{
	"id": "ed0cf72a-9107-43b2-8f19-a82e545c31c9",
	"created_at": "2026-04-06T00:06:47.227312Z",
	"updated_at": "2026-04-10T03:31:09.466601Z",
	"deleted_at": null,
	"sha1_hash": "93fe4edb367840c2d68f651212ebdc65fb3baf40",
	"title": "CrowdStrike Discovers New DoppelPaymer Ransomware \u0026 Dridex Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1077468,
	"plain_text": "CrowdStrike Discovers New DoppelPaymer Ransomware \u0026 Dridex\r\nVariant\r\nBy bsg.sf.bh\r\nArchived: 2026-04-02 11:43:49 UTC\r\nCrowdStrike® Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was\r\nbehind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and\r\nthe Chilean Ministry of Agriculture. We have dubbed this new ransomware DoppelPaymer because it shares most of its code\r\nwith the BitPaymer ransomware operated by INDRIK SPIDER. However, there are a number of differences between\r\nDoppelPaymer and BitPaymer, which may signify that one or more members of INDRIK SPIDER have split from the group\r\nand forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation.\r\nINDRIK SPIDER Origins\r\nINDRIK SPIDER was formed in 2014 by former affiliates of the GameOver Zeus criminal network who internally referred\r\nto themselves as “The Business Club.” Shortly after the group’s inception, INDRIK SPIDER developed their own custom\r\nmalware known as Dridex. Early versions of Dridex were primitive, but over the years the malware became increasingly\r\nprofessional and sophisticated. In fact, Dridex operations were significant throughout 2015 and 2016, making it one of the\r\nmost prevalent eCrime malware families. At this time, INDRIK SPIDER was primarily conducting wire fraud, resulting in\r\nthe loss of millions of dollars globally. Over time, INDRIK SPIDER encountered a number of obstacles to their wire fraud\r\noperations. First, in 2015 the group had to overcome a takedown operation, which resulted in the arrest of one of its\r\naffiliates, who used the alias “Smilex.” This setback was followed by a law enforcement operation in the U.K. designed to\r\nbreak up the money laundering network supporting INDRIK SPIDER's monetization of Dridex campaigns. 
The dismantling of this network also coincided with the arrest, and subsequent imprisonment, of a U.K. bank employee who helped set up fake accounts. Perhaps as a result of these obstacles, INDRIK SPIDER changed their methods of operation in 2017, conducting smaller Dridex distribution campaigns. In August 2017, the group introduced BitPaymer ransomware and began to focus on leveraging access within a victim organization to demand a high ransom payment.\r\nBitPaymer Origins\r\nCrowdStrike Intelligence has tracked the original BitPaymer since it was first identified in August 2017. In its first iteration, the BitPaymer ransom note included the ransom demand and a URL for a TOR-based payment portal. The payment portal included the title “Bit paymer” along with a reference ID, a Bitcoin (BTC) wallet, and a contact email address. An example of this portal is shown in Figure 1. Within the first month of operation, the ransom amount was dropped from the ransom note. In July 2018, the payment portal URL was also removed. From July 2018 until present, the ransom note has only included two contact emails, which are used to negotiate the ransom.\r\nhttps://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/\r\nPage 1 of 10\r\nFigure 1. Original BitPaymer Payment Portal via a TOR Hidden Service\r\nLatest BitPaymer Version\r\nIn November 2018, there was a significant update to BitPaymer. The ransom note was updated to include the victim’s name, and the file extension appended to encrypted files was also customized to use a representation of the victim’s name. An example of the new ransom note is shown below in Figure 2.\r\nFigure 2. 
Latest BitPaymer Ransom Note\r\nIn addition to the updated ransom note and encrypted file extension, BitPaymer’s file encryption routine was updated to use 256-bit AES in cipher block chaining (CBC) mode with a randomly generated key and a NULL initialization vector. Previous versions of BitPaymer had used 128-bit RC4. Since AES is a block cipher, the implementation requires padding in cases where the data is not a multiple of the block size. Typically, this is implemented by adding zeros, or by appending the number n of padding bytes n times (PKCS#7). However, INDRIK SPIDER chose to generate the n padding bytes randomly. As a result, the malware developer had to preserve the random padding bytes in order to correctly decrypt the last data block of an encrypted file. This is reflected in the BitPaymer ransom note by a new field, TAIL, shown above in Figure 2, which carries the Base64-encoded padding bytes next to the encrypted AES key in the KEY field. Interestingly, the BitPaymer developers implemented an encryption initialization function in the ransomware code that selects one of three encryption algorithms. The algorithm is chosen by an integer argument passed to the function: the values 1, 2 and 3 select 128-bit RC4, 128-bit AES and 256-bit AES, respectively. Newer versions of BitPaymer pass the hard-coded value 3 (256-bit AES) into the function, as shown in Figure 3.\r\nFigure 3. Latest BitPaymer Encryption Selection Pseudocode\r\nAlong with the updated file encryption routine, the size of the victim-specific RSA public key has also been increased from 1,024-bit to 4,096-bit. This asymmetric key is used to encrypt the generated symmetric file encryption keys. If the ransom is paid, INDRIK SPIDER will provide a decryption tool that contains the corresponding victim’s RSA private key. 
It is unclear why INDRIK SPIDER moved from RC4 to AES encryption, but it may be due to concerns about the relative weakness of RC4 in comparison to AES. The increase in the RSA key size also greatly augments the cryptographic strength protecting the file encryption keys. However, there is no evidence that BitPaymer’s prior or current encryption has been broken. Since the update in November 2018, INDRIK SPIDER has actively used the latest version of BitPaymer in at least 15 confirmed ransomware attacks. These attacks have continued throughout 2019, with multiple incidents occurring in June and July of 2019 alone.\r\nWhile the first known victims of DoppelPaymer were targeted in June 2019, we were able to recover earlier builds of the malware dating back to April 2019. These earlier builds are missing many of the new features found in later variants, so it is not clear if they were deployed to victims or if they were simply built for testing. To date, we have identified eight distinct malware builds and three confirmed victims, with ransom amounts of 2 BTC, 40 BTC and 100 BTC. Based on the USD to BTC exchange rate at the time of this writing, these ransom amounts vary from approximately $25,000 to over $1,200,000. The ransom note used by DoppelPaymer is similar to those used by the original BitPaymer in 2018. The note does not include the ransom amount; however, it does contain a URL for a TOR-based payment portal, and instead of using the keyword KEY to identify the encrypted key, the note uses the keyword DATA, as shown in Figure 4.\r\nFigure 4. DoppelPaymer Ransom Note\r\nThe payment portal for DoppelPaymer is almost identical to the original BitPaymer portal. The “Bit paymer” title is still present on the web page and a unique ID is still used to identify the victim. 
The portal provides a ransom amount, a countdown timer and a BTC address where the ransom payment can be sent. An example of the DoppelPaymer ransom portal web page is shown below in Figure 5.\r\nFigure 5. DoppelPaymer Ransomware Payment Portal\r\nDoppelPaymer and BitPaymer Encryption Comparison\r\nAlthough DoppelPaymer and BitPaymer share significant amounts of code, there are some notable encryption differences, which are described in Table 1.\r\nRansom note | DoppelPaymer: Each readme file contains an encrypted 256-bit AES key in a field named DATA. | BitPaymer: Each readme file contains an encrypted 256-bit AES key in a field named KEY. Older versions contained an encrypted 128-bit RC4 key in the KEY field. Current versions use anonymous email services such as ProtonMail for ransom payment negotiations.\r\nEncryption | DoppelPaymer: 2048-bit RSA + 256-bit AES | BitPaymer: 4096-bit RSA + 256-bit AES. Older versions used 1024-bit RSA + 128-bit RC4.\r\nEncryption (AES) padding scheme | DoppelPaymer: Standard padding (PKCS#7) | BitPaymer: Random bytes specified in a field named TAIL\r\nRansom filename | DoppelPaymer: Encrypted files are renamed with a .locked extension. | BitPaymer: Encrypted files are renamed with the victim name as the extension. Older versions appended the .locked suffix to the names of encrypted files.\r\nTable 1. Encryption-Related Differences Between DoppelPaymer and BitPaymer\r\nThere are obvious similarities between the tactics, techniques and procedures (TTPs) used by DoppelPaymer and prior TTPs of BitPaymer, such as the use of TOR for ransom payment and the .locked extension. However, the code overlaps suggest that DoppelPaymer is a more recent fork of the latest version of BitPaymer. 
For example, in the latest version of BitPaymer, the code for RC4 string obfuscation reverses the bytes prior to encryption, and includes a helper function that provides support for multiple forms of symmetric encryption (i.e., RC4, 128-bit AES, and 256-bit AES), as shown in Figure 3.\r\nNew DoppelPaymer Features and the Use of ProcessHacker\r\nIn addition to the changes discussed above, numerous modifications were made to the BitPaymer source code to improve and enhance DoppelPaymer’s functionality. For instance, file encryption is now threaded, which can increase the rate at which files are encrypted. The network enumeration code was updated to parse the victim system’s Address Resolution Protocol (ARP) table, retrieved with the command arp.exe -a. The resulting IP addresses of other hosts on the local network are combined with domain resolution results via nslookup.exe. (In a similar approach, previous versions of BitPaymer made use of the command net.exe view to enumerate network shares.) In addition, DoppelPaymer is designed to run only after a specific command line argument is provided. The malware computes a CRC32 checksum of the first argument passed on the command line and adds to it a constant value that is hard-coded in the binary. The malware then adds the current instruction pointer address to this sum, and the result becomes the destination of a jmp that continues malware execution. The hard-coded constant is unique to each build; in the sample analyzed, its value was 0x672e6eb7, as shown below in Figure 6.\r\nFigure 6. DoppelPaymer Control Flow Obfuscation\r\nIf no arguments are provided, or if an incorrect value is provided on the command line, the computed jump target is invalid and DoppelPaymer crashes. This design was likely intended to hinder automated malware analysis environments, which typically execute samples without the expected argument. Perhaps the most interesting change that the DoppelPaymer author made is to terminate processes and services that may interfere with file encryption. 
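The two CRC32 tricks above (the argv[1] gate and the checksum-only process/service blacklist recovered in Tables 7-11 of the Appendix) can be attacked with the same dictionary brute force. The Python below is an added example written for this page, not code from the CrowdStrike post or from the malware. It assumes the sample's CRC32 is the standard reflected CRC-32 (the zlib variant); the page does not state which parameters or case normalisation the malware uses, so the routine is parameterised by initial value and final XOR and tries several name forms. The instruction pointer value, the jump target, the wordlist and the blacklist in example() are constructed; only the 0x672e6eb7 constant comes from the page.

```python
import zlib

# Constant from the analyzed sample (Figure 6). Everything else below that
# looks like an address or a blacklist entry is constructed for the demo.
SAMPLE_CONSTANT = 0x672e6eb7
MASK = 0xffffffff


def crc32_variant(data, init=0xffffffff, xorout=0xffffffff, poly=0xedb88320):
    # Bitwise reflected CRC-32. With the defaults this equals zlib.crc32;
    # malware frequently changes init/xorout, so both are parameters.
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (poly if crc & 1 else 0)
    return crc ^ xorout


def required_argument_crc(jump_target, instruction_pointer, constant=SAMPLE_CONSTANT):
    # Invert target = crc32(argv[1]) + constant + ip (mod 2**32) once the
    # intended continuation address is known from static analysis.
    return (jump_target - constant - instruction_pointer) & MASK


def candidates(name):
    # Name forms worth trying; which one the sample hashes is unknown.
    base = name.lower()
    forms = {name, base, base.upper()}
    forms.add(base[:-4] if base.endswith('.exe') else base + '.exe')
    return forms


def recover(checksums, wordlist, variants=((0xffffffff, 0xffffffff), (0, 0), (0xffffffff, 0))):
    # Brute force: hash each wordlist entry under each CRC parameter set and
    # keep the (name, init, xorout) that produced a blacklisted checksum.
    wanted = set(checksums)
    found = {}
    for word in wordlist:
        for form in candidates(word):
            data = form.encode()
            for init, xorout in variants:
                value = crc32_variant(data, init, xorout)
                if value in wanted and value not in found:
                    found[value] = (form, init, xorout)
    return found


def example():
    # Constructed scenario: the blacklist holds the hashes of two names that
    # are in our wordlist plus one checksum we cannot recover.
    wordlist = ['veeambackupsvc', 'MSExchangeIS', 'sqlwriter', 'launch']
    blacklist = [zlib.crc32(b'veeambackupsvc'), zlib.crc32(b'msexchangeis'), 0xdeadbeef]
    recovered = recover(blacklist, wordlist)
    # Gate check: derive the argv[1] checksum the dispatcher expects from a
    # hypothetical ip/target pair, then recover the argument by dictionary.
    ip = 0x00401000
    target = (zlib.crc32(b'launch') + SAMPLE_CONSTANT + ip) & MASK
    gate = recover([required_argument_crc(target, ip)], wordlist)
    return recovered, gate


if __name__ == '__main__':
    recovered, gate = example()
    for value, (name, init, xorout) in recovered.items():
        print(hex(value), name, hex(init), hex(xorout))
    print('gate argument:', list(gate.values()))
```

To use this on the page's tables, feed recover() the Table 7-11 checksums and a wordlist of Windows service and process names (a dump of the service control manager on a representative server is a good start); a checksum that stays unrecovered under all three parameter sets usually means a fourth variant or a name form not in the wordlist, not a bug.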
DoppelPaymer contains several lists of CRC32 checksums of process and service names that are blacklisted. The malware author included CRC32 checksums rather than strings to hinder reverse engineering efforts. However, it is possible to brute-force all of the checksums against a wordlist of known process and service names and recover the respective strings, as shown in Tables 7-11 found in the Appendix.\r\nProcessHacker\r\nIn order to terminate some of these processes and services, DoppelPaymer uses an interesting technique that leverages ProcessHacker, a legitimate open-source administrative utility. This application is bundled with a kernel driver that can be used to terminate processes and services. DoppelPaymer is bundled with six portable executable (PE) files that are encrypted and compressed in the malware’s sdata section. These PE files contain 32-bit and 64-bit versions of the following:\r\n- ProcessHacker application\r\n- ProcessHacker kernel driver\r\n- A custom stager DLL that is used to exploit ProcessHacker\r\nThe modules are extracted by using the first 16 bytes of the sdata section as an RC4 key to decrypt the next 4 bytes of data, which is the size (big endian) of the subsequent encrypted data. The encrypted data is preceded by its own 16-byte RC4 key, which is used to decrypt the remaining data. The format is shown below in Table 2.\r\n16 Bytes | 4 Bytes | 16 Bytes | M Bytes\r\nRC4 key | Encrypted data size (M) | RC4 key | Encrypted data\r\nTable 2. Format of Encrypted DoppelPaymer ProcessHacker Related Modules\r\nAfter decryption, the first 4 bytes are the size of the compressed data, and the next 4 bytes are the size of the uncompressed data, followed by the compressed data as shown in Table 3.\r\n4 Bytes | 4 Bytes | N Bytes\r\nCompressed size (N bytes) | Uncompressed size | Compressed 32-bit and 64-bit Process Hacker modules\r\nTable 3. 
Format of Encrypted DoppelPaymer ProcessHacker Related Modules Header and Data\r\nThe data is decompressed using aPLib, which produces the PE files in a custom structured format, where each PE is preceded by an 8-byte header consisting of a 4-byte magic value, followed by a 4-byte value that specifies the size of the following PE data, as shown in Table 4.\r\n4 Bytes | 4 Bytes | N Bytes | 4 Bytes | 4 Bytes | N Bytes\r\nMagic value 1 | Size of Module 1 | Module 1 | Magic value 2 | Size of Module 2 | Module 2 | ...\r\nTable 4. DoppelPaymer ProcessHacker Packed Module Format\r\nTable 5 contains the magic value and SHA256 hash for each ProcessHacker component.\r\nMagic Value | SHA256 | Description\r\n0xf03d9386 | 51d8618ec86159327e883615ad8989c7638172cf801f65ab0367e5b2e6af596a | DoppelPaymer’s ProcessHacker Stager DLL (32-bit)\r\n0xa68d9640 | d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f | ProcessHacker3 (32-bit)\r\n0x53e9cd92 | 0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc | KProcessHacker3 Kernel Driver (32-bit)\r\n0x2fb0f795 | bfb7e62ba4ad5975e68a1beefb045cb72e056911fd7a8b070a15029dfcbbefe1 | DoppelPaymer’s ProcessHacker Stager DLL (64-bit)\r\n0x7900f253 | bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 | ProcessHacker3 (64-bit)\r\n0x8c64a981 | 70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4 | KProcessHacker3 Kernel Driver (64-bit)\r\nTable 5. Encrypted PE Files Embedded in DoppelPaymer\r\nAfter decompression, all three binaries are written to the same directory. Both ProcessHacker and the kernel driver are written with random filenames, but the stager DLL filename is chosen to be one of the DLL names imported by ProcessHacker. DoppelPaymer then executes ProcessHacker, which loads the stager DLL via DLL search order hijacking. 
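As an added, constructed example (not code from the CrowdStrike post or from the malware), the Python below parses and rebuilds the sdata container laid out in Tables 2 to 4 and labels each extracted module with the Table 5 magic values; the post states that the Dridex 2.0 loader packs its core bot module in the identical format, so the same parser applies there. Assumptions the page does not state: the compressed and uncompressed sizes and the per-module magic and size fields are little-endian (only the outer encrypted size is described as big-endian); zlib stands in for aPLib, so on a real sample an aPLib decompressor would be passed as the decompress callback; the two module bodies and the RC4 keys are short constructed byte strings, not real PE files or keys.

```python
import struct
import zlib


def rc4(key, data):
    # Plain RC4 (key scheduling followed by the keystream generator); the
    # same call both encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)


# Magic values from Table 5; little-endian on disk is an assumption.
MAGIC_NAMES = {
    0xf03d9386: 'DoppelPaymer stager DLL (32-bit)',
    0xa68d9640: 'ProcessHacker3 (32-bit)',
    0x53e9cd92: 'KProcessHacker3 driver (32-bit)',
    0x2fb0f795: 'DoppelPaymer stager DLL (64-bit)',
    0x7900f253: 'ProcessHacker3 (64-bit)',
    0x8c64a981: 'KProcessHacker3 driver (64-bit)',
}


def parse_sdata(blob, decompress):
    # Table 2: key1 (16) | RC4(key1, big-endian size) (4) | key2 (16) | RC4(key2, payload) (size)
    key1 = blob[0:16]
    size = struct.unpack('>I', rc4(key1, blob[16:20]))[0]
    key2 = blob[20:36]
    encrypted = blob[36:36 + size]
    if len(encrypted) != size:
        raise ValueError('truncated sdata container')
    payload = rc4(key2, encrypted)
    # Table 3: compressed size (4) | uncompressed size (4) | compressed data
    comp_size, uncomp_size = struct.unpack('<II', payload[0:8])
    packed = decompress(payload[8:8 + comp_size])
    if len(packed) != uncomp_size:
        raise ValueError('decompressed size mismatch')
    # Table 4: (magic (4) | module size (4) | module bytes) repeated
    modules = []
    offset = 0
    while offset + 8 <= len(packed):
        magic, mod_size = struct.unpack('<II', packed[offset:offset + 8])
        offset += 8
        body = packed[offset:offset + mod_size]
        if len(body) != mod_size:
            raise ValueError('truncated module')
        offset += mod_size
        modules.append((magic, MAGIC_NAMES.get(magic, 'unknown module'), body))
    return modules


def build_sdata(modules, key1, key2, compress):
    # Inverse of parse_sdata; used here only to construct test input.
    packed = b''.join(struct.pack('<II', magic, len(body)) + body for magic, body in modules)
    compressed = compress(packed)
    payload = struct.pack('<II', len(compressed), len(packed)) + compressed
    encrypted = rc4(key2, payload)
    return key1 + rc4(key1, struct.pack('>I', len(encrypted))) + key2 + encrypted


def example():
    # Constructed sample: two fake modules carrying Table 5 magics. The
    # bodies are placeholders, not real PE files, and zlib stands in for aPLib.
    modules = [
        (0xf03d9386, b'MZ' + bytes(62) + b'fake 32-bit stager'),
        (0x7900f253, b'MZ' + bytes(62) + b'fake 64-bit ProcessHacker'),
    ]
    key1 = bytes(range(16))        # constructed RC4 keys
    key2 = bytes(range(16, 32))
    blob = build_sdata(modules, key1, key2, zlib.compress)
    return parse_sdata(blob, zlib.decompress)


if __name__ == '__main__':
    for magic, name, body in example():
        print(hex(magic), name, len(body), 'bytes')
```

On a real sample, carve the sdata section bytes (for instance with pefile, iterating pe.sections and calling get_data() on the one named sdata), pass them to parse_sdata together with an aPLib decompressor, and hash each returned body to compare against Table 5.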
Once the stager DLL is loaded, it leverages ProcessHacker’s kernel driver to kill the blacklisted processes. Because ProcessHacker and its driver are legitimate tools, detection is better keyed on this pairing (a randomly named ProcessHacker binary written next to a DLL that shadows one of its imports, and spawned by the ransomware process) than on the utility itself.\r\nDoppelPaymer Links to “Dridex 2.0”\r\nA Dridex loader sample, identified by SHA256 hash 813d8020f32fefe01b66bea0ce63834adef2e725801b4b761f5ea90ac4facd3a, was distributed through the Emotet malware on June 4, 2019. The Dridex sample contained code to decrypt either a 32-bit or a 64-bit core bot module from its sdata section using the exact same encryption, compression, and data format (previously described) that DoppelPaymer uses to extract PEs from its sdata section. This observation ties this Dridex variant directly to DoppelPaymer. The Dridex sample was also unusual, not only because the Dridex loader was bundled with the bot core module (rather than dynamically retrieving it from a C2 server), but also because the bot core module had a version number of 2.0.0.78. We have seen subsequent updates to this new variant of the Dridex bot core module, with the latest version being 2.0.0.80 at the time of writing. Of note, prior samples of Dridex had a version number of 4.0.0.87. It is unclear why the malware author decided to use lower version numbers, but one explanation is that the threat actor views this new creation as “Dridex 2.0.”\r\nConclusion\r\nBoth BitPaymer and DoppelPaymer continue to be operated in parallel, and new victims of both ransomware families have been identified in June and July 2019. The parallel operations, coupled with the significant code overlap between BitPaymer and DoppelPaymer, indicate not only a fork of the BitPaymer code base but an entirely separate operation. 
This may suggest that the threat actor who is operating DoppelPaymer has splintered from INDRIK SPIDER and is now using the forked code to run their own Big Game Hunting ransomware operations.\r\nAdditional Resources\r\nFor more information on how to incorporate intelligence on dangerous threat actors into your security strategy, please visit the CrowdStrike Falcon® Intelligence product page.\r\nDownload the CrowdStrike 2021 Global Threat Report\r\nTest CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.\r\nAppendix/Indicators\r\nIndicator | Description\r\n801b04a1504f167c25f568f8d7cbac13bdde6440a609d0dcd64ebe225c197f9b | DoppelPaymer SHA256 hash\r\n813d8020f32fefe01b66bea0ce63834adef2e725801b4b761f5ea90ac4facd3a | Dridex 2.0 SHA256 hash\r\nTable 6. DoppelPaymer and Dridex 2.0 IOCs\r\nCRC32 | String\r\n0xc622a2b1 | acronisagent\r\n0xa8e4e8c2 | backupexecagentaccelerator\r\n0x6d7d9112 | backupexecdevicemediaservice\r\n0xfef41240 | backupexecjobengine\r\n0x6c99d156 | backupexecmanagementservice\r\n0x8ff434f5 | backupexecrpcservice\r\n0xc08e25a9 | backupexecvssprovider\r\n0x634332ff | dfsr\r\n0xfd7e1ab0 | epintegrationservice\r\n0x69e7bca5 | epprotectedservice\r\n0x68507185 | epsecurityservice\r\n0x5809f6f7 | epupdateservice\r\n0xc2b55fa6 | mb3service\r\n0xeca1f89e | msexchangees\r\n0x44dda068 | msexchangemgmt\r\n0xbebe6687 | msexchangemta\r\n0x03803c01 | msexchangesa\r\n0x0de53e33 | msexchangesrs\r\n0x822dd426 | msexchangeadtopology\r\n0xacedcdb8 | msexchangedelivery\r\n0x9060bcd4 | msexchangediagnostics\r\n0x50f0d551 | msexchangeedgesync\r\n0xa300bbb0 | msexchangehm\r\n0x3040bb72 | msexchangehmrecovery\r\n0x4014b792 | msexchangeis\r\n0x7e7e47bc | msexchangemailboxreplication\r\n0x23a626e2 | msexchangerpc\r\n0xa323c785 | msexchangerepl\r\n0xbfec4da3 | msexchangeservicehost\r\n0xbe3d66d5 | msexchangetransport\r\n0x5c6cd7ac | msexchangeum\r\n0xab07d275 | msexchangeumcr\r\n0xe3d46892 | mssqlserver\r\n0xf203a569 | msdtsserver\r\n0x6d90a649 | mysql57\r\n0x2181c15e | osearch15\r\n0xcdf97a8b | oracleclientcache80\r\n0xcaff10b3 | quickbooksdb25\r\n0x00c7b7a9 | spadminv4\r\n0x66a8eead | spsearchhostcontroller\r\n0x46b607c2 | sptracev4\r\n0xdb1ac7bb | spusercodev4\r\n0xf3c045e4 | spwriterv4\r\n0xd917e4cb | sqlbrowser\r\n0x23bc321e | sqlsafeolrservice\r\n0x9626475b | sqlserveragent\r\n0xf76fde75 | sqltelemetry\r\n0x9626475b | sqlserveragent\r\n0x25a92500 | sqlwriter\r\n0x243d4975 | syncoveryvssservice\r\n0xc2a56207 | veeambackupsvc\r\n0x8dbf54db | veeamcatalogsvc\r\n0x82d1c632 | veeamcloudsvc\r\n0xb97407ef | veeamendpointbackupsvc\r\n0x0aabacba | veeamenterprisemanagersvc\r\n0x43d71e6c | veeammountsvc\r\n0x0c6574ad | veeamnfssvc\r\n0x2491fd1c | veeamrestsvc\r\n0xe076d4a9 | veeamtransportsvc\r\n0xe381a459 | epredline\r\n0xe7a6b2c5 | mozyproba\r\n0xdf73ec1c | masvc\r\n0xcc5f5bf1 | macmnsvc\r\n0x467255e4 | mfemms\r\n0x0f2ae79c | psqlwge\r\n0x7e26520a | swprv\r\n0x656c0e35 | wsbexchan\r\n0xde2373de | winvnc4\r\n0xd67d1e60 | epag\r\nTable 7. DoppelPaymer Email Server, Backup, and Database Software CRC32 Blacklist\r\nCRC32 | String\r\n0xae5a22b4 | dropbox.exe\r\n0x6274fa64 | cis.exe\r\n0xf62526b9 | cistray.exe\r\n0xdc40adba | onenote.exe\r\n0x4107aa76 | oracle.exe\r\n0xbfdf529e | postgres.exe\r\n0x306d51a0 | sidebar.exe\r\nTable 8. DoppelPaymer Antivirus, Backup, Database, and Windows Tool CRC32 Blacklist\r\nCRC32 | String\r\n0x45a1c197 | windefend\r\n0x987163e9 | wdnissvc\r\n0x34220c33 | cylancesvc\r\n0x59d2dbbf | mbamservice\r\n0x27462fff | mbendpointagent\r\n0x93a7f221 | sbamsvc\r\n0x0b4fa6cf | msmpsvc\r\n0x360b9799 | sentinelagent\r\n0xde3dabc7 | ekrn\r\n0xb78f9b4e | wrsvc\r\n0x23b07ca0 | vipre business service\r\n0x9a4f7f43 | mcafeeengineservice\r\n0xe067db30 | mcafeeframework\r\n0xfc95ba9d | mcafeeframeworkmcafeeframewo\r\n0x360b9799 | sentinelagent\r\n0x3b9f1b3e | sentinelhelperservice\r\n0xa6772c96 | sentinelstaticengine\r\nTable 9. DoppelPaymer Endpoint Security Software CRC32 Blacklist\r\nCRC32 | String\r\n0xf26f12c8 | zonealarm.exe\r\n0x993f5471 | a2guard.exe\r\n0xd5345e50 | a2service.exe\r\n0xc459d010 | a2start.exe\r\n0x0b02ef94 | avastsvc.exe\r\n0x21579df3 | avshadow.exe\r\n0x6b68c4c6 | avastui.exe\r\n0x0108a03e | fortiesnac.exe\r\n0x830b705a | fortiproxy.exe\r\n0xca2d58f0 | fortisslvpndaemon.exe\r\n0xe2c0fe91 | fortitray.exe\r\n0xcff1c71e | fortiwf.exe\r\n0x64760001 | nortonsecurity.exe\r\n0x43c3c112 | bullguard.exe\r\n0x0d71efa0 | bullguardbhvscanner.exe\r\n0xa7dd5f59 | bullguardscanner.exe\r\n0x77a2fba9 | bullguardtray.exe\r\n0x50dbcbda | bullguardupdate.exe\r\n0x6e7d6782 | avira.servicehost.exe\r\n0xb8894b22 | avira.systray.exe\r\n0x40cb21d3 | avp.exe\r\n0xb018d47e | mbcloudea.exe\r\nTable 10. DoppelPaymer Security Software CRC32 Blacklist 1\r\nCRC32 | String\r\n0x1a2124c0 | msascuil.exe\r\n0x456b109f | wrsa.exe\r\n0x895abd73 | nod32.exe\r\n0x2fba3706 | mcshield.exe\r\nTable 11. DoppelPaymer Security Software CRC32 Blacklist 2\r\nSource: https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/"
	],
	"report_names": [
		"doppelpaymer-ransomware-and-dridex-2"
	],
	"threat_actors": [
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434007,
	"ts_updated_at": 1775791869,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93fe4edb367840c2d68f651212ebdc65fb3baf40.pdf",
		"text": "https://archive.orkl.eu/93fe4edb367840c2d68f651212ebdc65fb3baf40.txt",
		"img": "https://archive.orkl.eu/93fe4edb367840c2d68f651212ebdc65fb3baf40.jpg"
	}
}