Financially Motivated41 malware familiesExploits CVEs in the wild

Indrik Spider

Also known asDEV-0206DEV-0243Evil CorpGOLD PRELUDEgold_drakeINDRIK SPIDERManatee TempestMustard TempestTA569UNC1543UNC2165

Indrik Spider is a financially motivated, Russia-based cybercriminal threat actor tracked under aliases including Evil Corp, Gold Drake, Gold Prelude, Manatee Tempest, Mustard Tempest, DEV-0206, DEV-0243, TA569, UNC1543, and UNC2165. The content directly links Indrik Spider/Evil Corp to the Dridex malware ecosystem and describes Evil Corp as a Russia-based cybercriminal group sanctioned by the U.S. Treasury in December 2019. Multiple sources in the content state that U.K. authorities assess links between the actors and the Russia-based group Evil Corp, and that the FSB cultivates and co-opts criminal hackers including Evil Corp. The group is associated in the content with ransomware operations including BitPaymer, WastedLocker, Hades, Grief, Macaw Locker, and Phoenix, with reporting that Hades superseded WastedLocker to circumvent OFAC sanctions and that Evil Corp later shifted toward using ransomware-as-a-service offerings such as LockBit to hinder attribution and reduce sanctions pressure. Operationally, the content states that Indrik Spider used fake Flash Player and Google Chrome updates as initial infection vectors and served fake updates via compromised legitimate websites. It used malicious JavaScript files in several attack components and PowerShell Empire for malware execution. The actor performed reconnaissance using implants and remote execution via WMIC/WMI, and used RDP for lateral movement. For credential access and collection, the content states that Indrik Spider searched files to obtain and exfiltrate credentials, stored collected data in .tmp files, and used a service account to extract copies of the Security registry hive. For defense evasion, it used batch scripts, PsExec to leverage Windows Defender settings to disable scanning of downloaded files and restrict real-time monitoring, MpCmdRun to revert Microsoft Defender definitions, and WMI to stop, uninstall, or reset antivirus products and other defensive services. The content also notes overlaps between Evil Corp and clusters such as UNC2165, including use of the FakeUpdate infection chain, Hades ransomware, Beacon payloads, and shared command-and-control infrastructure. Reporting cited in the content identifies DEV-0243 activity as falling under Evil Corp and states that UNC2165 has numerous overlaps with Evil Corp. Known associated sub-groups or rebrands mentioned in the content include Grief and Phoenix.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

61 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

15 of 15 tactics76 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

1 technique

T1595×2

Active Scanning

TA0042

Resource Development

2 techniques

T1584

Compromise Infrastructure

T1608

Stage Capabilities

T1608.001

Upload Malware

T1608.002

Upload Tool

TA0001

Initial Access

5 techniques

T1078

Valid Accounts

T1078.004

Cloud Accounts

T1189×3

Drive-by Compromise

T1190

Exploit Public-Facing Application

T1195

Supply Chain Compromise

T1566×3

Phishing

T1566.001×3

Spearphishing Attachment

T1566.002×2

Spearphishing Link

TA0002

Execution

6 techniques

T1047×3

Windows Management Instrumentation

T1059×3

Command and Scripting Interpreter

T1059.001×4

PowerShell

T1059.003×2

Windows Command Shell

T1059.005

Visual Basic

T1059.007

JavaScript

T1129

Shared Modules

T1203

Exploitation for Client Execution

T1204

User Execution

T1204.001

Malicious Link

T1204.002×5

Malicious File

T1574

Hijack Execution Flow

TA0003

Persistence

3 techniques

T1078

Valid Accounts

T1078.004

Cloud Accounts

T1112×2

Modify Registry

T1136

Create Account

TA0004

Privilege Escalation

3 techniques

T1078

Valid Accounts

T1078.004

Cloud Accounts

T1484

Domain or Tenant Policy Modification

T1484.001

Group Policy Modification

T1548

Abuse Elevation Control Mechanism

TA0005

Stealth

6 techniques

T1027

Obfuscated Files or Information

T1036

Masquerading

T1036.003

Rename Legitimate Utilities

T1078

Valid Accounts

T1078.004

Cloud Accounts

T1480

Execution Guardrails

T1480.001

Environmental Keying

T1564

Hide Artifacts

T1564.006

Run Virtual Instance

T1574

Hijack Execution Flow

TA0112

Defense Impairment

2 techniques

T1112×2

Modify Registry

T1484

Domain or Tenant Policy Modification

T1484.001

Group Policy Modification

TA0006

Credential Access

3 techniques

T1003

OS Credential Dumping

T1056

Input Capture

T1056.001

Keylogging

T1056.003

Web Portal Capture

T1555

Credentials from Password Stores

TA0007

Discovery

3 techniques

T1012×2

Query Registry

T1018

Remote System Discovery

T1082×2

System Information Discovery

TA0008

Lateral Movement

2 techniques

T1021

Remote Services

T1021.001

Remote Desktop Protocol

T1021.002

SMB/Windows Admin Shares

T1210

Exploitation of Remote Services

TA0009

Collection

4 techniques

T1056

Input Capture

T1056.001

Keylogging

T1056.003

Web Portal Capture

T1074

Data Staged

T1113

Screen Capture

T1185

Browser Session Hijacking

TA0011

Command and Control

3 techniques

T1071×2

Application Layer Protocol

T1095

Non-Application Layer Protocol

T1105×2

Ingress Tool Transfer

TA0010

Exfiltration

3 techniques

T1048

Exfiltration Over Alternative Protocol

T1537

Transfer Data to Cloud Account

T1567

Exfiltration Over Web Service

T1567.002×3

Exfiltration to Cloud Storage

TA0040

Impact

4 techniques

T1485

Data Destruction

T1486×12

Data Encrypted for Impact

T1565

Data Manipulation

T1657

Financial Theft

ARSENAL

Associated malware families

41 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

SocGholishWe also now increasingly observe this vulnerability within attack chains of threat actors that rely on compromising legitimate websites via web inject, such as TA569 (SocGholish).11May 27, 2026

WastedLockerIn DEV-0243’s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker...11May 26, 2026

DridexThe agency established sanctions for paying ransoms to specific threat groups identified by OFAC and designated sanctions against actors linked to Cryptolocker, SamSam, WannaCry (linked to the Lazarus Group) and Dridex (linked to Evil Corp.).9May 26, 2026

LockBitAround November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. ... In a notable shift ... DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.8May 26, 2026

Cobalt StrikeThis industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks. Within this category ... attackers using off-the-shelf tools, such as Cobalt Strike...6May 26, 2026

36 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence3

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2024-37085VMware ESXi Active Directory Integration Authentication BypassIn the wildEvidence1

The vulnerability, identified as CVE-2024-37085, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation... VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named “ESX Admins” to have full administrative access by default.

CVE-2025-8088WinRAR Windows Path Traversal via NTFS Alternate Data StreamsIn the wildEvidence1

GTIG identified UNC2165... leveraging CVE-2025-8088 to distribute malware in mid-July 2025.

CVE-2026-41940cPanel & WHM Authentication Bypass via Session-File CRLF InjectionIn the wildEvidence1

CVE-2026-41940, the cPanel authentication bypass, illustrates the opportunistic mass-exploitation pattern most clearly. What began as exploratory probing evolved into a multi-actor campaign combining ransomware deployment, website defacement, and — in at least one documented case — targeted cyber-espionage.

IOCS

Observables

448 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

448 IOCsView more in app

hash.sha256

202 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+194

Domains

127 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+119

ip.v4

63 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+55

hash.md5

25 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+17

Email addresses

16 total

••••@•••••.••••••••@••••••.•••••••••@•••••••.••••••••••@••••••••.•••••••••••@•••••.•••••••@••••••.••••••••@•••••••.•••••••••@••••••••.•••+8

uri

15 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+7

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

proofpointNews

May 26, 2026

More CVEs, Same Playbook: 2026 Vulnerability Exploitation in the Wild | Proofpoint US

Uses compromised legitimate websites and web inject-based attack chains, leveraging non-malicious email communications to direct victims to compromised assets.

splunk researchNews

Apr 22, 2026

Detection: PowerShell PInvoke Process Injection API Chain | Splunk Security Content

Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.

splunk researchNews

Apr 20, 2026

Detection: PowerShell Environment Variable Execution | Splunk Security Content

Listed as a threat actor associated with PowerShell execution behavior relevant to this detection analytic.

splunk researchNews

Apr 16, 2026

Detection: Windows Anomalous Registry Value Length in Environment Key | Splunk Security Content

Referenced as a threat actor associated with registry modification behavior (MITRE ATT&CK T1112: Modify Registry) in the context of this detection analytic.

+195 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping61

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal41

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs4

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables448

Domains, IPs, and hashes tied to this actor, refreshed continuously.