{ "id": "69055ff9-ff2a-41a3-8d94-a7498a0a6b4b", "created_at": "2026-04-06T00:18:08.830059Z", "updated_at": "2026-04-10T03:36:37.090492Z", "deleted_at": null, "sha1_hash": "84fb4151154b1cb5cc9c06eafb1e624e10969ac1", "title": "Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 243659, "plain_text": "Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline\r\nAttack\r\nBy CrowdStrike Intelligence Team\r\nArchived: 2026-04-05 14:40:04 UTC\r\nThe eCrime ecosystem is an active and diverse economy of financially motivated threat actors\r\nengaging in a myriad of criminal activities to generate revenue. With the CrowdStrike eCrime Index (ECX),\r\nCrowdStrike’s Intelligence team maintains a composite score to track changes to this ecosystem. The ECX is\r\ncomposed of several key observables covering different aspects of criminal activity that are combined using a\r\nmathematical model. In recent weeks, the Intelligence team observed a notable shift in big game hunting (BGH)\r\nactivity and tactics, techniques and procedures (TTPs) that resulted in a downward trend of the ECX. As noted in a\r\nprevious CrowdStrike Intelligence blog, the intense attention surrounding the Colonial Pipeline and JBS incidents\r\nhad a significant impact on the criminal marketplace and the political landscape. Get more Intel updates on the\r\nlatest eCrime activity and TTPs at Fal.Con, our annual cybersecurity conference, Oct. 12-14 — register for free\r\ntoday.\r\nECX Suggests Downward Trend in Ransomware Operations Following Colonial\r\nPipeline Attack\r\nBy the time of the Colonial Pipeline attack on May 7, 2021, observed BGH ransomware incidents had reached a\r\nyearly high. However, publicly observable BGH activity declined throughout early June 2021, immediately after\r\nthe incident, amid reports of mounting U.S. pressure to pursue BGH actors. A similar decline was also observed in\r\nthe number of specific leaks posted to adversaries’ dedicated leak sites (DLS). Despite the decline in the ECX,\r\nthere has been sustained ransomware activity, likely indicating that a number of adversaries are remaining active\r\nhttps://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/\r\nPage 1 of 4\n\ndespite the dismantling of other groups.\r\nBGH Actor Developments\r\nBGH adversaries responded to the Colonial Pipeline ransomware incident and the resulting widespread media\r\ncoverage in many ways. Some named actors shuttered ransomware-as-a-service (RaaS) affiliate programs — at\r\nleast publicly — while others have continued deploying ransomware.\r\nCARBON SPIDER (operators of DarkSide ransomware) continues to create active command-and-control (C2)\r\nservers to deploy their Domenus PS backdoor and Cobalt Strike post-exploitation framework. The activation of\r\nnew C2 servers demonstrates that CARBON SPIDER has not halted activities despite allegedly losing control of\r\nDarkSide-related infrastructure and having their ransomware funds seized by the U.S. government.1\r\n However, in\r\nlate July 2021, CrowdStrike Intelligence observed a new ransomware called BlackMatter being distributed. Code\r\noverlaps indicate that BlackMatter is highly likely the successor of CARBON SPIDER’s DarkSide ransomware.\r\nCARBON SPIDER has also created a Linux version of BlackMatter that resembles the Linux version of DarkSide\r\nin multiple ways. After taking a short break, CARBON SPIDER reinstated their BGH operations involving this\r\nRaaS and have stated that they have an interest in purchasing and executing unauthorized access to corporate\r\nnetworks. RIDDLE SPIDER (operators of Avaddon ransomware) closed down their operations in late June.\r\nEarlier in June 2021, media sources allegedly received emails containing a password and links to 7zip files\r\ncontaining Avaddon ransomware decryption keys.2\r\n RIDDLE SPIDER’s DLS also went offline in June. While\r\nCrowdStrike Intelligence cannot confirm RIDDLE SPIDER’s motivations for closing down the Avaddon RaaS,\r\nthe decision was likely influenced by the Colonial Pipeline incident and its resulting effects throughout the\r\nransomware industry. GRACEFUL SPIDER had several members of their group arrested on June 16, 2021, by a\r\njoint international law enforcement operation.3 These members were involved in laundering cryptocurrency funds\r\nacquired through the use of GRACEFUL SPIDER’s Clop ransomware.\r\nhttps://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/\r\nPage 2 of 4\n\nThe immediate impact to GRACEFUL SPIDER operations resulting from these arrests is currently unclear.\r\nGRACEFUL SPIDER’s DLS site remains active after the arrests, with two new listings in June, indicating they\r\nhave not ceased their activity. PINCHY SPIDER (developers and operators of the popular REvil RaaS) continued\r\noperating at a high pace throughout June and early July 2021, and the group introduced a new ransomware named\r\nREvix, which is used to target ESXi and Linux environments. However, on the morning of July 13, 2021,\r\nPINCHY SPIDER’s REvil infrastructure supporting their DLS and payment portal went offline. On the same day,\r\nthe forum administrator of the Russian-language criminal forum XSS banned the actor Unknown (aka UNKN),\r\nwho has acted as the public spokesperson for PINCHY SPIDER since 2019. PINCHY SPIDER had released REvil\r\nversion 2.08 a few days prior, confirming the ransomware was under active development, and version 1.2 of REvix\r\nwas observed on July 23. On Sept. 7, after an approximately three month hiatus, CrowdStrike Intelligence\r\nobserved PINCHY SPIDER’s REvil infrastructure come back online. Financial activity in terms of BTC\r\ntransactions from previously identified REvil addresses was also detected on Sept. 5. On June 4, a sample of\r\nINDRIK SPIDER’s Hades ransomware was identified using the name PAYLOADBIN, similar to Babuk Locker’s\r\nDLS site Payload.bin. INDRIK SPIDER likely switched the names in an effort to avoid attribution by law\r\nenforcement and therefore avoid Office of Foreign Assets Control (OFAC) sanctions. Prior to this recent name\r\nchange, INDRIK SPIDER attempted to change the names of Hades and their Phoenix CryptoLocker ransomware\r\nat least one other time to avoid OFAC sanctions. The changes made to avoid these sanctions indicates that\r\nINDRIK SPIDER desires to continue their deployment of ransomware. In July 2021, CrowdStrike Intelligence\r\ndetermined that Grief ransomware is developed by DOPPEL SPIDER, likely as an intended successor to\r\nDoppelPaymer ransomware. The cessation in DoppelPaymer activity coincided with the emergence of the Grief\r\nDLS that was first observed in May. Analysis of recently identified Grief samples indicates a number of technical\r\noverlaps with DOPPEL SPIDER’s wider toolset that provides a definitive link to the adversary. WIZARD\r\nSPIDER continues to actively deploy Conti ransomware and update the Conti DLS. In June 2021, WIZARD\r\nSPIDER continued to target large entities in Europe and the United States, including organizations in real estate,\r\neducation and local government. Recent developments related to the Colonial Pipeline and JBS incidents have not\r\nslowed down WIZARD SPIDER’s ransomware operations. This indicates WIZARD SPIDER remains largely\r\nunaffected by external pressure, similar to their response to the September 2020 takedown efforts targeting\r\nTrickBot infrastructure.\r\nOutlook\r\nThe confluence of U.S. and international law enforcement pressure and forum bans on ransomware activity has\r\nled to a highly fluid and chaotic situation in the eCrime ecosystem. The ECX has indicated a change in BGH\r\nactivity May through June 2021 as well as the persistence of ongoing BGH incidents at a level observed in the\r\nfirst quarter of 2021. However, the downward trend in BGH victims posted to DLSs in June likely indicates that\r\nsome BGH actors have shifted TTPs to make tracking their activity more difficult. Numerous adversaries have\r\nshown themselves keen to take advantage of the situation and to attract new affiliates. These adversaries have\r\nexplicitly expressed their intent to continue ransomware operations despite reports of possible U.S.-Russian\r\ncollaboration — or more aggressive unilateral enforcement actions by the U.S. — in response to incidents,\r\nsuggesting that a complete drop in BGH activity is highly unlikely to occur in the near future.\r\nThe ECX remains a valuable tool used to identify significant events affecting the eCrime ecosystem. The ECX\r\nprovides an easily referenced index to mark areas of disruption or change in the eCrime ecosystem in real time.\r\nhttps://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/\r\nPage 3 of 4\n\nMonitor the ECX regularly in the CrowdStrike Adversary Universe to make sure you stay up-to-date on eCrime\r\ntrends.\r\nEndnotes\r\n1. https\u003c:\u003e//www.justice\u003c.\u003egov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside\r\n2. https\u003c:\u003e//www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/\r\n3. https\u003c:\u003e//www.npu.gov\u003c.\u003eua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/\r\nAdditional Resources\r\nLearn how CrowdStrike Falcon® Intelligence Recon™ mitigates digital risk from the deep, dark web and\r\nbeyond.\r\nRead about BGH adversaries tracked by CrowdStrike Intelligence in 2020 in the CrowdStrike 2021 Global\r\nThreat Report.\r\nTo find out how to incorporate intelligence on threat actors into your security strategy, visit the\r\nCROWDSTRIKE FALCON® INTELLIGENCE™ Threat Intelligence page.\r\nLearn about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product webpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs\r\nagainst today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/\r\nhttps://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/" ], "report_names": [ "how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack" ], "threat_actors": [ { "id": "8670f370-1865-4264-9a1b-0dfe7617c329", "created_at": "2022-10-25T16:07:23.69953Z", "updated_at": "2026-04-10T02:00:04.716126Z", "deleted_at": null, "main_name": "Hades", "aliases": [ "Operation TrickyMouse" ], "source_name": "ETDA:Hades", "tools": [ "Brave Prince", "Gold Dragon", "GoldDragon", "Lovexxx", "Olympic Destroyer", "Running RAT", "RunningRAT", "SOURGRAPE", "running_rat" ], "source_id": "ETDA", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "8610b0d9-a6af-4010-818f-28671efc5d5e", "created_at": "2023-01-06T13:46:38.897477Z", "updated_at": "2026-04-10T02:00:03.138459Z", "deleted_at": null, "main_name": "PINCHY SPIDER", "aliases": [], "source_name": "MISPGALAXY:PINCHY SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c84bbd2e-003d-4c43-8a46-d777455db2c7", "created_at": "2022-10-25T15:50:23.701006Z", "updated_at": "2026-04-10T02:00:05.378962Z", "deleted_at": null, "main_name": "GOLD SOUTHFIELD", "aliases": [ "GOLD SOUTHFIELD", "Pinchy Spider" ], "source_name": "MITRE:GOLD SOUTHFIELD", "tools": [ "ConnectWise", "REvil" ], "source_id": "MITRE", "reports": null }, { "id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998", "created_at": "2023-01-06T13:46:39.207556Z", "updated_at": "2026-04-10T02:00:03.246557Z", "deleted_at": null, "main_name": "RIDDLE SPIDER", "aliases": [], "source_name": "MISPGALAXY:RIDDLE SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "50068c14-343c-4491-b568-df41dd59551c", "created_at": "2022-10-25T15:50:23.253218Z", "updated_at": "2026-04-10T02:00:05.234464Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Indrik Spider", "Evil Corp", "Manatee Tempest", "DEV-0243", "UNC2165" ], "source_name": "MITRE:Indrik Spider", "tools": [ "Mimikatz", "PsExec", "Dridex", "WastedLocker", "BitPaymer", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "f6f91e1c-9202-4497-bf22-9cd5ef477600", "created_at": "2023-01-06T13:46:38.86765Z", "updated_at": "2026-04-10T02:00:03.12735Z", "deleted_at": null, "main_name": "WIZARD SPIDER", "aliases": [ "TEMP.MixMaster", "GOLD BLACKBURN", "DEV-0193", "UNC2053", "Pistachio Tempest", "DEV-0237", "Storm-0230", "FIN12", "Periwinkle Tempest", "Storm-0193", "Trickbot LLC" ], "source_name": "MISPGALAXY:WIZARD SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b296f34c-c424-41da-98bf-90312a5df8ef", "created_at": "2024-06-19T02:03:08.027585Z", "updated_at": "2026-04-10T02:00:03.621193Z", "deleted_at": null, "main_name": "GOLD DRAKE", "aliases": [ "Evil Corp", "Indrik Spider ", "Manatee Tempest " ], "source_name": "Secureworks:GOLD DRAKE", "tools": [ "BitPaymer", "Cobalt Strike", "Covenant", "Donut", "Dridex", "Hades", "Koadic", "LockBit", "Macaw Locker", "Mimikatz", "Payload.Bin", "Phoenix CryptoLocker", "PowerShell Empire", "PowerSploit", "SocGholish", "WastedLocker" ], "source_id": "Secureworks", "reports": null }, { "id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e", "created_at": "2024-06-04T02:03:07.799286Z", "updated_at": "2026-04-10T02:00:03.606456Z", "deleted_at": null, "main_name": "GOLD BLACKBURN", "aliases": [ "ITG23 ", "Periwinkle Tempest ", "Wizard Spider " ], "source_name": "Secureworks:GOLD BLACKBURN", "tools": [ "BazarLoader", "Buer Loader", "Bumblebee", "Dyre", "Team9", "TrickBot" ], "source_id": "Secureworks", "reports": null }, { "id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9", "created_at": "2023-01-06T13:46:38.839083Z", "updated_at": "2026-04-10T02:00:03.117987Z", "deleted_at": null, "main_name": "INDRIK SPIDER", "aliases": [ "Manatee Tempest" ], "source_name": "MISPGALAXY:INDRIK SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59", "created_at": "2024-06-19T02:03:08.128175Z", "updated_at": "2026-04-10T02:00:03.636663Z", "deleted_at": null, "main_name": "GOLD TAHOE", "aliases": [ "Cl0P Group Identity", "FIN11 ", "GRACEFUL SPIDER ", "SectorJ04 ", "Spandex Tempest ", "TA505 " ], "source_name": "Secureworks:GOLD TAHOE", "tools": [ "Clop", "Cobalt Strike", "FlawedAmmy", "Get2", "GraceWire", "Malichus", "SDBbot", "ServHelper", "TrueBot" ], "source_id": "Secureworks", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9df68733-9bcd-43b1-88f1-24b110fa3d56", "created_at": "2022-10-25T16:07:24.051993Z", "updated_at": "2026-04-10T02:00:04.851037Z", "deleted_at": null, "main_name": "Pinchy Spider", "aliases": [ "G0115", "Gold Garden", "Gold Southfield", "Pinchy Spider" ], "source_name": "ETDA:Pinchy Spider", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "GandCrab", "GrandCrab", "REvil", "Sodin", "Sodinokibi", "VIDAR", "Vidar Stealer", "certutil", "certutil.exe", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "ccd0f6b5-6d20-4d28-9796-88ab6deb4087", "created_at": "2024-06-19T02:03:08.067518Z", "updated_at": "2026-04-10T02:00:03.671628Z", "deleted_at": null, "main_name": "GOLD HERON", "aliases": [ "Doppel Spider " ], "source_name": "Secureworks:GOLD HERON", "tools": [ "Cobalt Strike", "DoppelPaymer", "Dridex", "Grief", "PowerShell Empire" ], "source_id": "Secureworks", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "9806f226-935f-48eb-b138-6616c9bb9d69", "created_at": "2022-10-25T16:07:23.73153Z", "updated_at": "2026-04-10T02:00:04.729977Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Blue Lelantos", "DEV-0243", "Evil Corp", "G0119", "Gold Drake", "Gold Winter", "Manatee Tempest", "Mustard Tempest", "UNC2165" ], "source_name": "ETDA:Indrik Spider", "tools": [ "Advanced Port Scanner", "Agentemis", "Babuk", "Babuk Locker", "Babyk", "BitPaymer", "Bugat", "Bugat v5", "Cobalt Strike", "CobaltStrike", "Cridex", "Dridex", "EmPyre", "EmpireProject", "FAKEUPDATES", "FakeUpdate", "Feodo", "FriedEx", "Hades", "IEncrypt", "LINK_MSIEXEC", "MEGAsync", "Macaw Locker", "Metasploit", "Mimikatz", "PayloadBIN", "Phoenix Locker", "PowerShell Empire", "PowerSploit", "PsExec", "QNAP-Worm", "Raspberry Robin", "RaspberryRobin", "SocGholish", "Vasa Locker", "WastedLoader", "WastedLocker", "cobeacon", "wp_encrypt" ], "source_id": "ETDA", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "63061658-5810-4f01-9620-7eada7e9ae2e", "created_at": "2022-10-25T15:50:23.752974Z", "updated_at": "2026-04-10T02:00:05.244531Z", "deleted_at": null, "main_name": "Wizard Spider", "aliases": [ "Wizard Spider", "UNC1878", "TEMP.MixMaster", "Grim Spider", "FIN12", "GOLD BLACKBURN", "ITG23", "Periwinkle Tempest", "DEV-0193" ], "source_name": "MITRE:Wizard Spider", "tools": [ "TrickBot", "AdFind", "BITSAdmin", "Bazar", "LaZagne", "Nltest", "GrimAgent", "Dyre", "Ryuk", "Conti", "Emotet", "Rubeus", "Mimikatz", "Diavol", "PsExec", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "a0d0e1ef-3562-40a8-a021-321db92644d9", "created_at": "2023-01-06T13:46:39.104046Z", "updated_at": "2026-04-10T02:00:03.2146Z", "deleted_at": null, "main_name": "DOPPEL SPIDER", "aliases": [ "GOLD HERON" ], "source_name": "MISPGALAXY:DOPPEL SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d555c5da-abe4-42aa-a8cf-77b68905891a", "created_at": "2022-10-25T16:07:23.548385Z", "updated_at": "2026-04-10T02:00:04.65211Z", "deleted_at": null, "main_name": "Doppel Spider", "aliases": [ "Gold Heron", "Grief Group" ], "source_name": "ETDA:Doppel Spider", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "DoppelPaymer", "Pay OR Grief", "Pay or Grief", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c", "created_at": "2022-10-25T16:07:24.12696Z", "updated_at": "2026-04-10T02:00:04.875073Z", "deleted_at": null, "main_name": "Riddle Spider", "aliases": [ "Avaddon Team" ], "source_name": "ETDA:Riddle Spider", "tools": [ "Avaddon" ], "source_id": "ETDA", "reports": null }, { "id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3", "created_at": "2023-01-06T13:46:38.860754Z", "updated_at": "2026-04-10T02:00:03.125179Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "SectorJ04", "SectorJ04 Group", "ATK103", "GRACEFUL SPIDER", "GOLD TAHOE", "Dudear", "G0092", "Hive0065", "CHIMBORAZO", "Spandex Tempest" ], "source_name": "MISPGALAXY:TA505", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3", "created_at": "2022-10-25T16:07:24.422115Z", "updated_at": "2026-04-10T02:00:04.983298Z", "deleted_at": null, "main_name": "Wizard Spider", "aliases": [ "DEV-0193", "G0102", "Gold Blackburn", "Gold Ulrick", "Grim Spider", "ITG23", "Operation BazaFlix", "Periwinkle Tempest", "Storm-0230", "TEMP.MixMaster", "Wizard Spider" ], "source_name": "ETDA:Wizard Spider", "tools": [ "AdFind", "Agentemis", "Anchor_DNS", "BEERBOT", "BazarBackdoor", "BazarCall", "BazarLoader", "Cobalt Strike", "CobaltStrike", "Conti", "Diavol", "Dyranges", "Dyre", "Dyreza", "Dyzap", "Gophe", "Invoke-SMBAutoBrute", "KEGTAP", "LaZagne", "LightBot", "PowerSploit", "PowerTrick", "PsExec", "Ryuk", "SessionGopher", "TSPY_TRICKLOAD", "Team9Backdoor", "The Trick", "TheTrick", "Totbrick", "TrickBot", "TrickLoader", "TrickMo", "Upatre", "bazaloader", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "e447d393-c259-46e2-9932-19be2ba67149", "created_at": "2022-10-25T16:07:24.28282Z", "updated_at": "2026-04-10T02:00:04.921616Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "ATK 103", "Chimborazo", "G0092", "Gold Evergreen", "Gold Tahoe", "Graceful Spider", "Hive0065", "Operation Tovar", "Operation Trident Breach", "SectorJ04", "Spandex Tempest", "TA505", "TEMP.Warlock" ], "source_name": "ETDA:TA505", "tools": [ "Amadey", "AmmyyRAT", "AndroMut", "Azer", "Bart", "Bugat v5", "CryptFile2", "CryptoLocker", "CryptoMix", "CryptoShield", "Dridex", "Dudear", "EmailStealer", "FRIENDSPEAK", "Fake Globe", "Fareit", "FlawedAmmyy", "FlawedGrace", "FlowerPippi", "GOZ", "GameOver Zeus", "GazGolder", "Gelup", "Get2", "GetandGo", "GlobeImposter", "Gorhax", "GraceWire", "Gussdoor", "Jaff", "Kasidet", "Kegotip", "Kneber", "LOLBAS", "LOLBins", "Living off the Land", "Locky", "MINEBRIDGE", "MINEBRIDGE RAT", "MirrorBlast", "Neutrino Bot", "Neutrino Exploit Kit", "P2P Zeus", "Peer-to-Peer Zeus", "Philadelphia", "Philadephia Ransom", "Pony Loader", "Rakhni", "ReflectiveGnome", "Remote Manipulator System", "RockLoader", "RuRAT", "SDBbot", "ServHelper", "Shifu", "Siplog", "TeslaGun", "TiniMet", "TinyMet", "Trojan.Zbot", "Wsnpoem", "Zbot", "Zeta", "ZeuS", "Zeus" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434688, "ts_updated_at": 1775792197, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/84fb4151154b1cb5cc9c06eafb1e624e10969ac1.pdf", "text": "https://archive.orkl.eu/84fb4151154b1cb5cc9c06eafb1e624e10969ac1.txt", "img": "https://archive.orkl.eu/84fb4151154b1cb5cc9c06eafb1e624e10969ac1.jpg" } }