Flash Briefing: High Finance

FIN7 Pivots to Financial Services with New Phishing Infrastructure and Loader Malware

FIN7 (also tracked as Carbon Spider and Sangria Tempest) has resumed targeted activity against European financial institutions after a period of relative quiet following multiple arrests of group members in 2023. New phishing infrastructure observed in April and May 2026 indicates the group has rebuilt its operational capability and is targeting mid-tier financial services organisations — specifically wealth managers, independent brokers, payment processors, and trade finance firms.

What Has Changed

FIN7 has historically relied on carefully crafted spear-phishing emails that impersonate regulators, auditors, and trade bodies. This campaign continues that pattern, but with a new loader component — dubbed “SideDoor” by threat intelligence analysts — that establishes persistence and communicates with command-and-control infrastructure through legitimate-looking HTTPS traffic designed to blend with normal business network activity.

The loader is delivered via malicious Microsoft Word documents attached to emails that purport to be regulatory filings or compliance documents. The lure content is contextually convincing: references to FCA reporting deadlines, DORA compliance requirements, and Basel IV calculations have all been used as cover material.

Once the loader is active, FIN7 operators conduct manual reconnaissance before deploying additional tooling — taking days or weeks to understand the target environment before taking action.

Who Is Being Targeted

This campaign is not targeting the major retail banks, which typically have detection capabilities sufficient to catch this class of attack. The focus is on the mid-market:

  • Wealth management firms with UHNW client data and significant liquid assets under management
  • Brokers and market makers with direct connectivity to trading infrastructure
  • Payment processors that sit within the payment chain without full Tier 1 security investment
  • Trade finance and commodities firms with access to large transaction flows

The common thread is access to funds or data that can be monetised quickly.

Recommendations

Finance sector security and risk leaders should ensure:

  1. Email filtering rules are updated to flag macro-enabled Office files, and documents embedding them, from external senders
  2. Staff in client-facing and compliance roles receive targeted phishing awareness training with examples that reflect current lures
  3. Endpoint detection is tuned to flag anomalous outbound HTTPS connections from Office application processes
  4. Privileged accounts used for banking systems have MFA enforced — credential theft remains the goal once the loader is active
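As an added illustration of recommendation 3 (not part of the briefing or any vendor's detection content), the rule below runs over constructed Sysmon-style network connection events and flags document-handling Office processes that open HTTPS connections to destinations outside an assumed tenant allowlist, or directly to an IP with no resolved hostname. The process names, the allowlist suffixes, the internal ranges and the sample events are all assumptions.

```python
import ipaddress
import ntpath

# Document-handling Office processes. Outlook is deliberately excluded because its
# constant HTTPS traffic to Exchange Online would swamp a simple rule like this.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Assumed tenant allowlist of destinations Office is expected to reach (placeholder
# values; a real deployment derives these from baseline telemetry).
ALLOWED_HOST_SUFFIXES = (".office.com", ".microsoft.com", ".office365.com")

# Assumed corporate internal ranges; HTTPS to these is out of scope for this rule.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry in a Sysmon Event ID 3 (network connection) shape.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_ip": "52.96.0.10", "dest_port": 443, "dest_host": "outlook.office.com"},
    {"id": 2, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_ip": "203.0.113.45", "dest_port": 443, "dest_host": None},
    {"id": 3, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "dest_ip": "10.0.0.5", "dest_port": 445, "dest_host": "fileserver.corp.local"},
    {"id": 4, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "198.51.100.7", "dest_port": 443, "dest_host": "www.example.org"},
    {"id": 5, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "dest_ip": "198.51.100.20", "dest_port": 443, "dest_host": "cdn-update-check.example"},
]

def is_anomalous_office_https(event):
    """Return a reason string if an Office process reached an unexpected external
    HTTPS endpoint, otherwise None."""
    image = ntpath.basename(event["image"]).lower()  # ntpath handles Windows paths anywhere
    if image not in OFFICE_PROCESSES or event["dest_port"] != 443:
        return None
    ip = ipaddress.ip_address(event["dest_ip"])
    if any(ip in net for net in INTERNAL_NETS):
        return None
    host = event.get("dest_host")
    if host is None:
        return f"{image} made a direct-to-IP HTTPS connection to {event['dest_ip']}"
    if not host.lower().endswith(ALLOWED_HOST_SUFFIXES):
        return f"{image} connected over HTTPS to non-allowlisted host {host}"
    return None

def find_anomalies(events):
    """Run the rule over a batch of events; returns (event id, reason) pairs."""
    return [(e["id"], r) for e in events if (r := is_anomalous_office_https(e))]

if __name__ == "__main__":
    for event_id, reason in find_anomalies(SAMPLE_EVENTS):
        print(f"ALERT event {event_id}: {reason}")
```

Tune the allowlist against a baseline of genuine Office telemetry before enabling alerts, since add-ins and update checks reach endpoints beyond the three suffixes assumed here.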

The FCA has been made aware and is expected to issue a Dear CEO letter to mid-tier firms in the coming weeks.