{
	"id": "29992705-55f8-4d05-8ef4-d3d107f349aa",
	"created_at": "2026-04-06T00:10:12.417954Z",
	"updated_at": "2026-04-10T13:12:40.103567Z",
	"deleted_at": null,
	"sha1_hash": "13cd40f80ecf6dcd2638eafd0d0af3bd63b9757f",
	"title": "Timelining GRIM SPIDER's Big Game Hunting Tactics | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78790,
	"plain_text": "Timelining GRIM SPIDER's Big Game Hunting Tactics |\r\nCrowdStrike\r\nBy Eric John and Harlan Carvey\r\nArchived: 2026-04-05 13:05:36 UTC\r\nThe tactic of singling out large organizations for high ransom payouts has signaled a shift in the eCrime\r\necosystem, with a focus on targeted, low-volume, high-return criminal activity. It’s a type of cybercrime operation\r\nwe refer to as “big game hunting.” CrowdStrike® Services has observed that the time from gaining initial access\r\nin the victim’s environment to launching ransomware can range from days to months. During this time, there are\r\nseveral opportunities to detect an adversary in the process of learning your network – and potentially stop their\r\nattack before it occurs. This blog uses the MITRE ATT\u0026CK™ Framework to map WIZARD SPIDER and GRIM\r\nSPIDER tactics, techniques and procedures (TTPs) observed across several CrowdStrike Services engagements,\r\nillustrating how an attack unfolds and the different stages involved.\r\nIncreased Activity Observed\r\nAn uptick in activity from GRIM SPIDER, a subgroup of the criminal enterprise CrowdStrike Intelligence tracks\r\nas WIZARD SPIDER, has led to the identification of consistent actions employed to carry out their attacks. As\r\npart of their initial compromise — usually as a download from a spam email — they gain a foothold with their\r\nmodular TrickBot malware, which was developed and is principally operated by WIZARD SPIDER. Once\r\nTrickBot is executed, new enumeration modules are downloaded onto the compromised machine to facilitate\r\nWIZARD SPIDER’s spread in search of credentials with the aim of gaining access to the domain controller. The\r\ncriminal actors use RDP to perform lateral movement and explore the victim environment, with an end result of\r\ngaining access to the domain controller. Once this access has been achieved, GRIM SPIDER is able to deploy the\r\nRyuk ransomware to the entire network. 
These observations come from system log data, CrowdStrike Falcon®\r\nsensor telemetry, and the output of the Falcon Forensic Collector (a customized version of CrowdStrike’s freely\r\ndistributed community tool, CrowdResponse).\r\nInitial Access and Execution\r\nWhile the use of malicious attachments in spam emails is the most common initial access vector — determined\r\nacross multiple CrowdStrike investigations — the available data from these investigations had either been\r\nremoved or “aged off” the systems (i.e., dispersed due to the passage of time) before CrowdStrike Services could\r\nconfirm the source. In cases where spam attachments could be verified — once a user has opened the attachment\r\nand enabled macro functionality — a PowerShell script downloads either Emotet, Bokbot or TrickBot, with the\r\nend payload being TrickBot. Within hours of TrickBot being executed, additional TrickBot modules are installed\r\nfor network reconnaissance and credential theft.\r\nPersistence\r\nhttps://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/\r\nPage 1 of 5\n\nTrickBot is installed as a scheduled task, using names like “WinDotNet,” “GoogleTask,” or “Sysnetsf” to\r\nmasquerade as legitimate-appearing processes. These point to various copies of TrickBot installed in the system,\r\nusually within the user profile under %USER_DIR%\\AppData\\Roaming\\ or a subdirectory. The subdirectories also\r\nuse similarly misleading names like “WinDefrag” or “NetSocket” to appear innocuous. TrickBot may also be\r\ninstalled as a service with names like “ControlServiceA” that points to a copy in the system drive root. WIZARD\r\nSPIDER uses a module named NewBCtestnDll64 as a reverse SOCKS proxy that allows for the download and\r\ninstallation of the open source\r\nPowerShell Empire post-exploitation framework. These services launch a Base64-encoded PowerShell script that\r\nwill fetch the full PowerShell Empire code from a remote IP. 
Each instance of the Updater service connects to a\r\nsingle IP address, and multiple versions may be added at the same time, pointing to different IPs and requesting a\r\n.php resource.\r\nCredential Access\r\nThe TrickBot module used for credential harvesting is pwgrab64. As with all modules launched by the TrickBot\r\ncore, pwgrab64 is installed into a subfolder, usually named either “modules” or “data,” and modifies the\r\nfollowing registry value:\r\nRegistry Key: HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\r\nValue: UseLogonCredential\r\nData: 1\r\nSetting the “UseLogonCredential” value to “1” configures the Windows operating system to store credentials as\r\ncleartext in memory, where they can then be retrieved via the use of credential dumping tools. Older versions of\r\nthe pwgrab module have a limited scope that targets mail clients, web browsers, FileZilla and WinSCP. Newer\r\nversions also dump passwords for applications such as PuTTY, VNC and RDP. In the investigations reviewed by\r\nCrowdStrike Services, the UseLogonCredential registry value was observed having been set to “1” on systems\r\nthroughout the infrastructure, often in conjunction with TrickBot’s first deployment to the host.\r\nDiscovery\r\nThe TrickBot modules used for discovery include networkdll and psfin. TrickBot downloads modules for\r\ncollecting local system information and scouting the network, primarily part of the networkdll module. This\r\nmodule has a battery of command line, WMI and LDAP queries to gather information, and then exfiltrates the data\r\nto GRIM SPIDER for review. 
The psfin module has a similar purpose but specifically searches for financial and\r\npoint-of-sale indicators.\r\nLateral Movement\r\nFollowing initial access, GRIM SPIDER focuses on collecting credentials from the compromised hosts and uses\r\nexisting RDP in an attempt to get a domain administrator account and access to the Windows Domain Controller.\r\nThis process can take several iterations of harvesting credentials, connecting to new systems and establishing\r\npersistence. For the incidents observed, this stage of the attack can last from a few days to a few months. GRIM\r\nSPIDER also has been observed selecting a server to be the primary staging point. Subsequently, the adversary\r\ncopies the Microsoft SysInternals PSTools archive to this system, and executes PsExec.exe, a utility that allows\r\nthem to move laterally and execute commands on other Windows systems within the infrastructure. Using this\r\ncommon administrator tool, GRIM SPIDER can traverse the network, remotely installing TrickBot and adding\r\npersistence to new targets. TrickBot also has the shareDll module for propagating to other hosts using the\r\ncurrent, active user credentials.\r\nDeploying Ransomware\r\nOnce GRIM SPIDER has gained access to credentials and a Domain Controller, or other host management server,\r\nthey then stage the Ryuk ransomware on that system and deploy it to targets via PsExec. Being the “noisiest”\r\npart of the operation, it is usually accomplished as quickly as possible to minimize chances of detection, as all of\r\nthe necessary preliminary work has already been completed. 
In observed instances, the deployment and execution\r\nof Ryuk occurred in one session, typically lasting 3 to 8 hours.\r\nSummary\r\nPutting the pieces together gives a view into WIZARD SPIDER’s and GRIM SPIDER’s methodology, but it also\r\nprovides some useful detection points that can give defenders advance notice by setting up monitoring and\r\nconfigurations to thwart the goals of these eCrime actors. With this knowledge, we aim to equip you to stop the\r\nWIZARD SPIDER and GRIM SPIDER threat actors well before they have an opportunity to encrypt your data or\r\ncause serious harm to your business.\r\nAdditional Resources\r\nTable 1 below contains a mapping of WIZARD SPIDER and GRIM SPIDER tactics to the MITRE ATT\u0026CK™\r\nFramework.\r\nTactic | Technique | Observable\r\nInitial Access | Spear-Phishing Attachment | Not observed, due to time frame and data decay\r\nExecution | Command Line Interface, PowerShell, Scheduled Task, Service Execution, Windows Remote Management | Execution of TrickBot via PsExec or PSEXESVC and scheduled tasks. Services and PowerShell used for PowerShell Empire\r\nPersistence | New Service, Scheduled Task, Valid Accounts | PowerShell Empire service, TrickBot scheduled task, recording passwords of valid users for remote authentication\r\nPrivilege Escalation | Valid Accounts | TrickBot pwgrab modules to get privileged accounts\r\nDefense Evasion | Obfuscated Files or Information, File Deletion | PowerShell Empire service is Base64-encoded, services and files are generated with innocuous names. 
Some modules and configurations are removed after use.\r\nCredential Access | Credential Dumping | Indications of TrickBot pwgrab64 module having been executed\r\nDiscovery | Remote System Discovery | Use of TrickBot modules for network discovery\r\nLateral Movement | Windows Admin Shares, Remote File Copy and Remote Desktop Protocol (RDP) | Use of PsExec to deploy TrickBot/PowerShell Empire, copy credentials and other information from compromised infrastructure, RDP for exploring, copy tools to compromised infrastructure\r\nCollection | Data Staged | Credential/network enumeration information\r\nExfiltration | Exfiltration via Command and Control Channel | Domain credentials and network enumeration information are sent back to GRIM SPIDER via HTTP\r\nCommand and Control | Custom Command and Control Protocol | PowerShell Empire and TrickBot modules communicate over HTTP\r\nImpact | Data Encrypted for Impact | Ryuk ransomware\r\nTable 1: MITRE ATT\u0026CK Mapping\r\nIndicators of compromise (IOCs) associated with WIZARD SPIDER investigations are available in Table 2.\r\nIndicator | Purpose\r\nUseLogonCredential = 1 | Registry value set for storing passwords (plaintext) in memory, used to harvest credentials\r\n“Updater”, “Technoservice” | Service file name contains encoded PowerShell commands, service pointing to TrickBot\r\n%COMSPEC% /C start /b C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell -noP -sta -w 1 -enc \u003cBASE64\u003e | Service File Name content for PowerShell Empire loader\r\nC:\\Windows\\tetup.exe, C:\\mswvc.exe | TrickBot binary paths in C:\\ or C:\\Windows\\, observed as a 5-character alphabetical name, or a long alphanumeric string with underscores\r\nC:\\Users\\Default\\AppData\\Roaming\\mssert\\mtwvc.exe | TrickBot binary paths in home directories, observed as a 
5-character alphabetical name under an alphabetical folder in AppData\\Roaming\\, or a long alphanumeric string with underscores\r\nTable 2: IOCs Associated with GRIM SPIDER\r\nLearn More\r\nLearn how CrowdStrike can help your organization answer its most important security questions: Visit the\r\nCrowdStrike Services web page.\r\nDownload the 2020 CrowdStrike Global Threat Report.\r\nDownload the 2018 CrowdStrike Services Cyber Intrusion Casebook and read up on real-world IR\r\ninvestigations, with details on attacks and preventative recommendations.\r\nLearn more about CrowdStrike’s next-gen endpoint protection by visiting the Falcon platform product\r\npage.\r\nTest CrowdStrike next-gen AV for yourself: Start your free trial of Falcon Prevent™ today.\r\nSource: https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/"
	],
	"report_names": [
		"timelining-grim-spiders-big-game-hunting-tactics"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8492b1a0-126f-4113-b8f7-101d28559629",
			"created_at": "2023-01-06T13:46:38.864213Z",
			"updated_at": "2026-04-10T02:00:03.126178Z",
			"deleted_at": null,
			"main_name": "GRIM SPIDER",
			"aliases": [
				"GOLD ULRICK"
			],
			"source_name": "MISPGALAXY:GRIM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434212,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13cd40f80ecf6dcd2638eafd0d0af3bd63b9757f.pdf",
		"text": "https://archive.orkl.eu/13cd40f80ecf6dcd2638eafd0d0af3bd63b9757f.txt",
		"img": "https://archive.orkl.eu/13cd40f80ecf6dcd2638eafd0d0af3bd63b9757f.jpg"
	}
}