Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
3 malware familiesExploits CVEs in the wild

Hades

Also known ashades

Hades is referenced in the provided content as both a ransomware actor/family and an APT/intrusion-set name, and the available information is not sufficient to fully disambiguate all uses. High-confidence reporting in the content shows Hades was identified by Infoblox as one of several ransomware groups that used SocGholish/FakeUpdates infections as an entry point. Separately, Socket Threat Research tracks a broader software supply-chain campaign across the Mini Shai-Hulud, Miasma, and Hades threat clusters; in that reporting, the Hades-family payload is delivered via malicious npm and PyPI artifacts and harvests secrets from developer workstations and CI/CD environments, including package-registry tokens, cloud credentials, Kubernetes material, SSH keys, Docker configurations, shell histories, .env files, and AI developer tool configurations. The content also describes Hades as an elusive, highly dynamic threat actor in NSA reporting on exploitation of Exim CVE-2019-10149 for potentially large-scale mass access. Additional reporting in the content associates Hades with Russia-nexus activity: Kaspersky’s Q2 2019 summary refers to Sofacy/Hades as a Russian-speaking APT grouping, and other cited material says activity resembled earlier “hack and leak” campaigns associated with SOFACY and HADES. One cited source says researchers connected OlympicDestroyer with Hades, and another says Hades is possibly connected to Sofacy and notable for being behind Olympic Destroyer, ExPetr, and disinformation campaigns such as the Macron leaks. The content also mentions Hades among APT actors exploiting COVID-19-themed lures. Known alias in the provided content: hades. Related or associated names mentioned in the content include Sofacy and the sub-clusters Mini Shai-Hulud and Miasma.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

26 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics38 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
3 techniques
T1078
Valid Accounts
T1190
Exploit Public-Facing Application
T1195×4
Supply Chain Compromise
TA0002
Execution
5 techniques
T1059
Command and Scripting Interpreter
T1059.007×2
JavaScript
T1106
Native API
T1129
Shared Modules
T1203
Exploitation for Client Execution
T1574×2
Hijack Execution Flow
T1574.008
Path Interception by Search Order Hijacking
TA0003
Persistence
4 techniques
T1037
Boot or Logon Initialization Scripts
T1078
Valid Accounts
T1543
Create or Modify System Process
T1546
Event Triggered Execution
TA0004
Privilege Escalation
5 techniques
T1037
Boot or Logon Initialization Scripts
T1055
Process Injection
T1078
Valid Accounts
T1543
Create or Modify System Process
T1546
Event Triggered Execution
TA0005
Stealth
6 techniques
T1027×3
Obfuscated Files or Information
T1027.016
Junk Code Insertion
T1036×2
Masquerading
T1055
Process Injection
T1078
Valid Accounts
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
T1574×2
Hijack Execution Flow
T1574.008
Path Interception by Search Order Hijacking
TA0006
Credential Access
3 techniques
T1528
Steal Application Access Token
T1555×3
Credentials from Password Stores
T1649
Steal or Forge Authentication Certificates
TA0007
Discovery
1 technique
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
TA0008
Lateral Movement
1 technique
T1570
Lateral Tool Transfer
TA0009
Collection
1 technique
T1119
Automated Collection
TA0011
Command and Control
1 technique
T1105×3
Ingress Tool Transfer
TA0010
Exfiltration
1 technique
T1567
Exfiltration Over Web Service
TA0040
Impact
1 technique
T1485
Data Destruction
ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
HadesOnce executed via any of the three delivery branches, the Hades-family payload aggressively harvests secrets from developer workstations and CI/CD environments.1Jun 9, 2026
OlympicDestroyerIn the past, we have seen sophisticated attacks such as OlympicDestroyer confusing the industry and complicating attribution.1Mar 18, 2026
Shai-HuludA new wave of the Shai-Hulud supply chain campaign, adding 23 newly discovered malicious PyPI package-version artifacts to an already alarming operation that previously compromised 37 packages.1Jun 9, 2026
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2019-10149Exim deliver_message() recipient address validation RCEIn the wildEvidence1

On May 28, the US National Security Agency (NSA) published an alert detailing the use by Hades of an Exim vulnerability (CVE-2019-10149) for what appears to be a potentially large hacking operation designed for mass access.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
the record mediaNews
Jun 19, 2026
Police raid malware network tied to Russia's Evil Corp hacker group | The Record from Recorded Future News

Named as one of several ransomware groups that used SocGholish infections as an entry point for follow-on attacks.

Read more
register securityNews
Jun 14, 2026
AI is code - and can't be prompted into being smarter

A payload associated with the reported worm activity, protected by anti-analysis prompt-injection style comments intended to disrupt AI-assisted malware scanning.

Read more
cyber security newsNews
Jun 9, 2026
New Shai-Hulud Attack Compromises 23 PyPI Packages to Target MCP Developers

Threat cluster in the Shai-Hulud supply chain campaign associated with payloads that steal secrets from developer workstations and CI/CD environments.

Read more
sekoia blogNews
Jun 22, 2022
CALISTO continues its credential harvesting campaign

Referenced as a Russia-nexus intrusion set previously associated with hack-and-leak campaigns between 2015 and 2019.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping26

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.