โ† Back to Dashboard
May 08, 2026

Daily Threat Report — French Financial Sector

Executive Summary

French financial institutions face active threats from financially motivated and nation-state actors leveraging phishing campaigns, unpatched vulnerabilities in Ivanti EPMM and PAN-OS, and confirmed C2 infrastructure. Immediate patching, IOC blocking, and threat hunting are strongly recommended across all environments.

#1 Active C2 Infrastructure Targeting Financial Networks

Severity: CRITICAL. Threat actor: FIN7.

FIN7, a highly capable financially motivated threat actor, is actively operating C2 infrastructure observed in current threat feeds targeting financial sector organizations. Immediate blocking of identified C2 IPs and network-level hunting are critical to prevent data exfiltration and ransomware deployment.

🔴 Indicators of Compromise
IP 162.243.103.246 (active C2 server)
IP 50.16.16.211 (active C2 server)
IP 34.204.119.63 (active C2 server)
URL http://mitrra-pgn-gas.lyanan-mrkt.shop/ (phishing/malware delivery URL)
URL http://payltterdanaxids.tubersis.biz.id/ (phishing credential harvesting)
🟣 MITRE ATT&CK TTPs
T1566.001 Spearphishing Attachment
T1071.001 Application Layer Protocol: Web Protocols
T1041 Exfiltration Over C2 Channel
🟢 Hunt Queries
MDE: Detect Connections to FIN7 C2 IPs

Identifies devices connecting to known FIN7 C2 IP addresses in the last 7 days.

// Endpoint network telemetry: any connection to a listed FIN7 C2 address in the last 7 days
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where RemoteIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc

SENTINEL: Detect C2 Traffic via CommonSecurityLog

Detects outbound connections to known FIN7 C2 infrastructure across network security appliances.

// Firewall/proxy telemetry (CEF): outbound sessions to the same FIN7 C2 addresses
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DestinationIP in ('162.243.103.246', '50.16.16.211', '34.204.119.63', '178.62.3.223', '27.133.154.218')
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, ApplicationProtocol, DeviceVendor
| order by TimeGenerated desc

✅ Recommended Actions
→ Immediately block all five C2 IPs at perimeter firewall and proxy layers
→ Deploy KQL hunting queries across MDE and Sentinel environments
→ Review EDR telemetry for lateral movement following any confirmed C2 beaconing
→ Ensure endpoint protection signatures are up to date for FIN7 toolsets including CARBANAK
#2 Phishing Campaign Impersonating Financial and Payment Platforms

Severity: HIGH. Threat actor: TA505.

TA505, known for large-scale phishing operations against financial institutions, is operating multiple phishing URLs mimicking payment and identity services to harvest credentials from banking customers and employees. Several active URLs target French-speaking users and leverage legitimate cloud infrastructure for evasion.

🔴 Indicators of Compromise
URL http://xlayaanid-paylternewz.tiaoxsid.my.id/ (payment platform phishing page)
URL http://member437.meta-agency-center.com/ (credential harvesting phishing site)
URL https://ntirety.it-admincenter.com/s/63BZGFSVBWSFCDX7Y9/584dd8/90eab167-7429-489f-99f6-ce86e8d0d81a (IT admin phishing lure)
URL https://aumento51.s3.us-east-005.backblazeb2.com/aumento.html (cloud-hosted phishing page abusing Backblaze S3)
URL https://aumento72.s3.us-east-005.backblazeb2.com/aumento.html (cloud-hosted phishing page abusing Backblaze S3)
IP 178.62.3.223 (active C2 associated with phishing infrastructure)
🟣 MITRE ATT&CK TTPs
T1566.002 Spearphishing Link
T1583.006 Acquire Infrastructure: Web Services
T1056.003 Input Capture: Web Portal Capture
🟢 Hunt Queries
MDE: Detect Access to TA505 Phishing Domains

Identifies endpoint DNS queries or web requests to known TA505 phishing domains and URLs.

// Endpoint network telemetry: requests whose URL contains a listed phishing domain
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where RemoteUrl has_any ('meta-agency-center.com', 'tiaoxsid.my.id', 'lyanan-mrkt.shop', 'tubersis.biz.id', 'it-admincenter.com')
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessAccountName
| order by TimeGenerated desc

SENTINEL: Detect Phishing URL Access via Proxy Logs

Identifies user access to phishing URLs hosted on cloud infrastructure or known phishing domains through proxy or firewall logs.

// Proxy/firewall telemetry (CEF): requests to the phishing domains or to the Backblaze-hosted lure path
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where RequestURL has_any ('meta-agency-center.com', 'tiaoxsid.my.id', 'lyanan-mrkt.shop', 'tubersis.biz.id', 'backblazeb2.com/aumento', 'it-admincenter.com')
| project TimeGenerated, SourceUserName, SourceIP, RequestURL, DeviceAction
| order by TimeGenerated desc
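For teams without Sentinel or MDE, or for checking an exported log file offline, the same two filters used in the #1 and #2 hunt queries (exact match on the C2 IP list, URL match on the phishing domain list) can be reproduced in a small script. The following is an added example, not part of this report or of any vendor tooling; the log line format is constructed for the example, and the URL matching deliberately uses a host-suffix comparison rather than the raw substring behaviour of the KQL above, so that a look-alike host such as meta-agency-center.com.example.net is not reported as a hit.

```python
"""Offline check of proxy log lines against the IOCs in this report.

Added example (not the report's own tooling). Log format is constructed:
  <timestamp> <user> <src_ip> <dst_ip> <url> <action>
"""
from urllib.parse import urlsplit

# IOC values copied from the report's indicator tables (#1, #2, #3).
C2_IPS = {
    "162.243.103.246", "50.16.16.211", "34.204.119.63",
    "178.62.3.223", "27.133.154.218",
}
PHISHING_HOSTS = {
    "meta-agency-center.com", "tiaoxsid.my.id", "lyanan-mrkt.shop",
    "tubersis.biz.id", "it-admincenter.com",
}
# The Backblaze lure is keyed on host suffix *and* path prefix, because
# backblazeb2.com itself is legitimate shared infrastructure.
PHISHING_PATH_PREFIXES = [("backblazeb2.com", "/aumento")]


def host_matches(host, ioc_host):
    """True if host equals ioc_host or is a subdomain of it (label-boundary suffix match)."""
    host = host.lower().rstrip(".")
    return host == ioc_host or host.endswith("." + ioc_host)


def classify_url(url):
    """Return the IOC the URL matches, or None if it matches nothing."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for ioc in PHISHING_HOSTS:
        if host_matches(host, ioc):
            return ioc
    for ioc_host, prefix in PHISHING_PATH_PREFIXES:
        if host_matches(host, ioc_host) and parts.path.startswith(prefix):
            return ioc_host + prefix
    return None


def parse_line(line):
    """Split one constructed log line into its six fields."""
    ts, user, src_ip, dst_ip, url, action = line.split()
    return {"ts": ts, "user": user, "src_ip": src_ip,
            "dst_ip": dst_ip, "url": url, "action": action}


def hunt(lines):
    """Return (timestamp, user, src_ip, url, reasons) for every line that hits an IOC."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_line(line)
        reasons = []
        if ev["dst_ip"] in C2_IPS:                  # mirrors `DestinationIP in (...)`
            reasons.append("c2_ip:" + ev["dst_ip"])
        ioc = classify_url(ev["url"])               # mirrors `RequestURL has_any (...)`
        if ioc:
            reasons.append("phish_url:" + ioc)
        if reasons:
            hits.append((ev["ts"], ev["user"], ev["src_ip"], ev["url"], reasons))
    return hits


# Constructed sample lines; the IOC values are the report's, the rest is made up.
SAMPLE_LOG = """\
# constructed sample, not real telemetry
2026-05-08T08:01:12Z jdupont 10.20.1.15 203.0.113.7 https://intranet.example.fr/home allow
2026-05-08T08:03:40Z jdupont 10.20.1.15 198.51.100.9 http://member437.meta-agency-center.com/login allow
2026-05-08T08:04:02Z mmartin 10.20.1.22 162.243.103.246 https://162.243.103.246/beacon allow
2026-05-08T08:05:55Z mmartin 10.20.1.22 198.51.100.30 https://aumento51.s3.us-east-005.backblazeb2.com/aumento.html allow
2026-05-08T08:06:10Z mmartin 10.20.1.22 198.51.100.31 https://docs.s3.us-east-005.backblazeb2.com/report.pdf allow
2026-05-08T08:07:00Z aleroy 10.20.1.40 198.51.100.50 https://meta-agency-center.com.example.net/ allow
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Run against the embedded sample, the script reports three lines: the meta-agency-center.com login page, the direct connection to 162.243.103.246, and the Backblaze-hosted aumento page. The unrelated Backblaze bucket and the look-alike host under example.net are not reported, which is the difference the suffix match makes compared with a plain substring filter.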
✅ Recommended Actions
→ Block all identified phishing URLs and associated domains at web proxy and email gateway
→ Alert SOC to monitor for credential reuse attempts following any confirmed phishing clicks
→ Enforce MFA on all financial systems and VPN access to mitigate credential theft impact
→ Educate staff on phishing lures impersonating payment and IT administration portals

#3 Exploitation of Unpatched Ivanti EPMM and PAN-OS Vulnerabilities

Severity: HIGH. Threat actor: Lazarus Group.

Lazarus Group has been observed exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) and Palo Alto Networks PAN-OS, both currently flagged in active CISA advisories, to gain initial access to financial sector networks. A Linux kernel vulnerability also covered by the CISA advisories further expands the attack surface, enabling privilege escalation after initial access in environments running affected systems.

🔴 Indicators of Compromise
IP 27.133.154.218 (active C2 associated with Lazarus Group operations)
IP 34.204.119.63 (secondary C2 server used for post-exploitation)
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1068 Exploitation for Privilege Escalation
T1572 Protocol Tunneling
🟢 Hunt Queries
MDE: Detect Lazarus Group C2 and Post-Exploitation Activity

Identifies connections to Lazarus-associated C2 IPs and flags suspicious process activity consistent with post-exploitation behavior.

// Correlate each C2 connection with the creation event of the process that made it.
// Joining on DeviceName alone would pair every connection with every process on the
// device, so the join also matches the initiating process ID.
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where RemoteIP in ('27.133.154.218', '34.204.119.63')
| join kind=leftouter (
    DeviceProcessEvents
    | where TimeGenerated > ago(7d)
    | project DeviceName, ProcessId, ProcessCommandLine, FileName, AccountName
) on DeviceName, $left.InitiatingProcessId == $right.ProcessId
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, ProcessCommandLine, AccountName
| order by TimeGenerated desc

SENTINEL: Detect Exploitation Attempts Against Ivanti EPMM and PAN-OS

Detects anomalous HTTP requests and authentication events targeting Ivanti EPMM and PAN-OS management interfaces indicative of CVE exploitation.

// Appliance telemetry (CEF): exploitation-related activity strings on Ivanti/Palo Alto
// devices (or any HTTPS session), plus any traffic to the Lazarus C2 addresses.
// Note that the ApplicationProtocol == 'HTTPS' clause widens the first filter to all HTTPS logs.
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor in ('Palo Alto Networks', 'Ivanti') or ApplicationProtocol == 'HTTPS'
| where Activity has_any ('exploit', 'CVE', 'authentication bypass', 'unauthenticated')
    or DestinationIP in ('27.133.154.218', '34.204.119.63')
| project TimeGenerated, SourceIP, DestinationIP, Activity, DeviceVendor, Message
| order by TimeGenerated desc

✅ Recommended Actions
→ Apply all available patches for Ivanti EPMM, Palo Alto PAN-OS, and the Linux kernel immediately per CISA advisories
→ Isolate and forensically review any internet-exposed systems running unpatched Ivanti EPMM or PAN-OS
→ Block Lazarus-associated C2 IPs at the perimeter and inspect all outbound traffic for tunneling anomalies
→ Conduct a privileged account audit and reset credentials on systems potentially exposed to exploitation