
Now Live: The CrowdStrike 2026 Financial Services Threat Landscape Report

The CrowdStrike 2026 Financial Services Threat Landscape Report highlights a 43% global increase in hands-on-keyboard intrusions against the financial sector. The threat landscape is dominated by eCrime ransomware operations, DPRK-nexus cryptocurrency theft via supply chain compromises, and China-nexus intelligence collection leveraging Operational Relay Box (ORB) networks and DLL search-order hijacking.

Confidence: high. Analyzed: 2026-05-15.

Authors: Counter Adversary Operations

Actors: MUTANT SPIDER, SCATTERED SPIDER, CHATTY SPIDER, SOLAR SPIDER, PLUMP SPIDER, PRESSURE CHOLLIMA, FAMOUS CHOLLIMA, STARDUST CHOLLIMA, HOLLOW PANDA, VAULT PANDA, GENESIS PANDA, MURKY PANDA

Tools: KEYPLUG, VShell, FScan

Source:CrowdStrike


What Happened

Cyberattacks against the financial services industry have increased significantly, with adversaries targeting banks, insurance companies, and cryptocurrency platforms. eCrime actors rely on extortion, while state-sponsored groups from North Korea steal digital assets at the scale of billions of dollars and China-nexus groups collect economic intelligence. Initial access leans on convincing social engineering, such as fake job interviews, and on compromised software updates. Financial organizations should improve their ability to detect unusual activity on endpoints and in cloud identity, and should plan for increasingly sophisticated attacks.

Key Takeaways

  • Hands-on-keyboard intrusions against financial institutions increased by 43% globally over the past two years.
  • DPRK-nexus groups stole $2.02 billion in digital assets, with PRESSURE CHOLLIMA executing a $1.46 billion supply chain compromise.
  • eCrime big game hunting (BGH) named 423 financial entities on leak sites, representing a 27% increase.
  • China-nexus actors heavily targeted financial entities in South and Southeast Asia for intelligence collection using ORB networks and DLL hijacking.
  • Adversaries are increasingly using advanced social engineering, including recruiter impersonation and synthetic video environments.

Affected Systems

  • Financial services
  • Cryptocurrency exchanges
  • Fintech platforms
  • Insurance entities
  • Traditional banks
  • Internal payment systems
  • Microsoft 365 cloud environments

Attack Chain

Adversaries targeting the financial sector use a variety of initial access techniques, including financial transaction-themed phishing lures, recruiter impersonation, and supply chain compromises. Once inside, China-nexus groups use DLL search-order hijacking to load implants such as KEYPLUG or VShell under a legitimate signed host process. Attackers then move laterally toward internal payment systems, cloud environments such as Microsoft 365, or cryptocurrency wallets. The final stages are large-scale data theft for extortion, fraudulent transactions, or the direct theft of digital assets.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article is a strategic threat landscape report and does not provide specific detection rules or queries.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions are well placed to detect DLL search-order hijacking, unauthorized remote access tools, and anomalous process executions such as FScan.
  • Network Visibility: Medium. Network telemetry can surface C2 communications and ORB network traffic, though encrypted channels and compromised legitimate infrastructure may obscure malicious activity.
  • Detection Difficulty: Moderate. Tools such as FScan and KEYPLUG have known behavioral signatures, but advanced social engineering, ORB networks, and supply chain compromises are difficult to detect proactively.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Image Load (Sysmon 7)
  • Cloud Audit Logs (M365/Entra ID)
  • Network Flow Logs

Hunting Hypotheses

  • Hypothesis: Hunt for anomalous DLL loads in unusual directories to identify potential DLL search-order hijacking associated with KEYPLUG deployments.
    Telemetry: Image Load (Sysmon Event ID 7). ATT&CK Stage: Defense Evasion. FP Risk: Medium.
  • Hypothesis: Monitor Microsoft 365 audit logs for impossible travel or logins from known Operational Relay Box (ORB) IP ranges.
    Telemetry: Cloud Audit Logs. ATT&CK Stage: Initial Access. FP Risk: Low.
  • Hypothesis: Look for the execution of known network scanning utilities like FScan originating from unexpected servers or user endpoints.
    Telemetry: Process Creation. ATT&CK Stage: Discovery. FP Risk: Low.
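The first and third hypotheses above (unsigned or out-of-place DLL loads, and FScan executions from hosts that are not sanctioned scanners) can be turned into a first-pass hunt over exported Sysmon telemetry. The following is an added example written for this summary, not code from CrowdStrike or from the report. The event records are constructed; the field names (Image, ImageLoaded, Signed, SignatureStatus, CommandLine, Computer) follow Sysmon's event schema, and the trusted-directory and hijack-name lists are assumptions to be tuned to your estate.

```python
import re
from pathlib import PureWindowsPath

# Directories from which Windows normally serves DLLs. A DLL loaded into a signed
# process from anywhere else deserves a look (T1574.001). Constructed allow-list;
# extend it with your own software-distribution paths before use.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\program files",
    r"c:\program files (x86)",
)

# System DLL names that hijack loaders frequently shadow beside a signed host
# binary. Constructed list, not taken from the report.
COMMON_HIJACK_NAMES = {
    "version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll",
    "cryptbase.dll", "msimg32.dll", "dwmapi.dll", "profapi.dll",
}

SCANNER_NAMES = {"fscan.exe", "fscan64.exe", "fscan32.exe"}
# FScan's target flag is "-h <ip or CIDR>". Matching the command line catches a
# renamed binary that a name-only rule would miss.
FSCAN_TARGET_RE = re.compile(r"(?:^|\s)-h\s+\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?")


def _under_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def hunt_dll_hijack(events):
    """Return suspicious Sysmon Event ID 7 (image load) records.

    An image load is flagged when the DLL is unsigned (or its signature is not
    valid) or is loaded from outside TRUSTED_DLL_DIRS. A third reason is added
    when the DLL sits in the same directory as the loading EXE and carries a
    well-known system DLL name, the classic search-order hijack layout.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        dll, exe = ev.get("ImageLoaded", ""), ev.get("Image", "")
        reasons = []
        if not (ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"):
            reasons.append("unsigned-or-invalid-signature")
        if not _under_trusted_dir(dll):
            reasons.append("untrusted-directory")
        if not reasons:
            continue
        dll_path, exe_path = PureWindowsPath(dll), PureWindowsPath(exe)
        same_dir = str(dll_path.parent).lower() == str(exe_path.parent).lower()
        if same_dir and dll_path.name.lower() in COMMON_HIJACK_NAMES:
            reasons.append("shadows-system-dll-beside-exe")
        hits.append({"host": ev.get("Computer"), "image": exe, "dll": dll, "reasons": reasons})
    return hits


def hunt_scanner_exec(events, sanctioned_hosts=frozenset()):
    """Return Sysmon Event ID 1 (process creation) records that look like FScan
    runs from hosts that are not sanctioned vulnerability scanners."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        host = ev.get("Computer", "")
        if host.lower() in sanctioned_hosts:
            continue
        name = PureWindowsPath(ev.get("Image", "")).name.lower()
        cli = ev.get("CommandLine", "")
        if name in SCANNER_NAMES or FSCAN_TARGET_RE.search(cli):
            hits.append({"host": host, "user": ev.get("User"), "cmd": cli})
    return hits


# Constructed sample telemetry in the shape of a JSON export of Sysmon events.
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "FIN-WS-042",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\Update\vendor_updater.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\Update\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Computer": "FIN-WS-042",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 1, "Computer": "FIN-WS-042", "User": r"CORP\jdoe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "CommandLine": "svc.exe -h 10.20.0.0/24 -p 445,3389 -np"},
    {"EventID": 1, "Computer": "SEC-SCAN-01", "User": r"CORP\svc_vuln",
     "Image": r"C:\Tools\fscan64.exe",
     "CommandLine": "fscan64.exe -h 10.20.0.0/16"},
]

if __name__ == "__main__":
    for hit in hunt_dll_hijack(SAMPLE_EVENTS):
        print("DLL hijack candidate:", hit)
    for hit in hunt_scanner_exec(SAMPLE_EVENTS, sanctioned_hosts={"sec-scan-01"}):
        print("Scanner from unexpected host:", hit)
```

The DLL hunt is the medium-FP row of the table for a reason: plenty of legitimate software ships unsigned DLLs beside its own signed executable, so the "shadows-system-dll-beside-exe" reason is the one worth alerting on first and the other two are better used for baselining per application. The scanner hunt deliberately keys on FScan's target syntax rather than only the file name, since a renamed binary is the common case on a compromised host.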

Control Gaps

  • Lack of robust identity verification for remote hiring and interviews
  • Insufficient monitoring of third-party software updates (supply chain risks)

Key Behavioral Indicators

  • Execution of FScan or similar network scanners
  • Unsigned DLLs loaded by legitimate signed executables
  • M365 logins from highly distributed, anomalous IP addresses
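The last indicator above, and the impossible-travel hypothesis in the hunting table, can both be checked against an export of Entra ID sign-in logs. The following is an added example written for this summary, not code from CrowdStrike or the report. The sign-in records are constructed in the shape of the Microsoft Graph signIn resource (userPrincipalName, ipAddress, createdDateTime, status.errorCode, location.geoCoordinates); the speed and dispersion thresholds are assumptions, and grouping by IPv4 /24 is a cheap stand-in for "different source network" where no ASN lookup is available.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MAX_PLAUSIBLE_KMH = 900.0           # about airliner speed; faster means two sources
MIN_DISTANCE_KM = 100.0             # ignore geolocation jitter inside one metro area
DISPERSION_WINDOW = timedelta(hours=24)
DISPERSION_THRESHOLD = 4            # distinct /24s per user per window before flagging


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def _row(ev):
    geo = ev["location"]["geoCoordinates"]
    ts = datetime.fromisoformat(ev["createdDateTime"].replace("Z", "+00:00"))
    return ts, ev["userPrincipalName"], ev["ipAddress"], geo["latitude"], geo["longitude"]


def find_impossible_travel(signins):
    """Consecutive successful sign-ins by one user that would require travelling
    faster than MAX_PLAUSIBLE_KMH between the two geolocated source IPs."""
    by_user = defaultdict(list)
    for ev in signins:
        if ev.get("status", {}).get("errorCode", 0) != 0:
            continue                                 # failed attempts are not travel
        ts, user, ip, lat, lon = _row(ev)
        by_user[user].append((ts, ip, lat, lon))
    hits = []
    for user, rows in by_user.items():
        rows.sort()
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if km >= MIN_DISTANCE_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                hits.append({"user": user, "from": ip1, "to": ip2,
                             "km": round(km), "hours": round(hours, 2)})
    return hits


def find_ip_dispersion(signins, window=DISPERSION_WINDOW, threshold=DISPERSION_THRESHOLD):
    """Users whose sign-ins (successful or not) come from at least `threshold`
    distinct IPv4 /24 networks inside any `window`-long span, the pattern an
    ORB network of residential exit nodes tends to produce."""
    by_user = defaultdict(list)
    for ev in signins:
        ts, user, ip, _, _ = _row(ev)
        if ip_address(ip).version != 4:
            continue                                 # IPv6 needs a different grouping
        by_user[user].append((ts, str(ip_network(f"{ip}/24", strict=False))))
    hits = []
    for user, rows in by_user.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            nets = {net for ts, net in rows[i:] if ts - t0 <= window}
            if len(nets) >= threshold:
                hits.append({"user": user, "window_start": t0.isoformat(),
                             "distinct_24s": sorted(nets)})
                break                                # one finding per user is enough
    return hits


# Constructed sample sign-ins; documentation ranges only, coordinates for NYC / Singapore.
def _signin(user, ip, when, lat, lon, error=0):
    return {"userPrincipalName": user, "ipAddress": ip, "createdDateTime": when,
            "status": {"errorCode": error},
            "location": {"geoCoordinates": {"latitude": lat, "longitude": lon}}}

NYC, SGP = (40.7128, -74.0060), (1.3521, 103.8198)
SAMPLE_SIGNINS = [
    _signin("alice@example.com", "198.51.100.23", "2026-05-01T09:00:00Z", *NYC),
    _signin("alice@example.com", "203.0.113.77", "2026-05-01T09:30:00Z", *SGP, error=50126),
    _signin("alice@example.com", "203.0.113.77", "2026-05-01T10:30:00Z", *SGP),
    _signin("bob@example.com", "192.0.2.10", "2026-05-01T01:00:00Z", *NYC),
    _signin("bob@example.com", "198.51.100.7", "2026-05-01T02:00:00Z", *NYC),
    _signin("bob@example.com", "203.0.113.44", "2026-05-01T03:00:00Z", *NYC),
    _signin("bob@example.com", "198.18.5.9", "2026-05-01T04:00:00Z", *NYC),
    _signin("bob@example.com", "100.64.3.3", "2026-05-01T05:00:00Z", *NYC),
    _signin("carol@example.com", "192.0.2.10", "2026-05-01T08:00:00Z", *NYC),
    _signin("carol@example.com", "192.0.2.10", "2026-05-01T12:00:00Z", *NYC),
]

if __name__ == "__main__":
    print("impossible travel:", find_impossible_travel(SAMPLE_SIGNINS))
    print("dispersed sources:", find_ip_dispersion(SAMPLE_SIGNINS))
```

In the sample, alice trips the travel check (New York to Singapore in 90 minutes; her failed attempt in between is ignored because it proves nothing about where she is), bob trips the dispersion check (five /24s in five hours with the same geolocation, which is how a proxy network that geolocates to one region can still look wrong), and carol trips neither. Known ORB or VPN egress ranges, where you have them, are a far higher-signal input than either heuristic and should be joined in before alerting.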

False Positive Assessment

  • Low overall. The DLL-load hunt is the exception at medium, because legitimate software routinely ships unsigned DLLs beside its own signed executable; baseline that hunt per application before alerting on it.

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider reviewing Microsoft 365 access logs for anomalous logins or unauthorized mailbox access.

Infrastructure Hardening

  • Evaluate implementing strict application control to prevent the execution of unauthorized tools like FScan.
  • Consider enforcing Phishing-Resistant MFA across all external-facing services and cloud environments where supported.

User Protection

  • Ensure EDR agents are deployed to all endpoints so that DLL search-order hijacking and unauthorized remote access tools are visible.

Security Awareness

  • Consider training HR and recruitment teams on the risks of synthetic video environments and recruiter impersonation.
  • Evaluate rolling out awareness campaigns focused on financial transaction-themed phishing lures.

MITRE ATT&CK Mapping

  • T1566 - Phishing
  • T1195 - Supply Chain Compromise
  • T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking
  • T1078.004 - Valid Accounts: Cloud Accounts
  • T1090.002 - Proxy: External Proxy