{
	"id": "1d5510a8-674c-42c2-ac3d-0ef03df9376c",
	"created_at": "2026-04-06T00:22:24.605612Z",
	"updated_at": "2026-04-10T13:11:56.170441Z",
	"deleted_at": null,
	"sha1_hash": "2bd4330cf769f9a90c5c591112ef2a9546884e59",
	"title": "Dharma Ransomware Intrusions Exhibit Consistent Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85864,
	"plain_text": "Dharma Ransomware Intrusions Exhibit Consistent Techniques\r\nBy Eric Loui - Karl Scheuerman - Aaron Pickett - Brendon Feeley\r\nArchived: 2026-04-05 15:41:23 UTC\r\nSince at least 2018, criminal actors have been conducting big game hunting (BGH) campaigns, deploying\r\nransomware on a targeted scale against large corporations or governments in pursuit of lucrative payouts. These\r\nBGH campaigns have netted millions of dollars (USD) for major criminal actors like WIZARD SPIDER and\r\nINDRIK SPIDER. However, BGH is not exclusive to sophisticated adversaries deploying advanced malware. One\r\nexample is a series of BGH intrusions where criminal actors used common tactics to deploy Dharma ransomware.\r\nThroughout 2019 and into 2020, the CrowdStrike Falcon OverWatch™ and Intelligence teams have identified\r\nongoing attempts by criminal actors to install Dharma ransomware across a diverse range of organizations\r\nworldwide. Dharma has been in operation since 2016 under a ransomware-as-a-service (RaaS) model, where\r\ndevelopers license or sell ransomware to other criminals who then carry out an attack using the malware. Dharma\r\naffiliates do not appear to discriminate among industries. 
Victims have been identified in the following sectors:\r\nAcademic\r\nAutomotive\r\nEnergy\r\nExtractive\r\nFinancial Services\r\nGovernment\r\nHealthcare\r\nHospitality\r\nLegal\r\nLogistics\r\nManufacturing\r\nMedia\r\nRetail\r\nTechnology\r\nTelecommunications\r\nTransportation\r\nThese intrusions have exhibited consistent techniques that include gaining initial access over Remote Desktop\r\nProtocol (RDP) brute forcing or password spraying, using publicly available utilities to attempt to identify and\r\nuninstall security software, harvesting credentials, and mapping network shares.\r\nBackground: Dharma Status and Code Similarity Across Variants\r\nCrowdStrike identified that the original author of Dharma released the source code in 2016 before ceasing activity.\r\nSince this threat actor’s departure, Dharma has been marketed and sold by multiple, apparently independent\r\nhttps://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/\r\nPage 1 of 6\n\nactors, two of which were active in 2019 — and at least one remains active as of January 2020. Separately, while\r\nthe Phobos ransomware is likely to have been inspired by Dharma, the codebase of Phobos appears separate from\r\nDharma. Although Dharma is not centrally controlled — in contrast to major RaaS families, such as REvil, which\r\nis operated by PINCHY SPIDER — the code has not been forked or meaningfully altered across distribution\r\nchannels. CrowdStrike® Intelligence analyzed Dharma variants from multiple sources, including BGH incidents\r\ntracked by the OverWatch team as well as separately identified Dharma samples. (For example, several samples\r\nwere observed being dropped by Smoke Bot, a loader that is developed by an adversary tracked as SMOKY\r\nSPIDER by CrowdStrike Intelligence.) Code comparison of these Dharma samples rendered a 100% match of the\r\nfunctions in all analyzed samples. The sample files compared are 99% similar in their entirety. 
This analysis\r\nrevealed that, across all samples, the only differences were the encryption keys, ransom note content, contact\r\nemail, appended file extension, and ransom note file name, which are commonly customizable in RaaS operations.\r\nDue to the overlapping nature of these variants, it is not currently possible to distinguish Dharma used in BGH\r\ncampaigns from other Dharma operations, so there is a lack of visibility into the operational clusters and operating\r\nactors.\r\nInitial Access\r\nBased on CrowdStrike’s observations, Dharma affiliates running BGH operations gain access to victims primarily\r\nthrough RDP. These actors use brute forcing or password spraying to compromise accounts. Dharma affiliates\r\nhave also been observed authenticating using valid credentials, which were likely obtained by the threat actor\r\ndirectly or purchased on underground forums. It is likely that brute forcing or password spraying are performed by\r\nautomated tools, such as NLBrute, which is discussed in more detail below. Administrator accounts have\r\nspecifically been targeted in multiple Dharma incidents, likely because they provide a higher-privilege level of\r\naccess, which increases the actor’s chances of a successful Dharma intrusion — particularly the infection of many\r\nhosts in one deployment. Outside of RDP, Dharma affiliates have likely exploited internet-facing software\r\nvulnerabilities, primarily in SQL servers. Following successful initial access, the Falcon OverWatch team has\r\nidentified execution of the “Mouse Lock” utility, likely to prevent legitimate users from authenticating and\r\ninterrupting an interactive session. 
If initial access was not gained over RDP, Dharma actors have been observed\r\nenabling remote desktop from the command line with the following command, probably to enable persistent\r\naccess: reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t reg_dword /d 0 /f.\r\nDefense Evasion\r\nAcross observed Dharma cases, the operators used a consistent set of tools to identify and terminate security\r\nsoftware, such as endpoint protection products or security information and event management (SIEM) alert\r\nforwarders. The presence of more than one of these tools may be an indicator of malicious activity and can be\r\nused to detect BGH Dharma attacks. Dharma affiliates have primarily used two publicly available utilities for this\r\npurpose — PCHunter and ProcessHacker. These powerful utilities allow actors to not only view and terminate\r\nprocesses, but also to directly interface with the Windows kernel itself. In most cases, these tools are actually\r\nsaved and run with their default names, as PCHunter32.exe, PCHunter64.exe or Processhacker.exe. In at least\r\none instance, PCHunter was downloaded by an adversary using a web browser and saved into the user’s\r\nDownloads directory before being executed. Dharma affiliates have tried a variety of other free utilities for\r\nterminating security software. These include: PowerTool x64, GMER, Total Uninstall Portable and Defender\r\nControl. The first two include kernel manipulation functionality similar to the capabilities of PCHunter and\r\nProcessHacker. Total Uninstall is designed for uninstalling software, while Defender Control specifically seeks to\r\ndisable Windows Defender. CrowdStrike has also identified Dharma affiliates attempting to use PowerShell and\r\nWMIC for similar purposes. 
One observed example of a WMIC command is: wmic product where name=\"\" call uninstall /nointeractive. In addition to the above techniques, Dharma affiliates have attempted to modify\r\npertinent registry keys to disable security protections. In one instance, the actors ran the following command line\r\ninterface (CLI) instruction to disable user account control (UAC): REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f\r\nOther instances of registry tampering have focused on disabling Windows Defender functions.\r\nCredential Access and Lateral Movement\r\nDharma affiliates tracked by CrowdStrike use typical methods to obtain credentials and propagate laterally within\r\na network. Most Dharma cases include Mimikatz, and multiple cases included the use of NirSoft\r\nCredentialsFileView, which allows for the recovery of passwords stored in encrypted credential files. Any\r\nobtained credentials are likely used to attempt privilege escalation — if actors don’t already have administrator\r\naccess — as well as lateral movement. Dharma affiliates typically use a distinctive utility to map network shares,\r\nwhich can subsequently be encrypted by the ransomware. Additionally, the tool NLBrute has been identified in\r\nmultiple Dharma incidents. This RDP brute-forcing tool has been available on underground forums since at least\r\n2016 and is likely used to gain access to additional systems within a network. In multiple cases, CrowdStrike\r\nidentified the presence of the free Advanced IP Scanner utility, which can be used to map a local area network\r\n(LAN) and enable control of systems via RDP.\r\nRansomware Execution\r\nPrior to executing the ransomware, Dharma affiliates use scripts to disable and delete volume shadow copies or\r\nhost file backups in order to prevent easy recovery. The actors have also used scripts to wipe system logs. 
To\r\nensure Dharma has the maximum impact, affiliates have used IObit Unlocker to release locked files on shared\r\ndrives so that these files may be encrypted. Similarly, Dharma actors commonly use scripts to terminate running\r\nservices (e.g., by using net stop) to release files used by these services, therefore allowing them to be\r\nencrypted. CrowdStrike OverWatch has detected attempts to specifically stop database services, likely because\r\ndatabase storage files are of high value. Dharma is then typically written to disk as an executable file (EXE) and\r\nsubsequently executed. In an unsuccessful Dharma installation attempt identified on September 1, 2019, the\r\nransomware was contained in a 7-zip, self-extracting executable. This file format is an EXE that can unpack an\r\nembedded .7z archive without the use of 7-zip software.\r\nOutlook and Implications\r\nThese Dharma campaigns resemble other recent BGH campaigns. Attempts to disable security products running\r\non victim hosts continued to be an observed tactic, technique and procedure (TTP) for BGH actors during 2019\r\nand into 2020. One of the first instances of this TTP occurred during a February 2019 PINCHY SPIDER affiliate\r\ncampaign. ProcessHacker has also been used in DOPPEL SPIDER BGH campaigns to terminate security\r\nsoftware. It is likely Dharma campaigns will continue for the foreseeable future.\r\nRecommendations\r\nSecurity solutions such as the CrowdStrike Falcon® endpoint protection platform come with many preventive\r\nfeatures to protect against threats like Dharma. 
These features — which include machine learning (ML),\r\nbehavioral preventions and executable quarantining — are highly effective at stopping ransomware and other\r\ncommon techniques criminal organizations employ.\r\nMITRE ATT\u0026CK Tactic and Technique Mapping\r\nThe following table maps Dharma BGH affiliates’ intrusion methods to the MITRE ATT\u0026CK® framework.\r\nTactic | Technique | Description\r\nInitial Access | Exploit Public-Facing Application (T1190), Valid Accounts (T1078) | Dharma operatives primarily access accounts using RDP brute force and password spraying attempts, which will result in authentication failure events. In multiple instances, Dharma affiliates gained an initial foothold following successful exploitation of a SQL server application.\r\nExecution | Command Line Interface (T1059), Graphical User Interface (T1061), PowerShell (T1086), Scheduled Task (T1053), Scripting (T1064), Windows Management Instrumentation (T1047) | Dharma is deployed during interactive RDP sessions. During these sessions, the actors both pass instructions to the CLI and use the graphical user interfaces (GUIs) built into the aforementioned utilities. The CLI may be used to execute dropped scripts (such as with Wscript) or to run PowerShell and WMI commands. In at least one intrusion, actors used the schtasks utility to schedule an executable to run every 60 minutes.\r\nPersistence | Valid Accounts (T1078) | Authentication credentials enable Dharma affiliates to maintain access to target systems without using malware.\r\nPrivilege Escalation | Valid Accounts (T1078), Scheduled Task (T1053) | In the bulk of Dharma intrusions, the operators specifically attempt to gain access to administrator accounts over RDP. Dharma actors may also attempt to use schtasks with the /RL HIGHEST flag to execute a file with the highest privilege level.\r\nDefense Evasion | Bypass UAC (T1088), Disabling Security Tools (T1089), Modify Registry (T1112), Valid Accounts (T1078) | Dharma affiliates use a variety of free utilities to attempt to uninstall security products, as well as using PowerShell (e.g., powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true) or WMI for this purpose. Additionally, in some circumstances Dharma actors will modify registry keys to disable UAC, disable Windows Defender or enable RDP access. The use of administrative accounts allows actors to bypass access controls throughout all phases of the intrusion.\r\nCredential Access | Brute Force (T1110), Credential Dumping (T1003), Credentials in Files (T1081) | Mimikatz allows actors to retrieve credentials from memory. Mimikatz and NirSoft CredentialsFileView each allow collection of credentials from various types of files, including Windows credential files specifically. Additionally, Dharma affiliates use brute force and password spraying over RDP to gain access to systems within a network.\r\nDiscovery | File and Directory Discovery (T1083), Network Share Discovery (T1135), Network Service Scanning (T1046), Process Discovery (T1057), Remote System Discovery (T1018), Security Software Discovery (T1063), System Network Configuration Discovery (T1016), System Network Connections Discovery (T1049) | Dharma affiliates routinely deploy tools to map the LAN that a compromised system is on — including network shares. These actors also likely identify security services in order to attempt to terminate these services. These actors have also used the free Everything indexer tool to enumerate the contents of a victim system.\r\nLateral Movement | Remote Desktop Protocol (T1076), Windows Admin Shares (T1077) | RDP provides the main lateral movement vector for Dharma affiliates, who both use previously collected legitimate credentials and attempt brute force or password spraying. Additionally, Dharma affiliates seek to map and authenticate to network shares in order to encrypt them.\r\nCollection | N/A | There is no evidence Dharma actors seek to steal information from compromised systems.\r\nExfiltration | N/A | There is no evidence Dharma actors seek to steal information from compromised systems.\r\nCommand and Control | Remote File Copy (T1105), Standard Application Layer Protocol (T1071) | The actors typically download a variety of utilities to interfere with security software. As mentioned above, systems are controlled through manual RDP sessions rather than beaconing malware.\r\nImpact | Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490), Service Stop (T1489) | Prior to attempting to execute Dharma, threat actors will typically attempt to delete shadow copies or disable host file backups, and may attempt to stop services running on servers in order to be able to encrypt files accessed by those services.\r\nTable 1. MITRE ATT\u0026CK Mapping\r\nAdditional Resources\r\nDownload the CrowdStrike 2020 Global Threat Report.\r\nTo learn more about how to incorporate intelligence on threat actors and their tactics, techniques and\r\nprocedures (TTPs) into your security strategy, please visit the CROWDSTRIKE FALCON®\r\nINTELLIGENCE™ Threat Intelligence page.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs\r\nagainst today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/"
	],
	"report_names": [
		"targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques"
	],
	"threat_actors": [
		{
			"id": "539855ac-def3-46a0-a490-f33abde7976f",
			"created_at": "2025-08-07T02:03:24.802704Z",
			"updated_at": "2026-04-10T02:00:03.718613Z",
			"deleted_at": null,
			"main_name": "GOLD ANDREW",
			"aliases": [
				"Smoky Spider "
			],
			"source_name": "Secureworks:GOLD ANDREW",
			"tools": [
				"Smoke Loader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "058823d4-60c2-42ab-a3aa-4c10f0ff37c9",
			"created_at": "2022-10-25T16:07:24.57064Z",
			"updated_at": "2026-04-10T02:00:05.036609Z",
			"deleted_at": null,
			"main_name": "Smoky Spider",
			"aliases": [],
			"source_name": "ETDA:Smoky Spider",
			"tools": [
				"Dofoil",
				"Oficla",
				"Sasfis",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fdf30f70-537c-458d-82b2-54b4f09cea48",
			"created_at": "2023-01-06T13:46:39.119613Z",
			"updated_at": "2026-04-10T02:00:03.221272Z",
			"deleted_at": null,
			"main_name": "SMOKY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SMOKY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ccd0f6b5-6d20-4d28-9796-88ab6deb4087",
			"created_at": "2024-06-19T02:03:08.067518Z",
			"updated_at": "2026-04-10T02:00:03.671628Z",
			"deleted_at": null,
			"main_name": "GOLD HERON",
			"aliases": [
				"Doppel Spider "
			],
			"source_name": "Secureworks:GOLD HERON",
			"tools": [
				"Cobalt Strike",
				"DoppelPaymer",
				"Dridex",
				"Grief",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0d0e1ef-3562-40a8-a021-321db92644d9",
			"created_at": "2023-01-06T13:46:39.104046Z",
			"updated_at": "2026-04-10T02:00:03.2146Z",
			"deleted_at": null,
			"main_name": "DOPPEL SPIDER",
			"aliases": [
				"GOLD HERON"
			],
			"source_name": "MISPGALAXY:DOPPEL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d555c5da-abe4-42aa-a8cf-77b68905891a",
			"created_at": "2022-10-25T16:07:23.548385Z",
			"updated_at": "2026-04-10T02:00:04.65211Z",
			"deleted_at": null,
			"main_name": "Doppel Spider",
			"aliases": [
				"Gold Heron",
				"Grief Group"
			],
			"source_name": "ETDA:Doppel Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DoppelPaymer",
				"Pay OR Grief",
				"Pay or Grief",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434944,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2bd4330cf769f9a90c5c591112ef2a9546884e59.pdf",
		"text": "https://archive.orkl.eu/2bd4330cf769f9a90c5c591112ef2a9546884e59.txt",
		"img": "https://archive.orkl.eu/2bd4330cf769f9a90c5c591112ef2a9546884e59.jpg"
	}
}