

FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. [1] [2] [3] [4] [5]

ID: S0182
Associated Software: FinSpy
Platforms: Windows, Android
Version: 1.2
Created: 16 January 2018
Last Modified: 15 October 2019

Associated Software Descriptions

Name Description
FinSpy [3] [4]

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.[1][5]

Enterprise T1009 Binary Padding

FinFisher contains junk code in its functions in an effort to confuse disassembly programs.[1][5]

Enterprise T1067 Bootkit

Some FinFisher variants incorporate an MBR rootkit.[1][5]

Enterprise T1088 Bypass User Account Control

FinFisher performs UAC bypass.[1][5]

Enterprise T1140 Deobfuscate/Decode Files or Information

FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.[1][5]

Enterprise T1038 DLL Search Order Hijacking

A FinFisher variant uses DLL search order hijacking.[1][4]

Enterprise T1073 DLL Side-Loading

FinFisher uses DLL side-loading to load malicious programs.[1][5]

Enterprise T1083 File and Directory Discovery

FinFisher enumerates directories and scans for certain files.[1][5]

Enterprise T1179 Hooking

FinFisher hooks processes by modifying IAT pointers to CreateWindowEx.[1][6]

Enterprise T1070 Indicator Removal on Host

FinFisher clears the system event logs.[1][5]

Enterprise T1036 Masquerading

FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.[1][5]

Enterprise T1050 New Service

FinFisher creates a new Windows service with the malicious executable for persistence.[1][5]

Enterprise T1027 Obfuscated Files or Information

FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.[1][5]

Enterprise T1057 Process Discovery

FinFisher checks its parent process for indications that it is running in a sandbox setup.[1][5]

Enterprise T1055 Process Injection

FinFisher injects itself into various processes depending on whether it is low integrity or high integrity.[1][5]

Enterprise T1012 Query Registry

FinFisher queries Registry values as part of its anti-sandbox checks.[1][5]

Enterprise T1060 Registry Run Keys / Startup Folder

FinFisher establishes persistence by creating the Registry key HKCU\Software\Microsoft\Windows\Run.[1][5]

Enterprise T1113 Screen Capture

FinFisher takes a screenshot of the screen and displays it on top of all other windows for a few seconds in an apparent attempt to hide some messages shown by the system during the setup process.[1][5]

Enterprise T1063 Security Software Discovery

FinFisher probes the system to check for antimalware processes.[1][4]

Enterprise T1045 Software Packing

A FinFisher variant uses a custom packer.[1][4]

Enterprise T1082 System Information Discovery

FinFisher checks whether the victim OS is 32- or 64-bit.[1][5]

Enterprise T1497 Virtualization/Sandbox Evasion

FinFisher probes the system to check for sandbox/virtualized environments.[1][5]

Mobile T1433 Access Call Log

FinFisher accesses and exfiltrates the call log.[7]

Mobile T1429 Capture Audio

FinFisher uses the device microphone to record phone conversations.[7]

Mobile T1412 Capture SMS Messages

FinFisher captures and exfiltrates SMS messages.[7]

Mobile T1436 Commonly Used Port

FinFisher exfiltrates data over commonly used ports, such as ports 21, 53, and 443.[7]

Mobile T1404 Exploit OS Vulnerability

FinFisher comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.[7]

Mobile T1430 Location Tracking

FinFisher tracks the latitude and longitude coordinates of the infected device.[7]

Groups That Use This Software

ID Name References
G0070 Dark Caracal [7]