{
	"id": "dbdce453-6e7b-41ab-a2b2-423f9d1b5a7a",
	"created_at": "2026-04-06T00:22:37.567937Z",
	"updated_at": "2026-04-10T03:35:56.752589Z",
	"deleted_at": null,
	"sha1_hash": "29f0d3fb11935b6922316bd01163d21b625f9ab5",
	"title": "Hades (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85057,
	"plain_text": "Hades (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 17:37:18 UTC\r\nAccording to PCrisk, Hades Locker is an updated version of WildFire Locker ransomware that infiltrates systems\r\nand encrypts a variety of data types using AES encryption. Hades Locker appends the names of encrypted files\r\nwith the \".~HL[5_random_characters] (first 5 characters of encryption password)\" extension.\r\n2025-01-17 ⋅ Google Cloud Security ⋅ Office of the CISO\r\nThreat Horizons - H1 2025 Threat Horizons Report\r\nFAKEUPDATES Conti Hades LockBit Phoenix Locker RansomHub TRIPLESTRENGTH 2022-06-13 ⋅ Jorge Testa ⋅\r\nJorge Testa\r\nKilling The Bear - Evil Corp\r\nFAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker\r\nWastedLoader WastedLocker 2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence\r\nTo HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions\r\nFAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix\r\nLocker WastedLocker 2022-02-01 ⋅ Sentinel LABS ⋅ Antonio Pirozzi, Antonis Terefos, Idan Weizman\r\nSanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp\r\nDridex FriedEx Hades Phoenix Locker WastedLocker 2021-10-22 ⋅ HUNT \u0026 HACKETT ⋅ Krijn de Mik\r\nAdvanced IP Scanner: the preferred scanner in the A(P)T toolbox\r\nConti DarkSide Dharma Egregor Hades REvil Ryuk 2021-09-14 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nBig Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack\r\nBlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades\r\nREvil 2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team\r\nThe Ransomware Threat\r\nBabuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike\r\nConti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex\r\nMimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker 2021-06-30 ⋅ 
Advanced Intelligence ⋅ AdvIntel\r\nSecurity \u0026 Development Team, Brandon Rudisel, Yelisey Boguslavskiy\r\nRansomware-\u0026-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets\r\nBlackKingdom Ransomware Clop dearcry Hades REvil 2021-06-29 ⋅ Accenture ⋅ Accenture Security\r\nHADES ransomware operators continue attacks\r\nCobalt Strike Hades MimiKatz 2021-06-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nHades Ransomware Operators Use Distinctive Tactics and Infrastructure\r\nCobalt Strike Hades 2021-05-10 ⋅ DarkTracer ⋅ DarkTracer\r\nIntelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware\r\ngangs released on the DarkWeb\r\nRansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze\r\nMedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hades\r\nPage 1 of 2\n\nRansomEXX REvil Sekhmet SunCrypt ThunderX 2021-05-05 ⋅ TRUESEC ⋅ Mattias Wåhlén\r\nAre The Notorious Cyber Criminals Evil Corp actually Russian Spies?\r\nCobalt Strike Hades WastedLocker 2021-04-12 ⋅ Twitter (@inversecos) ⋅ inversecos\r\nTweet on TTPs associated with Hades Ransomware\r\nHades 2021-03-26 ⋅ Accenture ⋅ Eric Welling, Jeff Beley, Ryan Leininger\r\nIt's getting hot in here! Unknown threat group using Hades ransomware to turn up the heat on their victims\r\nHades 2021-03-25 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nEvil Corp switches to Hades ransomware to evade sanctions\r\nHades WastedLocker 2021-03-01 ⋅ AWAKE ⋅ Jason Bevis\r\nThe Unseen One: Hades Ransomware Gang or Hafnium\r\nHades 2021-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nThreat Profile: GOLD WINTER\r\nCobalt Strike Hades Meterpreter GOLD WINTER\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.hades\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hades\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.hades"
	],
	"report_names": [
		"win.hades"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0338f31-ace4-4fec-972b-d1ba9815d1de",
			"created_at": "2023-01-06T13:46:39.283728Z",
			"updated_at": "2026-04-10T02:00:03.273567Z",
			"deleted_at": null,
			"main_name": "GOLD WINTER",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD WINTER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider",
				"Manatee Tempest"
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fb23d29-6c6c-459b-8985-e11f125cebcf",
			"created_at": "2025-03-07T02:00:03.805635Z",
			"updated_at": "2026-04-10T02:00:03.83403Z",
			"deleted_at": null,
			"main_name": "TRIPLESTRENGTH",
			"aliases": [],
			"source_name": "MISPGALAXY:TRIPLESTRENGTH",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "80300c2f-309a-43c2-9d01-0357a174ad20",
			"created_at": "2024-06-19T02:03:08.140588Z",
			"updated_at": "2026-04-10T02:00:03.6222Z",
			"deleted_at": null,
			"main_name": "GOLD WINTER",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD WINTER",
			"tools": [
				"Advanced Port Scanner",
				"Cobalt Strike",
				"Hades",
				"MEGAsync",
				"MSBuild",
				"Metasploit",
				"Mimikatz",
				"PsExec",
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434957,
	"ts_updated_at": 1775792156,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29f0d3fb11935b6922316bd01163d21b625f9ab5.pdf",
		"text": "https://archive.orkl.eu/29f0d3fb11935b6922316bd01163d21b625f9ab5.txt",
		"img": "https://archive.orkl.eu/29f0d3fb11935b6922316bd01163d21b625f9ab5.jpg"
	}
}