Cybersecurity researchers have uncovered new infrastructure linked to a financially motivated threat group known as FIN7, indicating that the group is continuing its operations despite previous attempts to disrupt its activities. The findings, which were detailed in a report by Team Cymru, reveal two distinct clusters of potential FIN7 activity associated with IP addresses in Russia and Estonia.
The first cluster of suspicious activity is linked to Post Ltd, a broadband provider operating in Southern Russia. The second cluster involves IP addresses assigned to SmartApe, a cloud hosting provider based in Estonia. These clusters appear to be communicating with infrastructure previously identified by the threat research group Silent Push, which recently reported that FIN7 is using Stark Industries IP addresses to host its malicious infrastructure.
Silent Push's investigation revealed upwards of 4,000 domains attributed to the group or its imitators. A significant number of these domains were hosted on Stark Industries infrastructure, with 74% of the related IP addresses obscured by Cloudflare services. This tactic is likely used to conceal the true locations of FIN7’s servers.
By analyzing network telemetry data, Team Cymru identified the communication patterns between the newly discovered clusters and the previously known Stark-assigned hosts. In the past 30 days alone, the Post Ltd cluster was observed engaging in outbound communications with at least 15 Stark-assigned hosts, while the SmartApe cluster communicated with at least 16.
Furthermore, there is significant overlap between the two clusters, with 12 of the hosts identified in the Russian Post Ltd cluster also appearing in the Estonian SmartApe cluster. This suggests a coordinated effort by FIN7 to use multiple providers across different countries to support its criminal activities.
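The pivot described in the two paragraphs above, reduced to its core: take outbound flow records, keep only the ones whose source sits in a candidate cluster and whose destination is an already attributed host, then count per-cluster contacts and the hosts both clusters share. This is an added example, not Team Cymru's tooling; the cluster prefixes, the "known host" set and the flow records are constructed from RFC 5737 documentation ranges, not real indicators.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data (RFC 5737 documentation ranges, not real indicators):
# two candidate clusters defined by provider prefix, a set of previously
# attributed hosts, and a handful of outbound flow records (src, dst).
CLUSTERS = {
    "cluster-A": ip_network("192.0.2.0/24"),
    "cluster-B": ip_network("198.51.100.0/24"),
}
KNOWN_HOSTS = {ip_address(f"203.0.113.{i}") for i in range(1, 8)}
FLOWS = [
    ("192.0.2.10", "203.0.113.1"), ("192.0.2.10", "203.0.113.2"),
    ("192.0.2.11", "203.0.113.3"), ("192.0.2.12", "203.0.113.5"),
    ("198.51.100.5", "203.0.113.1"), ("198.51.100.5", "203.0.113.2"),
    ("198.51.100.6", "203.0.113.4"), ("198.51.100.7", "203.0.113.6"),
    ("192.0.2.13", "203.0.113.200"),  # destination not in the known set: ignored
    ("10.0.0.9", "203.0.113.1"),      # source outside both clusters: ignored
]


def cluster_of(src):
    """Return the cluster name whose prefix contains src, or None."""
    ip = ip_address(src)
    for name, net in CLUSTERS.items():
        if ip in net:
            return name
    return None


def known_hosts_contacted(flows, known_hosts=KNOWN_HOSTS):
    """Map each cluster to the set of previously attributed hosts it talked to."""
    contacted = defaultdict(set)
    for src, dst in flows:
        name = cluster_of(src)
        if name is not None and ip_address(dst) in known_hosts:
            contacted[name].add(ip_address(dst))
    return dict(contacted)


def cluster_overlap(contacted):
    """Known hosts reached by every cluster: evidence of shared upstream infrastructure."""
    sets = list(contacted.values())
    return set.intersection(*sets) if sets else set()
```

On the constructed flows each cluster reaches four known hosts and two of those are shared, the same shape of result as the 15/16/12 figures in the report.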
According to Team Cymru, many large virtual private server (VPS) providers offer reseller services, allowing customers to procure infrastructure while adhering to the parent company's terms of service. The latest analysis suggests that some of FIN7's infrastructure may have been obtained through Stark Industries resellers.
Following responsible disclosure by the researchers, Stark Industries has suspended the services linked to the identified malicious activity.