{
	"id": "05ec9edd-4838-44cb-af4f-4e16100d8064",
	"created_at": "2026-04-06T00:15:15.677323Z",
	"updated_at": "2026-04-10T13:12:50.159509Z",
	"deleted_at": null,
	"sha1_hash": "d6f1a8ac4d87f01eeac2310b34b5297452ed24ea",
	"title": "\"Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 682761,
	"plain_text": "\"Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER\r\nSharing the Same Web\r\nBy Brendon Feeley and Bex Hartley\r\nArchived: 2026-04-05 17:04:18 UTC\r\nCrowdStrike® Intelligence observed a new campaign from a LUNAR SPIDER affiliate to distribute WIZARD\r\nSPIDER's TrickBot malware on Feb. 7, 2019. However, this latest campaign is somewhat unique due to a custom\r\nvariant of a TrickBot module that (to date) is only associated with this campaign. The WIZARD SPIDER threat\r\ngroup is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal\r\nenterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern\r\nEuropean-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which\r\nwas first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of\r\ncapabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution\r\nfunction. Campaigns involving both BokBot and TrickBot were first identified by CrowdStrike Intelligence in\r\nJuly 2017. In these campaigns, victim machines infected with BokBot issued a command to download and execute\r\na TrickBot payload. A somewhat sporadic relationship between the two adversaries has continued since then,\r\nalthough this most recent campaign likely signals a more intimate phase of that relationship.\r\nTrickBot Distribution\r\nOn Feb. 7, 2019, LUNAR SPIDER’s BokBot project ID C610DF9A was seen downloading and executing a loader\r\nfrom http://tfulf\u003c.\u003ehost/Sw9HJmXzq.exe. The custom loader subsequently downloaded a TrickBot loader\r\nfrom http://185.68.93\u003c.\u003e30/sin.png . The configuration file of this sample indicates it is TrickBot version\r\n1000351 and belongs to the group tag (gtag) sin2. 
The gtags with a prefix of sin have been related to\r\nLUNAR SPIDER activity as the successor to the previously associated mom gtag prefix. The full TrickBot\r\nconfiguration file, including command-and-control (C2) servers, can be seen below.\r\nhttps://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/\r\nPage 1 of 8\n\nModified TrickBot Module\nThis activity follows the previous pattern of BokBot assisting in the delivery of TrickBot. However, the most\ninteresting thing about the custom loader is the embedded, Base64-encoded Portable Executable (PE) file shown\nin Figure 1.\nFigure 1. Base64-Encoded PE File\nThe embedded PE file is extracted by the custom loader, then decoded and executed. Analysis revealed that this\ndecoded PE file is, in fact, a modified version of the TrickBot lateral movement module shareDll . Typically,\nTrickBot modules are downloaded as a dynamic link library (DLL) with a standard set of exports, named Start,\nControl and Release . This DLL would then be injected into a child svchost.exe process within the TrickBot\nmodular framework. However, in the absence of this framework, the shareDll module distributed by BokBot is\na PE file. In addition, the strings within a standard TrickBot module are not obfuscated or protected in any way.\nHowever, the module distributed by BokBot contains strings that are both encrypted with 256-bit AES, with a\nderived key and initialization vector (IV), and Base64-encoded with the custom alphabet of\nterKSDozBw1l24IyCL6AHh/+5WRiGnj3xJQ8YkEbcgOZVNPamMsuUTpd0q9vFfX7. 
The strings are stored in an encrypted\nstring table (shown in Figure 2) in the exact same way as the main TrickBot loader, and decrypted when they are\nneeded.\nFigure 2. Custom Base64 Alphabet and Encrypted Strings\r\nTable 1 below outlines the key identified differences between the two variants of the shareDll module.\r\nBokBot Distributed shareDll | TrickBot Distributed shareDll\r\nPE file | DLL file\r\nObfuscated | Little or no obfuscation\r\nNo exports | Start, Control, and Release exports\r\nTable 1. Compares Key Differences Between Two Variants of ShareDLL\r\nThe primary function of the shareDll\r\nmodule in both cases is to attempt lateral movement within the victim’s network, to reach machines accessible by\r\nthe currently logged-on user. In the BokBot distributed instance, once an accessible machine has been located, the\r\nmodified spreader module will attempt to download the TrickBot loader located at\r\nhttp://185.68.93\u003c.\u003e30/sin.png or http://185.68.93\u003c.\u003e30/win.png and install TrickBot on the accessible\r\nnetwork machine. The whole process of BokBot installing TrickBot on the local machine and moving laterally\r\naround the network is illustrated in Figure 3.\r\nFigure 3. BokBot Installation of TrickBot and Lateral Movement Using ShareDll\r\nRenamed Modules\r\nBeginning on Feb. 8, 2019, CrowdStrike Intelligence observed further development in this intriguing relationship\r\nwhen renamed TrickBot modules were delivered to victims of the gtags sin2 and sin4. These gtags have been\r\nclosely associated with LUNAR SPIDER activity. 
The renamed modules and their respective SHA256 hashes are\r\nshown in Table 2 and contain the strings sin, tin, and win.\r\nModule Name | Module SHA256 Hash\r\nsharesinDll32 | eefd209ba6afff5830d5510e68b2af90df200550d8ca4c40029baa93a0f01999\r\nsharesinDll32 | 1b84f604847be0dbdf19ca169deb22b0245ca6f4bc2877b7a0ceeffa0436d7b3\r\nsharesinDll32 | ea3c70d82f3b4fe8d0914cc58669da0f3f116aa20f0661d68f826fd55763ef50\r\nsharesinDll64 | 93da209d2fdb49df19b53089bb1820aa0183e9f207ea87b51b49faa74f8e76ba\r\nsharesinDll64 | 915e416576be4b459c19941cc86a84fb0d66f54964552be0f69045b89323d2f7\r\nsharesinDll64 | 6d8551194b12655b4605f046a754257f69b1ee250f21e32466db54797a45c7c0\r\ntabtinDll32 | aa074b7a1ce29abd9141dc18ca603f2ed2764ae1afabb92eb2f9e4dc008d99d6\r\ntabtinDll32 | ba5bd732466a41636217b639a7a2aff1038a80bc29bd80c0532609d53297051f\r\ntabtinDll64 | 7023bbd875635b35fdc0eba303143be76afb50c0f34e8d79e8d0daba1d984b60\r\ntabtinDll64 | 13b8ab8ce0aa9db161c065c6bf2fdbb50c6fd82fe48e4576abc4b8c3136f925e\r\nwormwinDll32 | cac2f117d8b4f1fc40dd0921ea91312ad8129df3556444e41fda8d27c81e02cd\r\nwormwinDll32 | d51644cefd34dd7e1ec32a3e0336f9c479c196527e8baea6e85937254cecfe99\r\nwormwinDll64 | 8c20b33374c280e9fd98113304843a339f738647cc13daf8f60312b9fef6b702\r\nwormwinDll64 | e8ecceb0cbc0e6aefab5ac47a9e69f7926317d9e4f9a782b8df418c67a8d0661\r\nTable 2. Renamed Modules and Associated SHA256 Hashes\r\nUnlike the changes identified in the TrickBot module\r\nshareDll being distributed by BokBot, the modules sharesinDll, tabtinDll, and wormwinDll remain\r\nfunctionally equivalent to the TrickBot deployed modules shareDll, tabDll, and wormDll, respectively, and\r\nretain the typical characteristics of a TrickBot module. More explicitly, the modules are DLLs, contain no\r\nencrypted strings, and have the standard TrickBot exports of Start, Control, and Release. 
CrowdStrike\r\nFalcon® endpoint provides protection coverage against these threats through behavioral IOA and machine\r\nlearning.\r\nConclusion\r\nIt is unclear at this stage what purpose the module renaming serves, but it may be a method of tracking activity\r\nfrom those modules specifically associated with the aforementioned gtags. Additionally, CrowdStrike Intelligence\r\nis exploring a possible connection between the TrickBot affiliate operating sin-prefixed TrickBot gtags and the\r\nBokBot affiliate operating the project ID C610DF9A, due to the recent introduction of the previously mentioned\r\ncustom TrickBot module. Of note, BokBot has aided the distribution of TrickBot, with the standard module set,\r\nthrough other BokBot project IDs for some time. Another key point to note about this recent development is the\r\nhistorical relationship that previously existed between the developers and operators of the banking malware\r\nfamilies Dyre (aka Dyreza) and Neverquest (aka Vawtrak). This relationship is key because:\r\n- WIZARD SPIDER includes members that were a part of the same group that had developed and operated Dyre.\r\n- LUNAR SPIDER includes members that were a part of the same group that had developed and operated Neverquest.\r\nDespite being successful malware operations, both Dyre and Neverquest suddenly ceased operating in November\r\n2015 and May 2017, respectively (Figure 4). LUNAR SPIDER had already introduced BokBot to the criminal\r\nmarket at the time Neverquest operations ceased, suggesting that the malware change may have been planned.\r\nConversely, the Dyre operation ceased following Russian law enforcement action in which the offices of a\r\nMoscow-based film and production company, named 25th Floor, were raided in November 2015. Although no\r\ndetails were released by Russian law enforcement, it was speculated that the office played a part in the operation\r\nof Dyre. 
There was a one-year delay before the release of the TrickBot malware, which contains key similarities to\r\nthe Dyre malware, but the operation was immediately successful and grew swiftly.\r\nFigure 4. Timeline of Malware Operating Dates\r\nAlthough BokBot has aided the distribution of TrickBot since 2017, the development of custom TrickBot modules\r\nfor the specific campaign has not been observed before. This significant development demonstrates a close\r\nrelationship between the members of LUNAR SPIDER and WIZARD SPIDER. CrowdStrike Intelligence assesses\r\nthat the historical relationship established during the operations of Dyre and Neverquest has been reinvigorated\r\nand solidified now that both WIZARD SPIDER and LUNAR SPIDER have established successful malware\r\noperations.\r\nSource: https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/"
	],
	"report_names": [
		"sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9",
			"created_at": "2023-01-06T13:46:38.916521Z",
			"updated_at": "2026-04-10T02:00:03.144667Z",
			"deleted_at": null,
			"main_name": "LUNAR SPIDER",
			"aliases": [
				"GOLD SWATHMORE"
			],
			"source_name": "MISPGALAXY:LUNAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8492b1a0-126f-4113-b8f7-101d28559629",
			"created_at": "2023-01-06T13:46:38.864213Z",
			"updated_at": "2026-04-10T02:00:03.126178Z",
			"deleted_at": null,
			"main_name": "GRIM SPIDER",
			"aliases": [
				"GOLD ULRICK"
			],
			"source_name": "MISPGALAXY:GRIM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f",
			"created_at": "2024-06-19T02:03:08.122318Z",
			"updated_at": "2026-04-10T02:00:03.652418Z",
			"deleted_at": null,
			"main_name": "GOLD SWATHMORE",
			"aliases": [
				"Lunar Spider "
			],
			"source_name": "Secureworks:GOLD SWATHMORE",
			"tools": [
				"Cobalt Strike",
				"GlobeImposter",
				"Gozi",
				"Gozi Trojan",
				"IcedID",
				"Latrodectus",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "475ea823-9e47-4098-b235-0900bc1a5362",
			"created_at": "2022-10-25T16:07:24.506596Z",
			"updated_at": "2026-04-10T02:00:05.015497Z",
			"deleted_at": null,
			"main_name": "Lunar Spider",
			"aliases": [
				"Gold SwathMore"
			],
			"source_name": "ETDA:Lunar Spider",
			"tools": [
				"BokBot",
				"IceID",
				"IcedID",
				"NeverQuest",
				"Vawtrak",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434515,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6f1a8ac4d87f01eeac2310b34b5297452ed24ea.pdf",
		"text": "https://archive.orkl.eu/d6f1a8ac4d87f01eeac2310b34b5297452ed24ea.txt",
		"img": "https://archive.orkl.eu/d6f1a8ac4d87f01eeac2310b34b5297452ed24ea.jpg"
	}
}