Financially Motivated2 malware families

SCULLY SPIDER

Also known asSCULLY SPIDER

SCULLY SPIDER is a cybercrime group. CrowdStrike described it as operating a malware-as-a-service model in which the group maintains command-and-control infrastructure and sells access to its malware and infrastructure to affiliates, who then distribute their own malware. Public reporting cited here also lists SCULLY SPIDER among eCrime relationships. A Five Eyes joint advisory on Russian state-sponsored and criminal cyber threats to critical infrastructure identified SCULLY SPIDER as one of several Russian-aligned cybercrime groups that pose a threat to critical infrastructure organizations, alongside groups including The CoomingProject, Killnet, Mummy Spider, Salty Spider, Smokey Spider, Wizard Spider, and The Xaknet Team. The content does not provide additional high-confidence detail on specific victim sectors, malware families, or sub-groups beyond that characterization.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics3 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1566

Phishing

TA0040

Impact

2 techniques

T1486

Data Encrypted for Impact

T1498×2

Network Denial of Service

ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

DanaBotSCULLY SPIDER develops and operates the DanaBot botnet, which originated primarily as a banking Trojan but expanded beyond banking in 2021 and has since been used to facilitate access for other types of malware, including TrickBot, DoppelDridex, and Zloader.2May 26, 2026

RhadamanthysProofpoint in April, who suspected TA547 (aka "Scully Spider") of deploying an AI-written PowerShell loader for their final payload, Rhadamanthys info-stealer.1Mar 18, 2026

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

malpediaNews

May 14, 2026

Turla (Threat Actor)

Named threat actor referenced in global threat reporting.

cso onlineNews

Apr 21, 2022

New Five Eyes alert warns of Russian threats targeting critical infrastructure | CSO Online

Russian cybercriminal group highlighted in the alert as part of the broader Russian cyber threat landscape.

Apr 21, 2022

Five Eyes fear fresh Russian attacks against infrastructure

Russian cybercrime group named in the alert as a threat to foreign targets and critical infrastructure.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.