{
	"id": "c95b932d-51de-4286-940a-fd5b579edafc",
	"created_at": "2026-04-06T00:16:35.402175Z",
	"updated_at": "2026-04-10T03:33:15.478033Z",
	"deleted_at": null,
	"sha1_hash": "7c191107fadf7d4326a1539d50889d4244605753",
	"title": "New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3070221,
	"plain_text": "New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions\r\nBy Lawrence Abrams\r\nPublished: 2021-06-06 · Archived: 2026-04-05 19:33:39 UTC\r\nThe new PayloadBIN ransomware has been attributed to the Evil Corp cybercrime gang, which has rebranded to evade sanctions imposed by the US Treasury Department's Office of Foreign Assets Control (OFAC).\r\nThe Evil Corp gang, also known as Indrik Spider and the Dridex gang, started as an affiliate for the ZeuS botnet. Over time, they formed a group that focused on distributing the banking trojan and downloader called Dridex via phishing emails.\r\nAs cybergangs started to transition to highly profitable ransomware attacks, Evil Corp launched a ransomware operation called BitPaymer, which was delivered via the Dridex malware in compromised corporate networks.\r\nhttps://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/\r\nPage 1 of 5\r\nAfter being sanctioned by the US government in 2019, ransomware negotiation firms refused to facilitate ransom payments for Evil Corp ransomware attacks to avoid facing fines or legal action from the Treasury Department.\r\nEvil Corp began renaming their ransomware operations to different names such as WastedLocker, Hades, and Phoenix to bypass these sanctions.\r\nThe threat actors used Phoenix in an attack on insurance firm CNA.\r\nEvil Corp impersonates Payload Bin hacking group\r\nAfter breaching the Metropolitan Police Department in Washington, DC, and stealing unencrypted data, the Babuk gang said they were quitting ransomware encryption and would instead focus on data theft and extortion.\r\nAt the end of May, the Babuk data leak site had a design refresh in which the ransomware gang rebranded as a new group called 'payload bin,' shown below.\r\nOn Thursday, BleepingComputer found a new ransomware sample called PayloadBIN [VirusTotal] that we immediately assumed was related to the rebranding of Babuk Locker.\r\nWhen installed, the ransomware will append the .PAYLOADBIN extension to encrypted files, as shown below.\r\nFiles encrypted by PayloadBIN\r\nFurthermore, the ransom note is named 'PAYLOADBIN-README.txt' and states that the victim's \"networks is LOCKED with PAYLOADBIN ransomware.\"\r\nPayloadBIN ransom note\r\nAfter finding the sample, BleepingComputer thought Babuk was lying about their intentions to move away from ransomware and had rebranded under a new name.\r\nHowever, after analyzing the new ransomware, both Fabian Wosar of Emsisoft and Michael Gillespie of ID Ransomware confirmed that the ransomware is a rebranding of Evil Corp's previous ransomware operations.\r\nWhile discussing why they would have impersonated another cybercrime group, Wosar felt that they saw and took an opportunity to impersonate a hacking group that is not sanctioned.\r\n\"Now they had a gang rebranding and just took the opportunity.\" - Fabian Wosar.\r\nAs the ransomware is now attributed to a sanctioned hacking group, most ransomware negotiation firms will likely not help facilitate payments for victims affected by the PayloadBIN ransomware.\r\nSource: https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/"
	],
	"report_names": [
		"new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434595,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c191107fadf7d4326a1539d50889d4244605753.pdf",
		"text": "https://archive.orkl.eu/7c191107fadf7d4326a1539d50889d4244605753.txt",
		"img": "https://archive.orkl.eu/7c191107fadf7d4326a1539d50889d4244605753.jpg"
	}
}