In January 2016, a new financially motivated threat actor group made its debut. Dubbed FIN8, this group is known to have used a diverse array of techniques, from spear-phishing to zero-day exploits in Windows, to infect retail, hospitality and entertainment companies and steal payment card data from POS systems.

Our analysis reveals several differences between three deployed BADHATCH versions and to isolate the differences between versions, which helps us pinpoint campaigns on a timeline.