{
	"id": "f6ab743b-76a6-4aa8-ad39-ff9dc7deaaf3",
	"created_at": "2026-04-06T00:15:22.992676Z",
	"updated_at": "2026-04-10T03:35:43.288968Z",
	"deleted_at": null,
	"sha1_hash": "d10c35458b0e3efe0f446e42ff0b737bb8b2f4de",
	"title": "Wicked Spider Adversary | Threat Actor Profile | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56894,
	"plain_text": "Wicked Spider Adversary | Threat Actor Profile | CrowdStrike\r\nBy AdamM\r\nArchived: 2026-04-02 12:07:08 UTC\r\nWICKED SPIDER (PANDA) is a suspected China-based adversary that likely operates as an exploitation\r\ngroup for hire. The use of two cryptonyms for this group exemplifies how this adversary has demonstrated two\r\ndifferent motivations for conducting malicious cyber operations. WICKED PANDA refers to the targeted intrusion\r\noperations of the actor publicly known as \"Winnti,\" whereas WICKED SPIDER represents this group's\r\nfinancially-motivated criminal activity. Originally, WICKED SPIDER was observed exploiting a number of\r\ngaming companies and stealing code-signing certificates for use in other operations associated with the malware\r\nknown as Winnti. Now, Winnti is commonly associated with the interests of the government of the People’s\r\nRepublic of China (PRC). The flexibility of the cryptonym system used by CrowdStrike to track adversaries is\r\nhighlighted by the case of WICKED PANDA/SPIDER. In this instance, one set of activity associated with\r\ncriminal motivations can be easily separated from a second set of behaviors by the same actor when operating in\r\nthe interest of a nation-state. The WICKED PANDA adversary makes use of a number of open-source and\r\ncustom tools to infect and move laterally in victim networks. Analysis of these tools and infrastructure linked\r\nto WICKED PANDA operations has traced these operations back to contractors who count multiple Chinese\r\ngovernment agencies as clients, including the Ministry of Public Security (MPS). Observed targeting by the\r\nWICKED PANDA adversary has focused on high-value entities in the engineering, manufacturing and technology\r\nsectors, aligning with the PRC’s strategic economic plans. WICKED PANDA has also targeted chemical and think\r\ntank sectors around the world. Most recently, our\r\ncyber threat intelligence and proactive threat hunting teams identified ongoing activity by WICKED PANDA\r\ntargeting organizations in the mining sector, where they attempted to perform lateral movement and credential\r\nharvesting before being contained by customer responders and the CrowdStrike Falcon® endpoint protection\r\nplatform. As for WICKED SPIDER, earlier this year the Falcon OverWatch team identified malicious activity on\r\nthe network of a company operating in the technology sector. The incident involved the PlugX malware, as well as\r\na scanning and exploitation tool for the ETERNALBLUE vulnerability with support for DOUBLEPULSAR.\r\nWicked Spider's Targets\r\nWICKED SPIDER has been observed targeting technology companies in Germany, Indonesia, the Russian\r\nFederation, South Korea, Sweden, Thailand, Turkey,\r\nthe United States, and elsewhere. Notably, WICKED SPIDER has often targeted gaming companies for their\r\ncertificates, which can be used in future PRC-based operations to sign malware. Ongoing analysis is still\r\nevaluating how these certificates are used — whether WICKED SPIDER hands the certificates off to other\r\nadversaries for use in future campaigns or stockpiles them for its own use.\r\nOther Known Criminal Adversaries\r\nhttps://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/\r\nPage 1 of 2\n\nCobalt Spider\r\nDungeon Spider\r\nMummy Spider\r\nCurious about other nation-state adversaries? Visit our threat actor center to learn about the new adversaries\r\nthat the CrowdStrike team discovers. Want the insights on the latest adversary tactics, techniques, and\r\nprocedures (TTPs)? Download the CrowdStrike 2020 Global Threat Report.\r\nSource: https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/"
	],
	"report_names": [
		"meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang ",
				"Cobalt Spider "
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "273a41a8-5115-4f55-865f-0960a765f18c",
			"created_at": "2022-10-25T16:07:24.397947Z",
			"updated_at": "2026-04-10T02:00:04.974605Z",
			"deleted_at": null,
			"main_name": "Wicked Spider",
			"aliases": [
				"APT 22",
				"Bronze Export",
				"Bronze Olive",
				"Wicked Spider"
			],
			"source_name": "ETDA:Wicked Spider",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EternalBlue",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa8d7ec6-128a-41b9-8cdc-01ad8843020f",
			"created_at": "2022-10-25T16:07:24.485077Z",
			"updated_at": "2026-04-10T02:00:05.005858Z",
			"deleted_at": null,
			"main_name": "Dungeon Spider",
			"aliases": [],
			"source_name": "ETDA:Dungeon Spider",
			"tools": [
				"Locky"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "00e7a6ed-1880-4391-b0b9-1f46fae0e5cc",
			"created_at": "2025-08-07T02:03:24.591024Z",
			"updated_at": "2026-04-10T02:00:03.717645Z",
			"deleted_at": null,
			"main_name": "BRONZE EXPORT",
			"aliases": [
				"TG-3279 ",
				"Wicked Spider "
			],
			"source_name": "Secureworks:BRONZE EXPORT",
			"tools": [
				"Conpee",
				"PlugX",
				"PwDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6898c5bc-48af-4e38-917b-f9f0a41d0ee2",
			"created_at": "2023-01-06T13:46:39.00984Z",
			"updated_at": "2026-04-10T02:00:03.179681Z",
			"deleted_at": null,
			"main_name": "DUNGEON SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:DUNGEON SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434522,
	"ts_updated_at": 1775792143,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d10c35458b0e3efe0f446e42ff0b737bb8b2f4de.pdf",
		"text": "https://archive.orkl.eu/d10c35458b0e3efe0f446e42ff0b737bb8b2f4de.txt",
		"img": "https://archive.orkl.eu/d10c35458b0e3efe0f446e42ff0b737bb8b2f4de.jpg"
	}
}