{
	"id": "ea05a762-0771-406c-b476-d23dd5970028",
	"created_at": "2026-04-06T00:07:08.90793Z",
	"updated_at": "2026-04-10T13:12:26.827005Z",
	"deleted_at": null,
	"sha1_hash": "1dc8ec41ccae95651e2062cef662ffcb6941c4d6",
	"title": "How Ransomware Adversaries Reacted to the DarkSide Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 380554,
	"plain_text": "How Ransomware Adversaries Reacted to the DarkSide Attack\r\nBy CrowdStrike Threat Intel Team\r\nArchived: 2026-04-05 14:56:28 UTC\r\nThe repercussions from the Colonial Pipeline DarkSide ransomware incident have garnered global attention and\r\ncaused major shifts in the ransomware ecosystem. Many criminal forums have now banned ransomware, and as a\r\nresult, many ransomware-as-a-service (RaaS) operators have already ended their public communications regarding\r\naffiliate and partner recruitment. While this incident will have a significant short- to medium-term impact on the\r\npublic-facing operations of RaaS provisions, the RaaS operation model is unlikely to be abandoned and will likely\r\ncontinue in more private and secure communication channels.\r\nRansomware Infection at Pipeline Company\r\nOn May 7, 2021, Colonial Pipeline — operator of 5,500 miles of pipeline from the Gulf Coast to the U.S. East\r\nCoast providing 45% of the gasoline to this region — was the victim of a ransomware infection. Initial details\r\nsurrounding the incident were very tightly controlled, and information filtered out slowly, likely due to the\r\nengagement of U.S. government and law enforcement agencies. On May 9, 2021, the FBI released a public\r\nstatement expressing they were “working closely with the company and our government partners.” The FBI’s\r\nfollow-up statement on May 10 publicly indicated the incident involved the DarkSide ransomware. It was later\r\nreported Colonial Pipeline had approximately 100GB of data stolen from their network, and the organization\r\nallegedly paid almost $5 million USD to a DarkSide affiliate.\r\nGovernment Statements Regarding Attribution\r\nOn May 10, President Biden stated the U.S. intelligence community had no evidence at the time that the Russian\r\ngovernment was involved in this incident — but evidence did exist that the actors responsible were located in\r\nRussia. 
In response to a question about possible state ties of the DarkSide operators, the United States National\r\nSecurity Council’s most senior cybersecurity official publicly described them as “a criminal actor.” On May 11,\r\n2021, the Russian Embassy in the U.S. released a statement that they “took note of the attempts of some media to\r\naccuse Russia of a cyberattack on Colonial Pipeline” and distanced themselves from the ransomware incident,\r\nstating they “categorically reject the baseless fabrications of individual journalists and reiterate that Russia does\r\nnot conduct 'malicious' activity in the virtual space.”\r\nCARBON SPIDER\r\nCrowdStrike Intelligence attributes the operation of the DarkSide RaaS to CARBON SPIDER, a skilled\r\neCrime (ECX) group, highly likely Eastern Europe- or Russia-based. CARBON SPIDER has been active since at\r\nleast 2013 and previously targeted the hospitality and retail sectors in pursuit of payment card data. In April 2020,\r\nCARBON SPIDER began conducting big game hunting (BGH) operations. The evolution from targeted eCrime to\r\nBGH is reminiscent of how other adversaries (such as INDRIK SPIDER and WIZARD SPIDER) have shifted\r\nhttps://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/\r\nPage 1 of 5\n\ntheir operations to focus primarily or exclusively on BGH. CARBON SPIDER’s BGH campaigns were likely\r\nmotivated by the COVID-19 pandemic and the reduction in point-of-sale (POS) transactions. The adversary used\r\nPINCHY SPIDER’s REvil RaaS prior to introducing their own ransomware, DarkSide, in August 2020, and were\r\namong the first ransomware operators to target VMware ESXi systems. 
In November 2020, CARBON SPIDER\r\nmade the business decision to advertise their DarkSide ransomware to affiliates via a RaaS model and have been\r\nsuccessfully growing their operations since.\r\nCARBON SPIDER’s Reaction\r\nOn May 10, 2021, CARBON SPIDER posted a press release to the DarkSide dedicated leak site (DLS) stating\r\nthey are “apolitical,” do not participate in “geopolitics,” and their “goal is to make money, and not creating\r\nproblems for society” (Figure 1).\r\nFigure 1. CARBON SPIDER's press release on their DLS\r\nCARBON SPIDER further stated there is “no need” to associate the group with a “defined government,” and that\r\nthey are introducing a system to check potential affiliate victims of the RaaS before encryption to prevent “social\r\nconsequences.” CrowdStrike Intelligence assesses that CARBON SPIDER is highly likely located in Russia or\r\nneighboring countries, and there is currently no indication the group or any DarkSide RaaS affiliates are associated\r\nwith any state-operated or politically motivated threat actors. The rapid response and introduction of a vetting\r\nprocess for affiliate victims suggests CARBON SPIDER is aware the Colonial Pipeline incident was conducted by\r\nan affiliate of the DarkSide RaaS as opposed to CARBON SPIDER themselves. This is based on the imposition of\r\nmoderation and checking of potential partner victims prior to infection with DarkSide. A statement on May 13,\r\n2021 — purportedly from CARBON SPIDER — claimed the adversary group lost access to the DarkSide DLS,\r\npayment servers and content delivery network (CDN) servers. The statement also claimed CARBON SPIDER\r\nservers had been blocked “at the request of law enforcement agencies.” Furthermore, cryptocurrency allegedly\r\nbelonging to CARBON SPIDER and their clients had been transferred to an unknown address. 
A revision to the\r\nstatement (subsequently made by the “Russian OSINT” Telegram channel) claimed that “no arrests were made”\r\nand “DarkSide has simply shut down.” Whether the DarkSide RaaS will remain closed permanently is currently\r\nunclear; however, new infrastructure for other CARBON SPIDER tools has been identified since the alleged\r\nDarkSide shutdown, indicating CARBON SPIDER will highly likely remain a sophisticated and active threat\r\nactor.\r\nForum Reactions\r\nOn May 13, 2021, XSS forum administrators made an extensive post detailing their prohibition of ransomware-related posts and ban on threads associated with ransomware affiliate programs, rental and sale. All future topics\r\nmeeting any of the criteria will reportedly be removed — threads related to Avaddon, DarkSide, LockBit, REvil\r\nand Trinage ransomware were all removed from the forum. The following reasons were provided for the change in\r\npolicy:\r\nThe main purpose of the forum is “technical education” and research, and these goals do not align with the\r\npurely financial motivations of ransomware operators.\r\n“Newbies” attract media attention under the pretense of making large sums of money without learning,\r\ncoding, or thinking, and with minimal effort and restraint.\r\nRansomware has become a hugely covered topic in the media and attracts negative attention through\r\n“hype,” “noise,” and “nonsense.”\r\nRansomware has become associated with a “number of unpleasant phenomenon,” including geopolitics,\r\nextortion and government hacking.\r\nThe following day, similar posts appeared on Exploit and RaidForums stating that due to the mass-media\r\nattention, it was no longer feasible to entertain posts relating to ransomware. 
The statement on Exploit suggested\r\nthat this restriction only applied to ransomware specifically, allowing other content — criminal or otherwise — to\r\ncontinue without restriction.\r\nRansomware Operators’ Reactions\r\nPINCHY SPIDER, developers and operators of the popular REvil RaaS, announced intentions to move away from\r\nthe forums to private communications, and additionally detailed “significant restrictions” on future REvil\r\noperations:\r\nSocial-sector victims (such as academic and healthcare organizations) are not to be infected.\r\nInfections against government-sector entities in any country are strictly prohibited.\r\nAffiliates must provide the owners of the RaaS with detailed information regarding any potential target and\r\nobtain permission prior to initiating ransomware operations.\r\nRIDDLE SPIDER, operators of the Avaddon RaaS, posted a similar announcement “due to the current situation”\r\nin the U.S., listing the following restrictions on future Avaddon operations:\r\nEntities in the Commonwealth of Independent States (CIS) are not to be infected.\r\nWork against public-sector victims (such as academic and healthcare organizations) is prohibited.\r\nPermission of the “administration” must be sought prior to infection.\r\nIn contrast, the operators of Babuk Locker ransomware criticized the reactions within the eCrime community,\r\npredicted RaaS “will die,” encouraged “pentesters” (likely a reference to eCrime actors specializing in\r\ncompromising networks) to abandon public RaaS programs, and announced intentions to launch a “huge platform\r\nfor independent leaks” — supposedly for use by “successful no-name teams” who do not run from the “ship like\r\nrats and change the policy” of their operations (Figure 2).\r\nFigure 2. 
Extract of an announcement by Babuk Locker operators on their DLS\r\nAccess Brokers\r\nThe changes on the criminal underground forums have also impacted other eCrime actors, including access\r\nbrokers. Access brokers are threat actors that gain backend access to various organizations and advertise this\r\naccess to other eCrime actors via criminal underground forums or private communication channels. Access broker\r\nofferings are heavily tailored toward BGH operators and their affiliates, often including the annual revenue of the\r\nvictim — acquired from public sources — as this can be used to calculate the potential ransom demand. Since the\r\nbeginning of 2021, CrowdStrike Intelligence has observed access brokers advertise initial access to entities in the\r\nenergy sector, including oil and gas companies. Entities in these sectors can be lucrative victims since they often\r\npossess relatively large annual revenues that are of interest to ransomware operators and affiliates. On Jan. 2,\r\n2021, a Ukraine-based access broker stated in a dual English- and Russian-language forum that they were\r\nplanning to deploy an unspecified ransomware variant against an oil and gas entity. A portion of funds received\r\nfrom this operation was later transferred to an associated group of Bitcoin (BTC) wallets that also received the\r\nransom from the Colonial Pipeline incident. On Feb. 13 and March 7, 2021, the access broker barf advertised\r\nadministrator and user access to two different entities in the energy and the oil and gas sectors on a dual English-and Russian-language forum. Since the Colonial Pipeline incident and the changes introduced by the forum\r\nadministrators, there has been a general decline in the number of access broker advertisements on the forums —\r\naside from one Brazil-based access broker targeting a Europe-based oil and gas company who is seemingly intent\r\non selling their access despite the ban on ransomware-related offerings. 
Similar to the reaction by RaaS operators,\r\naccess broker activity is unlikely to cease, but brokers will likely increasingly adopt the use of private\r\ncommunications for advertising and selling access in the near term. Access brokers will almost certainly continue\r\nto target entities within the energy sector as the vertical remains a lucrative target for ransomware operations, and\r\naccess brokers profit from providing initial access opportunities.\r\nLooking Forward\r\nThe intense attention surrounding the Colonial Pipeline incident has had a significant impact on the criminal\r\nmarketplace and the political landscape. Scrutiny of this event will almost certainly alter how ransomware\r\noperators conduct their activity and how government and law enforcement agencies respond to the ransomware\r\nthreat. RaaS operators, such as CARBON SPIDER (DarkSide), PINCHY SPIDER (REvil), and RIDDLE SPIDER\r\n(Avaddon), have apparently accepted blanket forum bans on the discussion and marketing of ransomware services.\r\nThese bans likely spell the end for most public communications regarding affiliate and partner recruitment. The\r\naforementioned groups have also issued warnings to their affiliates that they must request approval prior to\r\ndeploying ransomware across a victim environment. These new guidelines are a response to fallout from the\r\nColonial Pipeline incident — likely caused by an unseasoned DarkSide RaaS affiliate — who likely failed to\r\nconduct proper due diligence on Colonial Pipeline before infecting them. While the attack was certainly\r\ndeliberate, the significant social and economic consequences were either unconsidered or underestimated. This\r\nattack was likely not meant to intentionally disrupt gasoline supply to a wide swath of the U.S. 
East Coast:\r\nColonial Pipeline stated that it “proactively took certain systems offline to contain the threat, which temporarily\r\nhalted all pipeline operations.” While the operators of Babuk Locker have been defiant in the wake of the Colonial\r\nPipeline ransomware incident, other actors (such as WIZARD SPIDER) have not publicly responded to the\r\nattention on the ransomware marketplace. These adversaries already operate a private operation with only trusted\r\npartners and affiliates, and it is unlikely such groups will publicly respond at all. Most public RaaS vendors will\r\nlikely retreat for a short- to medium-timeframe and will continue to operate in a more closed and private fashion\r\n— a choice already demonstrated by PINCHY SPIDER. While CARBON SPIDER allegedly closed their\r\nDarkSide RaaS, the adversary is successful, sophisticated, and resourceful, and has not ceased all activity.\r\nCARBON SPIDER, and possibly other RaaS vendors, will likely take time to reevaluate their operations and\r\nreturn to eCrime activity — albeit not necessarily involving ransomware — under a new name or brand. The\r\nrecent developments surrounding the Colonial Pipeline incident and subsequent reactions from ransomware\r\noperators showcase the importance of maintaining situational awareness of quickly evolving threats. This is\r\nfacilitated by monitoring the shifting dynamics in underground criminal communities but also by understanding\r\nthe context and impact these activities have on the overall ecosystem. 
Proactive measures (such as active\r\nmonitoring) are critical to staying ahead of the adversary to protect your organization.\r\nAdditional Resources\r\nRead more about CARBON SPIDER’s tactics and DarkSide ransomware in this blog: Hypervisor\r\nJackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize\r\nImpact.\r\nDownload the CrowdStrike 2021 Global Threat Report for more information about big game hunting\r\nadversaries tracked by CrowdStrike Intelligence in 2020.\r\nTo learn more about how to incorporate intelligence on threat actors into your security strategy, visit the\r\nCROWDSTRIKE FALCON® INTELLIGENCE™ Premium Threat Intelligence page.\r\nSee how the powerful, cloud-native CrowdStrike Falcon® platform protects customers from DarkSide\r\nransomware in this blog: DarkSide Goes Dark: How CrowdStrike Falcon® Customers Were Protected.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs\r\nagainst today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/"
	],
	"report_names": [
		"how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998",
			"created_at": "2023-01-06T13:46:39.207556Z",
			"updated_at": "2026-04-10T02:00:03.246557Z",
			"deleted_at": null,
			"main_name": "RIDDLE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:RIDDLE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "27e51b73-410e-4a33-93a1-49cf8a743cf7",
			"created_at": "2023-01-06T13:46:39.210675Z",
			"updated_at": "2026-04-10T02:00:03.247656Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"SPRITE SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD DUPONT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368",
			"created_at": "2022-10-25T16:07:24.225216Z",
			"updated_at": "2026-04-10T02:00:04.904162Z",
			"deleted_at": null,
			"main_name": "Sprite Spider",
			"aliases": [
				"Gold Dupont",
				"Sprite Spider"
			],
			"source_name": "ETDA:Sprite Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Coroxy",
				"Defray 2018",
				"Defray777",
				"DroxiDat",
				"Glushkov",
				"LaZagne",
				"Metasploit",
				"PyXie",
				"PyXie RAT",
				"Ransom X",
				"RansomExx",
				"SharpHound",
				"Shifu",
				"SystemBC",
				"Target777",
				"Vatet",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c",
			"created_at": "2022-10-25T16:07:24.12696Z",
			"updated_at": "2026-04-10T02:00:04.875073Z",
			"deleted_at": null,
			"main_name": "Riddle Spider",
			"aliases": [
				"Avaddon Team"
			],
			"source_name": "ETDA:Riddle Spider",
			"tools": [
				"Avaddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider ",
				"Storm-2460 "
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434028,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1dc8ec41ccae95651e2062cef662ffcb6941c4d6.pdf",
		"text": "https://archive.orkl.eu/1dc8ec41ccae95651e2062cef662ffcb6941c4d6.txt",
		"img": "https://archive.orkl.eu/1dc8ec41ccae95651e2062cef662ffcb6941c4d6.jpg"
	}
}