lures targeting finance teams
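The recommended actions in all three sections reduce to the same two steps: push the listed IPs and domains to perimeter, DNS and proxy blocklists, and hunt for historical contact with them. The script below is an added example, not code from the report or its tooling. It takes the report's IOC list, validates each entry, derives the domains to block (the attacker-controlled apex for a domain like watrbx.wtf, but only the exact hostname for tenants of shared platforms such as pages.dev and vercel.app), and emits BIND RPZ records plus a single Sentinel KQL hunt covering every IOC. The `SHARED_HOSTING_APEXES` set and the two-label parent-domain heuristic are assumptions, not something the report specifies.

```python
"""Turn a threat report's IOC list into DNS blocklist records and a KQL hunt.

Added example, not code from the report. Standard library only.
"""
import ipaddress
from urllib.parse import urlsplit

# IOCs copied from the report: (actor, type, value). Descriptions omitted.
REPORT_IOCS = [
    ("FIN7", "ip", "162.243.103.246"),
    ("FIN7", "ip", "50.16.16.211"),
    ("FIN7", "url", "http://www.watrbx.wtf/newlogin"),
    ("FIN7", "url", "https://member131.digital-agency-partners.com/"),
    ("Lazarus Group", "ip", "34.204.119.63"),
    ("Lazarus Group", "ip", "178.62.3.223"),
    ("Lazarus Group", "url", "https://txdmv.uphsx.shop/pay/a_index.html/"),
    ("Lazarus Group", "url", "https://ad-account-authentication-office.pages.dev/e-zpass-us/about-/"),
    ("Lazarus Group", "url", "https://projeto-dio.vercel.app/pages/login.html/"),
    ("TA505", "ip", "27.133.154.218"),
    ("TA505", "url", "http://gemini.200399.xyz/"),
    ("TA505", "url", "http://member439.meta-agency-center.com/"),
    ("TA505", "url", "http://meta-authorized.invoice-ads-program.com/"),
]

# Assumption (constructed list): apexes shared by many unrelated tenants. Only the exact
# hostname may be blocked under these; blocking the apex would break legitimate sites.
SHARED_HOSTING_APEXES = {"pages.dev", "vercel.app"}


def parent_domain(host):
    """Two-label heuristic for the registrable domain (assumption: no public suffix list,
    so fine for .com/.xyz/.shop/.wtf but wrong for multi-label suffixes such as co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalise(iocs):
    """Validate and classify IOCs. Returns (ips, hosts, block_domains, rejected):
    validated IP strings, exact lowercased hostnames from URL IOCs, the domains to push
    to DNS/proxy blocklists, and entries that failed validation (never dropped silently)."""
    ips, hosts, block_domains, rejected = set(), set(), set(), []
    for actor, kind, value in iocs:
        if kind == "ip":
            try:
                ips.add(str(ipaddress.ip_address(value)))
            except ValueError:
                rejected.append((actor, kind, value))
        elif kind == "url":
            host = urlsplit(value).hostname
            if not host or "." not in host:
                rejected.append((actor, kind, value))
                continue
            host = host.lower()
            hosts.add(host)
            apex = parent_domain(host)
            block_domains.add(host if apex in SHARED_HOSTING_APEXES else apex)
        else:
            rejected.append((actor, kind, value))
    return ips, hosts, block_domains, rejected


def rpz_records(domains):
    """BIND Response Policy Zone records: NXDOMAIN for each domain and all its subdomains."""
    records = []
    for domain in sorted(domains):
        records.append(f"{domain} CNAME .")
        records.append(f"*.{domain} CNAME .")
    return records


def kql_hunt(ips, hosts, lookback_days=7):
    """One Sentinel hunt over the whole IOC set, in the style of the report's queries:
    endpoint connections to the C2 IPs plus DNS lookups of the exact phishing hostnames."""
    ip_list = ", ".join(f"'{ip}'" for ip in sorted(ips))
    host_list = ", ".join(f"'{h}'" for h in sorted(hosts))
    return "\n".join([
        f"let c2_ips = dynamic([{ip_list}]);",
        f"let phish_hosts = dynamic([{host_list}]);",
        "union",
        "  (DeviceNetworkEvents",
        f"   | where TimeGenerated > ago({lookback_days}d)",
        "   | where RemoteIP in (c2_ips)",
        "   | project TimeGenerated, Host = DeviceName, Indicator = RemoteIP, Detail = InitiatingProcessCommandLine),",
        "  (DnsEvents",
        f"   | where TimeGenerated > ago({lookback_days}d)",
        "   | where tolower(Name) in (phish_hosts)",
        "   | project TimeGenerated, Host = Computer, Indicator = Name, Detail = IPAddresses)",
        "| order by TimeGenerated desc",
    ])


if __name__ == "__main__":
    ips, hosts, block_domains, rejected = normalise(REPORT_IOCS)
    print("\n".join(rpz_records(block_domains)))
    print()
    print(kql_hunt(ips, hosts))
    if rejected:
        print("\nREJECTED (review by hand):", rejected)
```

Rejected entries are returned rather than discarded so that a malformed line in a report is noticed, and the generated hunt matches hostnames exactly instead of by suffix, which is the difference between a handful of true hits and an alert for every Cloudflare Pages site the workforce visits.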