{ "id": "6c3b387f-72dc-4a5b-b375-d51c4f9e7922", "created_at": "2026-04-06T00:15:26.282389Z", "updated_at": "2026-04-10T13:12:08.739754Z", "deleted_at": null, "sha1_hash": "c8c7a1cd174389190af277b2d3d92a2b5f47e753", "title": "Sanctions Be Damned | From Dridex To Macaw, The Evolution of Evil Corp", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 31534, "plain_text": "Sanctions Be Damned | From Dridex To Macaw, The Evolution of\r\nEvil Corp\r\nBy Author:\r\nArchived: 2026-04-05 12:59:18 UTC\r\n1SA N C T I O N S B E DA M N E D | F R O M D R I D E X TO M AC AW, T H E E VO LU T I O N O F E V I\r\nL CO R P\r\nSANCTIONS BE DAMNED |\r\nFROM DRIDEX TO MACAW,\r\nTHE EVOLUTION OF EVIL CORP\r\nAuthor: Antonio Pirozzi, Antonis Terefos and Idan Weizman February 2022 SentinelLABS Research Team\r\n2SA N C T I O N S B E DA M N E D | F R O M D R I D E X TO M AC AW, T H E E VO LU T I O N O F E V I\r\nL CO R P\r\nTABLE OF\r\nCONTENTS\r\n3 EXECUTIVE SUMMMARY\r\n4 BACKGROUND\r\n6 THE EVIL CORP\r\nMALWARE LINEAGE\r\n28 OTHER TOOLSET EXPANSION\r\n29 MACAW LOCKER\r\nRANSOMWARE\r\n34 CRYPTONE: THE PACKER\r\n44 INFRASTRUCTURE OVERLAPS\r\n46 CONCLUSIONS\r\n48 MITRE ATT\u0026CK\r\nTTPS OBSERVED\r\n52 YARA RULES\r\n53 INDICATORS OF\r\nCOMPROMISE [IOCS]\r\n60 APPENDIX\r\n63 ABOUT SENTINELLABS\r\nSource: https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp\r\nhttps://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp" ], "report_names": [ "sentinellabs_EvilCorp" ], "threat_actors": [ { "id": "50068c14-343c-4491-b568-df41dd59551c", "created_at": "2022-10-25T15:50:23.253218Z", "updated_at": "2026-04-10T02:00:05.234464Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Indrik Spider", "Evil Corp", "Manatee Tempest", "DEV-0243", "UNC2165" ], "source_name": "MITRE:Indrik Spider", "tools": [ "Mimikatz", "PsExec", "Dridex", "WastedLocker", "BitPaymer", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "b296f34c-c424-41da-98bf-90312a5df8ef", "created_at": "2024-06-19T02:03:08.027585Z", "updated_at": "2026-04-10T02:00:03.621193Z", "deleted_at": null, "main_name": "GOLD DRAKE", "aliases": [ "Evil Corp", "Indrik Spider ", "Manatee Tempest " ], "source_name": "Secureworks:GOLD DRAKE", "tools": [ "BitPaymer", "Cobalt Strike", "Covenant", "Donut", "Dridex", "Hades", "Koadic", "LockBit", "Macaw Locker", "Mimikatz", "Payload.Bin", "Phoenix CryptoLocker", "PowerShell Empire", "PowerSploit", "SocGholish", "WastedLocker" ], "source_id": "Secureworks", "reports": null }, { "id": "9806f226-935f-48eb-b138-6616c9bb9d69", "created_at": "2022-10-25T16:07:23.73153Z", "updated_at": "2026-04-10T02:00:04.729977Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Blue Lelantos", "DEV-0243", "Evil Corp", "G0119", "Gold Drake", "Gold Winter", "Manatee Tempest", "Mustard Tempest", "UNC2165" ], "source_name": "ETDA:Indrik Spider", "tools": [ "Advanced Port Scanner", "Agentemis", "Babuk", "Babuk Locker", "Babyk", "BitPaymer", "Bugat", "Bugat v5", "Cobalt Strike", "CobaltStrike", "Cridex", "Dridex", "EmPyre", "EmpireProject", "FAKEUPDATES", "FakeUpdate", "Feodo", "FriedEx", "Hades", "IEncrypt", "LINK_MSIEXEC", "MEGAsync", "Macaw Locker", "Metasploit", "Mimikatz", "PayloadBIN", "Phoenix Locker", "PowerShell Empire", "PowerSploit", "PsExec", "QNAP-Worm", "Raspberry Robin", "RaspberryRobin", "SocGholish", "Vasa Locker", "WastedLoader", "WastedLocker", "cobeacon", "wp_encrypt" ], "source_id": "ETDA", "reports": null }, { "id": "6c4f98b3-fe14-42d6-beaa-866395455e52", "created_at": "2023-01-06T13:46:39.169554Z", "updated_at": "2026-04-10T02:00:03.23458Z", "deleted_at": null, "main_name": "Evil Corp", "aliases": [ "GOLD DRAKE" ], "source_name": "MISPGALAXY:Evil Corp", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434526, "ts_updated_at": 1775826728, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c8c7a1cd174389190af277b2d3d92a2b5f47e753.pdf", "text": "https://archive.orkl.eu/c8c7a1cd174389190af277b2d3d92a2b5f47e753.txt", "img": "https://archive.orkl.eu/c8c7a1cd174389190af277b2d3d92a2b5f47e753.jpg" } }