Mallory
7 malware families

EvilCorp

Also known as: evilcorp

EvilCorp is a financially motivated cybercrime group with reported connections to the Russian government. According to the cited reporting, the group is sanctioned in connection with those ties, which carries sanctions implications for ransom payments. The reporting links EvilCorp to ransomware and intrusion activity and associates it with UNC2165 and with Microsoft's DEV-0243 / Manatee Tempest naming; the alias Indrik Spider is also referenced.

The group is described as tied to, or having descended into, multiple ransomware lines. The reporting states that DoppelPaymer evolved from EvilCorp and that Grief is an offshoot of DoppelPaymer, which places Grief in EvilCorp's broader lineage. Separately, Mandiant is cited as associating UNC2165/EvilCorp activity with use of LockBit ransomware, with EvilCorp allegedly deploying LockBit payloads without LockBit's consent in order to evade sanctions.

EvilCorp-associated activity is also linked to malware delivery and persistence tooling. SocGholish / FAKEUPDATES is described as a key initial access vector used by major ransomware groups, including those linked to EvilCorp. ViperTunnel, a Python backdoor observed in UK and US business networks, is assessed as likely tied to UNC2165, a cluster closely linked to EvilCorp; it is often deployed after SocGholish infections, establishes persistent access, creates a SOCKS5 proxy over port 443, abuses Python's sitecustomize.py for execution, and is often used alongside the ShadowCoil credential stealer.

Ecosystem relationships are also noted: Prodaft reporting mentioned a possible association between Mikhail Matveev/Wazawaka and EvilCorp, and reporting on LockBit infiltration cited alleged ties between LockBit affiliate structures and FIN7, Wizard Spider, and EvilCorp. Additional context describes EvilCorp as a prominent Russian cybercriminal group that has publicly flaunted its wealth in Moscow.
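The sitecustomize.py abuse mentioned above works because CPython imports a module named `sitecustomize` (and, if enabled, `usercustomize`) automatically at interpreter start-up whenever one is found on `sys.path`, so a file dropped into a site-packages directory runs every time any Python program starts. The following hunt script is an added example, not part of this profile or of Mallory's tooling; it inventories such start-up hooks under the interpreter's own search roots (or roots given on the command line) and reports their SHA-256 for comparison against a known-good baseline. Covering usercustomize.py as well is this example's own extension, not something the reporting above describes.

```python
"""Inventory Python start-up hooks (sitecustomize.py / usercustomize.py).

Any file with one of these names on sys.path is imported automatically
when the interpreter starts, which makes it a convenient execution and
persistence point. This script lists every such file under the given
roots with its size and SHA-256 so it can be reviewed against a baseline.
"""
import hashlib
import os
import site
import sys
from dataclasses import dataclass

# Module names CPython imports automatically at start-up.
STARTUP_HOOKS = ("sitecustomize.py", "usercustomize.py")


@dataclass
class Finding:
    path: str
    size: int
    sha256: str


def sha256_file(path):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_startup_hooks(roots):
    """Walk each root and return every start-up hook file found, sorted by path."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name in STARTUP_HOOKS:
                    full = os.path.join(dirpath, name)
                    findings.append(Finding(full, os.path.getsize(full), sha256_file(full)))
    return sorted(findings, key=lambda f: f.path)


def interpreter_search_roots():
    """Directories where the running interpreter would actually pick up a hook."""
    roots = set(getattr(site, "getsitepackages", lambda: [])())
    roots.add(site.getusersitepackages())
    roots.update(p for p in sys.path if p and os.path.isdir(p))
    return sorted(r for r in roots if os.path.isdir(r))


if __name__ == "__main__":
    # Roots from the command line override the interpreter's own search path.
    for finding in find_startup_hooks(sys.argv[1:] or interpreter_search_roots()):
        print(f"{finding.sha256}  {finding.size:>8}  {finding.path}")
```

Any hook the script reports should be explained by a legitimate package or by local configuration management; an unexplained one warrants review of its contents and of who wrote it.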

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

MITRE ATT&CK

Tradecraft

6 distinct techniques observed across reporting, grouped by tactic.

5 of 15 tactics, 6 techniques. ×N marks the number of intelligence reports citing a technique.
TA0001 Initial Access, 1 technique
  T1189 Drive-by Compromise

TA0005 Stealth, 2 techniques
  T1027 Obfuscated Files or Information
  T1036 Masquerading

TA0011 Command and Control, 1 technique
  T1090 Proxy (×2)

TA0010 Exfiltration, 1 technique
  T1041 Exfiltration Over C2 Channel

TA0040 Impact, 1 technique
  T1486 Data Encrypted for Impact
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (6)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (7)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.