Hades
Hades is a malware name used in the provided content primarily for a ransomware family associated with Evil Corp, also tracked as INDRIK SPIDER / GOLD DRAKE, and in some reporting linked to UNC2165 deployments. Multiple sources in the content state that Evil Corp adopted or developed Hades after U.S. Treasury OFAC sanctions, superseding or replacing WastedLocker in order to hinder attribution and circumvent sanctions-related payment restrictions. The content also notes Phoenix/Phoenix Locker as a variant or spinoff of Hades in some reporting.
For ransomware operations, the content states Hades was deployed in targeted intrusions, including attacks where UNC2165 used the FakeUpdate/SocGholish infection chain for access and in some cases stolen credentials as the initial access vector. During Hades attacks, GOLD DRAKE reportedly made extensive use of Cobalt Strike and post-exploitation tooling including Mimikatz, Advanced Port Scanner, PsExec, Metasploit, MSBuild, batch scripts to stop services and clear event logs, RDP, reverse SOCKS proxies, and MEGASync for data exfiltration. The content also states Hades was used in multiple attacks, including one against Forward Air.
The provided content also includes a distinct 2026 report describing a newly identified malware variant named Hades attributed to the Mini Shai-Hulud / Miasma lineage in a PyPI supply-chain campaign. In that reporting, Hades abuses Python .pth startup hooks so code executes when the Python interpreter initializes, even if the package is never imported. The loader installs the Bun JavaScript runtime and executes an obfuscated _index.js payload. Reported capabilities include theft of AWS credentials, GCP service account keys and project IDs, Azure Key Vault data, Kubernetes service account tokens, HashiCorp Vault access codes, CircleCI secrets, Docker config.json, GitHub tokens, GitLab keys, SSH private keys, package-manager credentials (.npmrc, .pypirc, RubyGems, JFrog), Anthropic API tokens, Claude/MCP configurations, .env files, shell histories, and localized crypto wallets. That variant reportedly exfiltrates data to attacker-created GitHub repositories via authenticated API calls such as POST /user/repos, stores encrypted results in paths like results/results-<timestamp>-<counter>.json, generates decoy HTTPS traffic to api.anthropic.com/v1/api, and establishes persistence via gh-token-monitor files, systemd user services on Linux, and LaunchAgents on macOS. Additional reported identifiers include the repository description "Hades - The End for the Damned," the commit flag string "IfYouYankThisTokenItWillNukeTheComputerOfTheOwnerFully," and a GitHub Actions fallback using artifact name format-results and workflow name Run Copilot.
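As an added defensive example (not code from the original reporting or from any vendor tool), the scanner below lists the `.pth` lines that `site.py` would execute at interpreter start, which is the startup hook the PyPI Hades variant is reported to abuse; the sample `.pth` body and the loader-hint keyword list are constructed assumptions for illustration.

```python
import site
from pathlib import Path

# site.py executes a .pth line only when it starts with "import " or "import\t";
# any other non-comment line is just a directory appended to sys.path.
_EXEC_PREFIX = ("import ", "import\t")
# Substrings rare in the few legitimate hooks (setuptools' distutils-precedence.pth,
# virtualenv's _virtualenv.pth) but typical of loaders that decode or spawn a payload.
_LOADER_HINTS = ("exec(", "eval(", "base64", "subprocess", "os.system",
                 "urllib", "socket", "__import__", "compile(")

# Constructed sample .pth body (not from any real package): a comment, a path
# entry, a benign-looking hook, a loader-like hook, and an indented "import"
# that site.py treats as a path entry rather than code.
SAMPLE_PTH = "\n".join([
    "# comment lines are ignored by site.py",
    "/opt/example/lib",
    "import sys; sys.path.insert(0, '/opt/example/plugins')",
    "import base64, subprocess; exec(base64.b64decode('...'))",
    "   import os",
])

def executable_pth_lines(text):
    """Return [(line_no, line, hints)] for every line site.py would execute."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line.startswith(_EXEC_PREFIX):
            hits.append((n, line, [h for h in _LOADER_HINTS if h in line]))
    return hits

def scan_pth_files(dirs=None):
    """Map each .pth file that contains executable lines to its findings."""
    if dirs is None:  # default: system and per-user site-packages
        dirs = list(getattr(site, "getsitepackages", lambda: [])())
        dirs.append(site.getusersitepackages())
    findings = {}
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            try:
                hits = executable_pth_lines(pth.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                findings[str(pth)] = hits
    return findings

if __name__ == "__main__":
    for path, hits in scan_pth_files().items():
        print(path, hits)
```

Legitimate import hooks do exist (setuptools and virtualenv ship them), so treat every hit as a triage lead and the loader hints as a prioritisation aid, not as proof of compromise.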
The content also contains references to a separate threat actor called Hades in APT reporting, including claims of exploitation of Exim CVE-2019-10149 and possible links to Sofacy-related activity. Because the supplied material uses the same name for multiple distinct malware/threat contexts, attribution should be handled carefully. High-confidence associations directly supported by the content are that Hades is widely recognized as an Evil Corp-linked ransomware family used after WastedLocker, and that the name was also applied in separate reporting to a PyPI-delivered credential-stealing supply-chain malware variant.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Phoenix has ties to Hades ransomware, which are both run by Evil Corp., said Liska. Hades was developed by the ransomware gang to avoid the Treasury’s sanctions.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 2 techniques
Persistence: 3 techniques
    "Persistence Mechanisms: To guarantee access after reboot, it dynamically configures daemon jobs, systemd units, and launch agents"
Privilege Escalation: 3 techniques (cites the same persistence evidence as above)
Stealth: 3 techniques
    "Once Bun is executed, the highly obfuscated _index.js file runs. This file uses multiple nested layers of packaging to prevent static inspection and heuristic detection."
Credential Access: 2 techniques
    "It searches specifically for: Cloud Providers: AWS credentials... Google Cloud Platform (GCP service account keys)... Microsoft Azure key vaults... Local Developer Configuration Files: .env config variables, shell histories..."
    "Upon full memory execution, the Hades agent systematically crawls local profiles, process environments, CI runners, and system configurations. It searches specifically for: Cloud Providers: AWS credentials... GitHub access tokens... SSH private keys... Package Managers: Configuration tokens for npm (.npmrc), PyPI (.pypirc), RubyGems, and JFrog Artifactory."
Discovery: 1 technique
Command and Control: 1 technique
Exfiltration: 1 technique
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups (network infrastructure, file hashes, and other indicator types).
Recent activity
13 sources tracked across advisories, community write-ups, and news.
A cross-runtime PyPI supply-chain malware variant that abuses Python .pth startup hooks to execute on interpreter startup, installs the Bun JavaScript runtime, runs an obfuscated _index.js payload, harvests cloud credentials, developer secrets, and CI/CD tokens, and exfiltrates them to attacker-controlled GitHub repositories while using Anthropic API traffic as camouflage.
Hades is a ransomware family explicitly listed as a downstream payload associated with SocGholish access brokerage.
Ransomware family referenced as a follow-on payload associated with the SocGholish/TA569 initial-access ecosystem.
Ransomware used by GOLD DRAKE/Evil Corp; described alongside extensive post-exploitation tooling (e.g., Cobalt Strike, Mimikatz) and credential-based initial access in some 2021 cases.