Cyber Threat Actor: TheFamily
| Actor Type | Location | Known Incidents |
|---|---|---|
| Criminal | Russia | 11 incidents |
Profile
TheFamily is a threat actor operating from Russia, primarily engaged in financially motivated cyberattacks targeting the hospitality, retail, and food service sectors. This group focuses on compromising payment systems to harvest credit card data, including card numbers, expiration dates, and cardholder names, often through point-of-sale (POS) malware deployments. Their campaigns consistently affect U.S.-based entities, with notable breaches impacting restaurant chains, hotels, and entertainment venues. TheFamily leverages malware such as ShellTea and PoSeidon (FindPOS), employing fileless techniques, registry-based persistence, and process injection into explorer.exe to evade detection. Initial access is frequently achieved via phishing campaigns, with infrastructure mimicking legitimate content delivery networks (CDNs) to obscure malicious activity.
The actor’s operations demonstrate a pattern of targeting third-party vendors and poorly segmented networks to infiltrate payment environments. Significant incidents include the 2019 attack on a hotel-entertainment entity using ShellTea malware, which featured proxy-aware command-and-control communication over HTTPS and an attempted deployment of a POS-focused payload. Earlier campaigns compromised multiple restaurant brands (2018), a rail ticket booking service (2017), and self-service food kiosks (2017); in the kiosk incident, biometric data and stored-value card details were also exposed. TheFamily’s infrastructure and tradecraft overlap with those attributed to the FIN7 and FIN8 groups, though a direct affiliation remains unconfirmed. Their activities highlight persistent exploitation of weak encryption, insufficient network segmentation, and third-party weaknesses in payment ecosystems.
