{
	"id": "7d028311-9e48-4336-bada-647f1de81a42",
	"created_at": "2026-04-06T00:15:18.610996Z",
	"updated_at": "2026-04-10T03:33:15.434601Z",
	"deleted_at": null,
	"sha1_hash": "331d21f3eedc1d0f1659945426fd3ded4143b695",
	"title": "Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48467,
	"plain_text": "Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal\r\nGroup Behind Dridex Malware\r\nPublished: 2026-02-13 · Archived: 2026-04-05 14:02:34 UTC\r\nWashington – Today the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) took action\r\nagainst Evil Corp, the Russia-based cybercriminal organization responsible for the development and distribution\r\nof the Dridex malware.  Evil Corp has used the Dridex malware to infect computers and harvest login credentials\r\nfrom hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft.\r\n This malicious software has caused millions of dollars of damage to U.S. and international financial institutions\r\nand their customers.  Concurrent with OFAC’s action, the Department of Justice charged two of Evil Corp’s\r\nmembers with criminal violations, and the Department of State announced a reward for information up to $5\r\nmillion leading to the capture or conviction of Evil Corp’s leader.  These U.S. actions were carried out in close\r\ncoordination with the United Kingdom’s National Crime Agency (NCA).  Additionally, based on information\r\nobtained by the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), the Treasury\r\nDepartment’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) released previously\r\nunreported indicators of compromise associated with the Dridex malware and its use against the financial services\r\nsector.   \r\n“Treasury is sanctioning Evil Corp as part of a sweeping action against one of the world’s most prolific\r\ncybercriminal organizations.  This coordinated action is intended to disrupt the massive phishing campaigns\r\norchestrated by this Russian-based hacker group,” said Steven T. Mnuchin, Secretary of the Treasury.  “OFAC’s\r\naction is part of a multiyear effort with key NATO allies, including the United Kingdom.  
Our goal is to shut down\r\nEvil Corp, deter the distribution of Dridex, target the “money mule” network used to transfer stolen funds, and\r\nultimately to protect our citizens from the group’s criminal activities.”\r\nWorldwide, cybercrime results in losses that total in the billions of dollars, while in the United States, financial\r\ninstitutions and other businesses remain prime targets for cybercriminals.  Today’s action clarifies that, in addition\r\nto his involvement in financially motivated cybercrime, the group’s leader, Maksim Yakubets, also provides direct\r\nassistance to the Russian government’s malicious cyber efforts, highlighting the Russian government’s enlistment\r\nof cybercriminals for its own malicious purposes.  Maksim Yakubets is not the first cybercriminal to be tied to the\r\nRussian government.  In 2017, the Department of Justice indicted two Russian Federal Security Service (FSB)\r\nofficers and their criminal conspirators for compromising millions of Yahoo email accounts.  The United States\r\nGovernment will not tolerate this type of activity by another government or its proxies and will continue to hold\r\nall responsible parties accountable.\r\nToday’s designations and indictments were issued in furtherance of previous international actions targeting Evil\r\nCorp in an effort to further disrupt and degrade the group’s ability to operate.  In October 2015, the Department of\r\nJustice indicted Andrey Ghinkul for spreading the Dridex malware.  At that same time, the Federal Bureau of\r\nInvestigation and the NCA disrupted the global infrastructure utilized at the time by Evil Corp.  
Over the past\r\nseveral years, the NCA and the United Kingdom’s Metropolitan Police Service have arrested multiple individuals\r\nwho enabled the activities of Evil Corp, including laundering stolen proceeds acquired through the Dridex\r\nmalware.\r\nAs a result of today’s designations, all property and interests in property of these persons subject to U.S.\r\njurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.\r\n Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked.  Foreign\r\npersons may be subject to secondary sanctions for knowingly facilitating a significant transaction or transactions\r\nwith these designated persons.\r\nDesignation Targets\r\nToday’s action targets 17 individuals and seven entities to include Evil Corp, its core cyber operators, multiple\r\nbusinesses associated with a group member, and financial facilitators utilized by the group.  OFAC designated\r\nthese persons pursuant to Executive Order (E.O.) 13694, as amended, which targets malicious cyber-enabled\r\nactors around the world, and as codified by the Countering America’s Adversaries Through Sanctions Act.\r\nDRIDEX infection chain photo\r\nEvil Corp is the Russia-based cybercriminal organization responsible for the development and distribution of the\r\nDridex malware.  The Dridex malware is a multifunctional malware package that is designed to automate the theft\r\nof confidential information, to include online banking credentials from infected computers.  Dridex is traditionally\r\nspread through massive phishing email campaigns that seek to entice victims to click on malicious links or\r\nattachments embedded within the emails.  Once a system is infected, Evil Corp uses compromised credentials to\r\nfraudulently transfer funds from victims’ bank accounts to those of accounts controlled by the group.  
As of 2016,\r\nEvil Corp had harvested banking credentials from customers at approximately 300 banks and financial institutions\r\nin over 40 countries, making the group one of the main financial threats faced by businesses.  In particular, Evil\r\nCorp heavily targets financial services sector organizations located in the United States and the United Kingdom.\r\n Through their use of the Dridex malware, Evil Corp has illicitly earned at least $100 million, though it is likely\r\nthat the total of their illicit proceeds is significantly higher.  As a result of this activity, Evil Corp is being\r\ndesignated pursuant to E.O. 13694, as amended, for engaging in cyber-enabled activities that have the effect of\r\ncausing a significant misappropriation of funds or economic resources for private financial gain. \r\nEvil Corp operates as a business run by a group of individuals based in Moscow, Russia, who have years of\r\nexperience and well-developed, trusted relationships with each other.  Maksim Yakubets (Yakubets) serves as\r\nEvil Corp’s leader and is responsible for managing and supervising the group’s malicious cyber activities.  For\r\nexample, as of 2017, Yakubets supervised Evil Corp actors who were attempting to target U.S. companies.  As of\r\n2015, Yakubets maintained control of the Dridex malware and was in direct communication with Andrey Ghinkul\r\nprior to the unsealing of his indictment.  As a result, Yakubets is being designated pursuant to E.O. 13694, as\r\namended, for having acted for or on behalf of and for providing material assistance to Evil Corp.  Prior to serving\r\nin this leadership role for Evil Corp, Yakubets was also directly associated with Evgeniy Bogachev, a previously\r\ndesignated Russian cybercriminal responsible for the distribution of the Zeus, Jabber Zeus, and GameOver Zeus\r\nmalware schemes.  
In particular, Yakubets was responsible for recruiting and managing a network of individuals\r\nresponsible for facilitating the movement of money illicitly gained through the efforts spearheaded by Evgeniy\r\nBogachev.  Yakubets is the subject of an indictment and criminal complaint unsealed today by the Department of\r\nJustice, while the Department of State announced a $5 million reward for information leading to the capture of\r\nYakubets. \r\nIn addition to his leadership role within Evil Corp, Yakubets has also provided direct assistance to the Russian\r\ngovernment.  As of 2017, Yakubets was working for the Russian FSB, one of Russia’s leading intelligence\r\norganizations that was previously sanctioned pursuant to E.O. 13694, as amended, on December 28, 2016.   As of\r\nApril 2018, Yakubets was in the process of obtaining a license to work with Russian classified information from\r\nthe FSB.  As a result, Yakubets is also being designated pursuant to E.O. 13694, as amended, for providing\r\nmaterial assistance to the FSB.  Additionally, as of 2017, Yakubets was tasked to work on projects for the Russian\r\nstate, to include acquiring confidential documents through cyber-enabled means and conducting cyber-enabled\r\noperations on its behalf.\r\nAnother key Evil Corp figure targeted today is Igor Turashev (Turashev).  As of 2017, Turashev was involved in\r\nhelping Evil Corp exploit victims’ networks.  As of 2015, Turashev served as an administrator for Yakubets and\r\nhad control over the Dridex malware.  As a result, Turashev is being designated pursuant to E.O. 13694, as\r\namended, for having acted for or on behalf of and for providing material assistance to Evil Corp.  
Turashev is also\r\nthe subject of an indictment unsealed today by the Department of Justice.\r\nDenis Gusev (Gusev), a senior member of Evil Corp, is also being designated today for his active role in\r\nfurthering Evil Corp’s activities.  As of 2017, Gusev was involved in helping Evil Corp move to a new office\r\nlocation and as of 2018, Gusev served as a financial facilitator for Evil Corp and its members.  As a result, Gusev\r\nis being designated pursuant to E.O. 13694, as amended, for having acted for or on behalf of and for providing\r\nmaterial assistance to Evil Corp.\r\nGusev also serves as the General Director for six Russia-based businesses. These entities include Biznes-Stolitsa,\r\nOOO, Optima, OOO, Treid-Invest, OOO, TSAO, OOO, Vertikal, OOO, and Yunikom, OOO.  As a result,\r\nthese entities are being designated pursuant to E.O. 13694, as amended, for being owned or controlled by Gusev.\r\nIn addition to Yakubets, Turashev, and Gusev, Evil Corp relies upon a cadre of core individuals to carry out critical\r\nlogistical, technical, and financial functions such as managing the Dridex malware, supervising the operators\r\nseeking to target new victims, and laundering the proceeds derived from the group’s activities.  These additional\r\ncore members of the group include Dmitriy Smirnov, Artem Yakubets, Ivan Tuchkov, Andrey Plotnitskiy,\r\nDmitriy Slobodskoy, and Kirill Slobodskoy.  As a result, these six individuals are being designated pursuant to\r\nE.O. 13694, as amended, for having acted for or on behalf of and for providing material assistance to Evil Corp.\r\nTo transfer the proceeds gained through their use of the Dridex malware, Evil Corp relies upon a network of\r\nmoney mules who are involved in transferring stolen funds obtained from victims’ bank accounts to accounts\r\ncontrolled by members of Evil Corp.  
Previously, the NCA arrested multiple individuals in the United Kingdom\r\nsuspected of laundering the criminal profits of cybercrime schemes, including those perpetrated by Evil Corp,\r\nthrough hundreds of accounts at various banks in the United Kingdom.  Today, OFAC is designating eight\r\nMoscow-based individuals who have served as financial facilitators for Evil Corp.  These individuals include\r\nAleksei Bashlikov, Ruslan Zamulko, David Guberman, Carlos Alvares, Georgios Manidis, Tatiana\r\nShevchuk, Azamat Safarov, and Gulsara Burkhonova.  As a result, these eight individuals are being designated\r\npursuant to E.O. 13694, as amended, for providing financial and material assistance to Evil Corp.\r\nThe Treasury Department’s FinCEN and OCCIP announcement can be found here.  \r\n####\r\nSource: https://home.treasury.gov/news/press-releases/sm845",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://home.treasury.gov/news/press-releases/sm845"
	],
	"report_names": [
		"sm845"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434518,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/331d21f3eedc1d0f1659945426fd3ded4143b695.pdf",
		"text": "https://archive.orkl.eu/331d21f3eedc1d0f1659945426fd3ded4143b695.txt",
		"img": "https://archive.orkl.eu/331d21f3eedc1d0f1659945426fd3ded4143b695.jpg"
	}
}