Malware · Ransomware · Used by 1 actor

Macaw Locker

Macaw Locker is a ransomware family attributed to the Russian cybercrime group Evil Corp, also tracked as GOLD DRAKE and Indrik Spider. Public reporting places it among the ransomware families Evil Corp deployed after the U.S. Treasury sanctioned the group in December 2019, alongside WastedLocker, Hades and Phoenix CryptoLocker. The group rotated ransomware strains and tooling to hinder attribution and to stop the sanctions from blocking ransom payments: victims and their negotiators face legal exposure when they pay a sanctioned entity, so a payload that cannot be tied to Evil Corp is easier to get paid. Macaw Locker is therefore documented here as part of Evil Corp's post-sanctions operations rather than through its own technical behavior; the available reporting gives no infection vectors, encryption mechanics, targeted industries, or indicators of compromise unique to Macaw Locker. The wider Evil Corp intrusion ecosystem is better described: the FakeUpdate/SocGholish chain, in which compromised WordPress sites serve fake browser-update prompts that deliver a first-stage payload, followed by additional tooling used to gain and extend access to the victim environment.
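The fake-browser-update delivery chain described above is the one part of the Evil Corp ecosystem a defender can hunt for without Macaw Locker-specific indicators. The script below is an added hunting example written for this page; it is not Mallory's detection content nor anything published by the researchers cited here. It assumes the publicly documented SocGholish tradecraft in which the "update" is a JScript (.js) file that the user saves and double-clicks, so that wscript.exe or cscript.exe runs a script out of a Downloads or Temp directory with explorer.exe as the parent. The event shape (image, command line, parent image, user) is modelled on Sysmon process-creation events, and the sample events are constructed for illustration, not taken from any incident.

```python
"""Hunt for SocGholish-style fake browser update execution in process-creation telemetry.

Added example for this page, not from the page's sources. Event dicts mimic
Sysmon Event ID 1 fields; SAMPLE_EVENTS are constructed test data.
"""
import shlex
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf"}
# Directories where a browser download or an archive extraction lands (lower-case, with separators).
USER_STAGING_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
# Words the lure file name borrows to look like a legitimate browser update.
LURE_WORDS = ("update", "chrome", "firefox", "edge", "browser")

# Constructed sample events (assumption: Sysmon-like field names). Events 0 and 3 should alert.
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\wscript.exe",
     "command_line": '"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\jdoe\\Downloads\\Chrome.Update.js"',
     "parent_image": "C:\\Windows\\explorer.exe", "user": "CORP\\jdoe"},
    {"image": "C:\\Windows\\System32\\cscript.exe",
     "command_line": "cscript.exe //nologo C:\\Scripts\\inventory.vbs",
     "parent_image": "C:\\Windows\\System32\\svchost.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"image": "C:\\Windows\\System32\\wscript.exe",
     "command_line": 'wscript.exe //nologo "C:\\Users\\jdoe\\AppData\\Local\\Temp\\report.js"',
     "parent_image": "C:\\Windows\\System32\\cmd.exe", "user": "CORP\\jdoe"},
    {"image": "C:\\Windows\\SysWOW64\\wscript.exe",
     "command_line": '"C:\\Windows\\SysWOW64\\wscript.exe" "C:\\Users\\asmith\\Downloads\\Firefox.Update.js"',
     "parent_image": "C:\\Windows\\explorer.exe", "user": "CORP\\asmith"},
]


def script_argument(command_line):
    """Return the first command-line argument that names a script file, or None.

    Non-POSIX shlex mode keeps Windows backslashes literal and quotes attached;
    host switches such as //nologo or //e:jscript are skipped.
    """
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: malformed or truncated log line
        return None
    for token in tokens[1:]:
        token = token.strip('"')
        if token.startswith("//"):
            continue
        if PureWindowsPath(token).suffix.lower() in SCRIPT_EXTENSIONS:
            return token
    return None


def score_event(event):
    """Return a finding dict when the event matches the fake-update chain, else None.

    A script host running a .js file is routine in many estates, so a hit needs
    at least two corroborating signals on top of that base condition.
    """
    image = PureWindowsPath(event["image"]).name.lower()
    if image not in SCRIPT_HOSTS:
        return None
    script = script_argument(event["command_line"])
    if script is None:
        return None
    script_path = PureWindowsPath(script)
    reasons = [f"{image} executing {script_path.suffix.lower()} script"]
    if any(marker in script.lower() for marker in USER_STAGING_MARKERS):
        reasons.append("script staged in a user download or temp directory")
    if PureWindowsPath(event.get("parent_image", "")).name.lower() == "explorer.exe":
        reasons.append("launched from explorer.exe, consistent with a user double-click")
    if any(word in script_path.name.lower() for word in LURE_WORDS):
        reasons.append("file name mimics a browser update")
    if len(reasons) < 3:
        return None
    return {"user": event.get("user", ""), "script": script, "reasons": reasons}


def hunt(events):
    """Run score_event over an iterable of events and return the findings."""
    return [finding for finding in map(score_event, events) if finding]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["user"], finding["script"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The threshold is deliberate: event 2 in the sample set is a .js file run out of Temp, but from cmd.exe with a neutral file name, and stays below the bar, while the two explorer.exe-launched "Update" scripts in Downloads alert. Tune USER_STAGING_MARKERS and LURE_WORDS to your estate, and feed the function from your SIEM export rather than the constructed sample.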


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Indrik Spider

The malware has been previously linked to Evil Corp, a Russian cybercrime gang active since 2007 that has been associated with the Zeus and Dridex malware families and was behind the WastedLocker, Hades, Macaw Locker, and Phoenix CryptoLocker ransomware operations.

via BleepingComputer (bleepingcomputer.com)
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Impact

1 technique
T1486 Data Encrypted for Impact (Evidence: 1)

Evil Corp is now using off-the-shelf ransomware, most recently the LockBit ransomware-as-a-service, to cover its tracks and make it easier to get the ransoms they demand from victims paid.
