Sprite Spider, Gold Dupont - Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 20:10:19 UTC

APT group: Sprite Spider, Gold Dupont

Names: Sprite Spider (CrowdStrike), Gold Dupont (SecureWorks)
Country: [Unknown]
Motivation: Financial crime, Financial gain
First seen: 2015

Description (CrowdStrike)
In 2020, CrowdStrike Intelligence observed both SPRITE SPIDER (the operators of Defray777) and CARBON SPIDER, Anunak (the operators of DarkSide) deploy Linux versions of their respective ransomware families on ESXi hosts during Big Game Hunting (BGH) operations. While ransomware for Linux has existed for many years, BGH actors have historically not targeted Linux ESXi specifically. ESXi is a type of hypervisor that runs on dedicated hardware and manages multiple virtual machines. With more organizations migrating to virtualization solutions to consolidate legacy IT systems, this is a natural target for ransomware operators looking to increase the impact against a victim.

All identified incidents were enabled by the acquisition of valid credentials. In four separate Defray777 incidents, SPRITE SPIDER used administrator credentials to log in through the vCenter web interface. In one instance, SPRITE SPIDER used the PyXie remote access trojan (RAT) LaZagne module to harvest vCenter administrator credentials stored in a web browser.

By targeting these hosts, ransomware operators are able to quickly encrypt multiple systems with relatively few actual ransomware deployments. Encrypting one ESXi server inflicts the same amount of damage as individually deploying ransomware on each VM hosted on a given server. Consequently, targeting ESXi hosts can also improve the speed of BGH operations. Additionally, due to their lack of conventional operating systems, ESXi hosts lack endpoint protection software that can prevent or detect ransomware attacks.

Observed Sectors: Education, Healthcare, Manufacturing, Technology.

Tools used: Cobalt Strike, Defray777, LaZagne, Metasploit, PyXie, SharpHound, Shifu, SystemBC, Vatet.

Operations performed
Aug 2017  New Defray Ransomware Targets Education and Healthcare Verticals
May 2020  Texas Courts hit by ransomware, network disabled to limit spread
Jun 2020  New Ransom X Ransomware used in Texas TxDOT cyberattack
Aug 2020  Business technology giant Konica Minolta hit by new ransomware
Sep 2020  SoftServe hit by ransomware, Windows customization tool exploited
Sep 2020  Leading U.S. laser developer IPG Photonics hit with ransomware
Sep 2020  Government software provider Tyler Technologies hit by ransomware
Oct 2020  Montreal's STM public transport system hit by ransomware attack
Nov 2020  Brazil's court system under massive RansomExx ransomware attack
Nov 2020  RansomExx ransomware also encrypts Linux systems
Feb 2021  Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
Aug 2021  RansomEXX ransomware leaks files stolen from Italian luxury brand Zegna
Aug 2021  Computer hardware giant GIGABYTE hit by RansomEXX ransomware
Aug 2021  Ransomware hits Lojas Renner, Brazil’s largest clothing store chain
Mar 2022  Ransomware group attacks Scottish mental health charity
Oct 2022  RansomExx Leaks 52GB of Barcelona Health Centers' Data

Information
Last change to this card: 27 December 2022
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=20947960-7770-472c-8152-4f88a1f7ea69