Mallory
Financially Motivated | 3 malware families

Twisted Spider

Also known as: twisted_spider

TWISTED SPIDER is a financially motivated eCrime threat actor associated with big game hunting ransomware and data extortion. Source reporting links the group to Maze and Egregor and states that TWISTED SPIDER adopted data-leak extortion tactics in November 2019; CrowdStrike singled out this adoption as a key 2020 trend that catalyzed broader use of data extortion by ransomware actors. CrowdStrike reported that TWISTED SPIDER was the most prolific healthcare-targeting big game hunting actor in 2020, achieving at least 26 healthcare infections that year, predominantly in the United States, using Maze and Egregor. Source reporting also states that TWISTED SPIDER is part of the "Maze Cartel" alongside VIKING SPIDER and LockBit operators; another reference lists TWISTED SPIDER among the members alongside VIKING SPIDER, the LockBit gang, and the SunCrypt gang. EclecticIQ assessed with high confidence that the Russian-speaking, financially motivated actor LUNAR SPIDER maintains affiliations with TA2101 (aka TWISTED SPIDER), and that TWISTED SPIDER has leveraged LUNAR SPIDER's IcedID malware to gain initial access to victim environments. One reference also maps Storm-0216 to the financially motivated TWISTED SPIDER and UNC2198.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (3)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.