{
	"id": "e9888513-ec2a-4179-bb50-5fc6dbe4140b",
	"created_at": "2026-04-06T00:17:38.539796Z",
	"updated_at": "2026-04-10T03:36:11.106797Z",
	"deleted_at": null,
	"sha1_hash": "a62728813dfcf5c3fe9ea4a71ca8021e30ceb51f",
	"title": "Wizard Spider Modifies and Expands Toolset [Adversary Update]",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1457267,
	"plain_text": "Wizard Spider Modifies and Expands Toolset [Adversary Update]\r\nBy The CrowdStrike Intel Team\r\nArchived: 2026-04-05 13:15:24 UTC\r\nWIZARD SPIDER is an established, high-profile and sophisticated eCrime group, originally known for the\r\ncreation and operation of the TrickBot banking malware. This Russia-based eCrime group originally began\r\ndeploying TrickBot for the purpose of conducting financial fraud in 2016, but has since evolved into a highly\r\ncapable group with a diverse and potent arsenal, including Ryuk, Conti and BazarLoader. Their toolset covers the\r\nentirety of the kill chain, from delivery to post-exploitation tools and big game hunting (BGH) ransomware,\r\nenabling them to conduct a wide range of criminal activities against enterprise environments. WIZARD SPIDER\r\nhas developed their tools over a number of years, and they continue to evolve the tactics, techniques and\r\nprocedures (TTPs) needed to monetize their criminal operations in an efficient and effective manner.\r\nOver recent months, WIZARD SPIDER has demonstrated their resilience and dedication to criminal operations by\r\noperating multiple ransomware families with differing modi operandi, using TrickBot and BazarLoader to\r\ninfiltrate victim environments and reacting to attempts to stop them in their tracks. The group has made significant\r\nimprovements to their arsenal recently and has both developed new tools and modified existing ones. The key\r\nobservations covered below are based on CrowdStrike® Intelligence analysis of BazarLoader, Conti and Ryuk\r\noperations.\r\nTrickBot\r\nTrickBot has remained a primary tool for WIZARD SPIDER and has grown to infect upward of one million\r\nsystems worldwide. TrickBot has played an integral part in enabling BGH operations and poses a severe threat\r\nacross all sectors and geographies. 
This has made WIZARD SPIDER’s TrickBot malware an extremely prevalent\r\nand widely tracked target.\r\nOn September 21 and 22, 2020, CrowdStrike Intelligence observed a non-standard configuration file being\r\ndistributed to victims infected with TrickBot. The configuration files instructed infected hosts to communicate\r\nwith the command-and-control (C2) server address 0.0.0.1 on TCP port 1. This action resulted in an unknown\r\nnumber of bots being isolated from the TrickBot network and unreachable through the standard C2 channel.\r\nThis week, widespread public reporting has attributed this disruption attempt against TrickBot to multiple\r\ncybersecurity vendors. The operation against the TrickBot network was orchestrated to take down the botnet, thus\r\nreducing BGH infections by WIZARD SPIDER’s Ryuk and Conti ransomware families, with an ultimate goal of\r\nprotecting the forthcoming U.S. elections from ransomware operations. Since the disruption operation began on\r\nSeptember 21, 2020, we have observed a definite impact on the TrickBot network, with almost 10,000 unique\r\ndownloads of the non-standard configuration identified. However, in spite of this, TrickBot activity has returned to\r\nits usual rapid pace, and the impact of the disruption operation was manifested as a short-term setback for\r\nWIZARD SPIDER.\r\nhttps://www.crowdstrike.com/blog/wizard-spider-adversary-update/\r\nPage 1 of 6\n\nFigure 1. TrickBot Activity Tracking (July 1 to October 14, 2020)\r\nIn a timely turn of events following a short break, MUMMY SPIDER’s Emotet malware has resumed spamming\r\nactivity this week, and we have since observed MUMMY SPIDER deploying TrickBot to Emotet-infected hosts.\r\nDownloaded TrickBot samples since October 14 have used group tags prefixed with mor — for example,\r\nmor131. 
This is very likely an attempt by TrickBot to replenish their victim base to offset any losses they may\r\nhave experienced as a result of the takedown attempt.\r\nBazarLoader Takes to the Stage\r\nIn addition to the continuation of TrickBot activity, WIZARD SPIDER has increased their use of the initial access\r\ntool BazarLoader, which is now being distributed in spam operations and used as an additional infection vector to\r\nenable WIZARD SPIDER’s post-exploitation activity. Newly identified BazarLoader spam runs consist of emails\r\ncontaining a link to a Google Docs file (Figure 2). The Google Docs file commonly contains a link to the\r\nBazarLoader payload hosted on an external site.\r\nFigure 2. Example BazarLoader Google Docs File\r\nThe spam emails are often business-related, with themes that reference purported phone calls, meetings, customer\r\ncomplaints or employment termination. An example email is provided in Figure 3.\r\nFigure 3. BazarLoader Spam Email with Google Docs Link\r\nBazarLoader (aka Kegtap) consists of a loader and a backdoor component. The loader is responsible for installing\r\nand executing the backdoor element. The latest version of the loader contains a large amount of string and code\r\nobfuscation, and it has been observed utilizing a novel technique of mimicking legitimate software for persistence.\r\nCrowdStrike technical analysis has specifically revealed the loader mimicking communications software such as\r\nSoftphone. The backdoor component is capable of executing arbitrary payloads, batch and PowerShell scripts,\r\nexfiltrating files from a victim, and terminating running processes. In addition to the backdoor component, we\r\nhave observed WIZARD SPIDER deploying and utilizing the CobaltStrike post-exploitation framework. 
In\r\nSeptember 2020, the group distributed a PowerShell version of BazarLoader that contains similar functionality to\r\nthat of the executable version and is likely an effort to be compatible with their extensive, PowerShell-friendly\r\ntoolset.\r\nRyuk’s Return\r\nSince September 2018, WIZARD SPIDER’s Ryuk ransomware has been the group's most lucrative operation for\r\nsiphoning money from its victims through extortion. The U.S. Federal Bureau of Investigation (FBI) has estimated\r\nthat victims have paid over USD $61 million to recover files encrypted by Ryuk. In March 2020, WIZARD\r\nSPIDER ceased deploying Ryuk until mid-September.\r\nFrom March to September 2020, WIZARD SPIDER did not cease operating but instead switched to Conti\r\nransomware. We first observed Conti being deployed in June 2020. It is unknown why WIZARD SPIDER paused\r\noperating Ryuk, but it is likely they took a break from their operations to reorganize and reevaluate their\r\nmethodologies. It is also currently unclear how WIZARD SPIDER intends to use both Conti and Ryuk. It is\r\npossible that Conti and Ryuk may continue to be used simultaneously by WIZARD SPIDER, with either one\r\nbeing deployed depending on particular characteristics of the victim organization. What is clear is that WIZARD\r\nSPIDER is now running multiple ransomware operations. From a code perspective, little has changed between\r\nRyuk binaries compiled in March and those compiled in September. The functionality has remained overall static\r\nsince introducing features for targeting hosts on a local area network (LAN). The most notable change to Ryuk is\r\nthe introduction of code obfuscation. 
The code obfuscations appear to be designed to slow down the reverse\r\nengineering process by using anti-disassembly and code transformation obfuscation techniques.\r\nThese obfuscation techniques are not as advanced as those observed in Conti and BazarLoader. This is likely due\r\nto the age of the Ryuk code base and build process, which dates back to the end of 2018. Conti and BazarLoader\r\nare newer WIZARD SPIDER projects with obfuscation likely part of the build process. Ryuk’s code obfuscation\r\nappears to be macro-based, with macros inserted at the start of a function or in-line.\r\nConti: New, Developing, Persistent\r\nWIZARD SPIDER operations were notably reduced and sporadic during the first half of 2020, but recent months\r\nhave seen a resurgence of WIZARD SPIDER activity and the introduction of Conti ransomware. In August 2020,\r\nthe actor began using a data leak site (DLS) for Conti. Conti has been continually improved by WIZARD SPIDER\r\nand has already been used to compromise over 120 victim networks, with stolen data listed on the Conti DLS.\r\nConti victims span multiple sectors and geographies, the vast majority of which are based in North America and\r\nEurope (Figure 4). This opportunistic targeting is indicative of WIZARD SPIDER and wider ransomware\r\noperations.\r\nFigure 4. Conti Ransomware Victims by Sector and Geography\r\nConti has been under active development throughout WIZARD SPIDER’s deployment of the ransomware in BGH\r\ncampaigns. Additional features, obfuscation techniques and code changes are integrated on an almost weekly\r\nbasis. In August 2020, Conti’s technique shifted from fully encrypting files with AES-256 to a more strategic and\r\nefficient approach of selectively encrypting files with the ChaCha stream cipher. 
Conti’s host discovery and\r\nnetwork share targeting functionality has also continued to evolve and is now comparable to that of Ryuk.\r\nWIZARD SPIDER’s ongoing development of Conti is equally focused on evading traditional, signature-based antivirus software and on hindering malware analysis efforts. Conti’s utilization of compiler-based obfuscation\r\ntechniques, such as ADVobfuscator, provides code obfuscation when the ransomware’s source code is built.\r\nPortions of Conti’s source code are restructured or rewritten regularly with the intention of avoiding detection and\r\ndisrupting automated malware analysis systems.\r\nOutlook\r\nThe ultimate goal of the disruption operation against the TrickBot network was to impact and prevent ransomware\r\ninfections — however, Ryuk and Conti continue to be used in BGH campaigns against organizations across\r\nmultiple sectors and geographies. Over a dozen confirmed WIZARD SPIDER ransomware cases have been\r\nidentified since the disruption began. While the valiant efforts of the cybersecurity teams involved in this complex\r\noperation undoubtedly had a short-term impact on WIZARD SPIDER’s TrickBot network, the response by the\r\ncriminal actors has been swift, effective and efficient. TrickBot activity continues at a progressive rate,\r\nBazarLoader is increasing in prevalence, and BGH ransomware operations proceed as normal with Ryuk and\r\nConti. WIZARD SPIDER, with its diverse and effective toolset, has proven to be a highly capable adversary and\r\ncontinues to be resilient, reactive and resolute as they continue to run their formidable criminal enterprise. The\r\nresilience of advanced criminal threat actors like WIZARD SPIDER makes it increasingly important that we, as an\r\nindustry, continue to fight back. Any attempt to increase the cost for the criminals contributes to a more secure\r\ncyberspace. 
The CrowdStrike Falcon® endpoint protection platform detects and prevents Ryuk. For\r\nFalcon endpoint customers, prevention settings should be set at a minimum to the following:\r\nNext-Gen Antivirus: Cloud/Sensor Machine Learning: Set “Prevention” slider to “Aggressive”\r\nMalware Protection: Execution Blocking: Toggle “Prevent Suspicious Processes” to “Enabled”\r\nAdd any hashes to your custom blocklist for added protection\r\nThis blog was written by CrowdStrike Intelligence analysts Adam Podlosky, Alexander Hanel, Brendon Feeley\r\nand Sean Wilson.\r\nAdditional Resources\r\nDownload: CrowdStrike 2020 Global Threat Report.\r\nTo learn more about how to incorporate intelligence on threat actors into your security strategy, visit the\r\nCROWDSTRIKE FALCON® INTELLIGENCE™ Threat Intelligence page.\r\nLearn more about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product\r\nwebpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs\r\nagainst today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.crowdstrike.com/blog/wizard-spider-adversary-update/"
	],
	"report_names": [
		"wizard-spider-adversary-update"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434658,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a62728813dfcf5c3fe9ea4a71ca8021e30ceb51f.pdf",
		"text": "https://archive.orkl.eu/a62728813dfcf5c3fe9ea4a71ca8021e30ceb51f.txt",
		"img": "https://archive.orkl.eu/a62728813dfcf5c3fe9ea4a71ca8021e30ceb51f.jpg"
	}
}