{
	"id": "a9c60cfc-76a9-4f3b-9d0c-36114db9eef7",
	"created_at": "2026-04-06T01:32:00.770305Z",
	"updated_at": "2026-04-10T13:11:31.597583Z",
	"deleted_at": null,
	"sha1_hash": "e7a8afe336429efa2b249023bdeed038a84302c2",
	"title": "Tracking Adversaries: EvilCorp, the RansomHub affiliate",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 237637,
	"plain_text": "Tracking Adversaries: EvilCorp, the RansomHub affiliate\r\nBy BushidoToken\r\nPublished: 2025-04-02 · Archived: 2026-04-06 00:12:16 UTC\r\nIntroduction\r\nThis blog is part of a cyber threat intelligence (CTI) blog series called Tracking Adversaries that investigates prominent or new threat groups.\r\nThe focus of this blog is EvilCorp, a sanctioned Russia-based cybercriminal enterprise known for launching ransomware attacks, and RansomHub, a prominent ransomware as a service (RaaS) operation run by Russian-speaking cybercriminals.\r\nThese two threat groups have been linked together through cooperation on intrusions and through IOCs and TTPs shared by multiple CTI sources. The implication of this link is critical: RansomHub is the most active ransomware gang, and it is working with a well-known sanctioned affiliate.\r\nWho is RansomHub?\r\nhttps://blog.bushidotoken.net/2025/04/tracking-adversaries-evilcorp-ransomhub.html\r\nPage 1 of 5\n\nActive since February 2024, RansomHub is a RaaS operation formerly known as Cyclops and Knight and is run by Russian-speaking adversaries. It is increasingly used by cybercriminals who are ex-affiliates of other RaaS operations, including the ALPHV/BlackCat RaaS and the LockBit RaaS, which have since shut down or disappeared. This has made the RansomHub RaaS one of the most widespread ransomware families as of early 2025.\r\nDue to having a high number of affiliates, the tools and TTPs observed before the final RansomHub payload is deployed can vary significantly. Each affiliate may have their own set of tools and TTPs to achieve the final objectives of data exfiltration and ransomware deployment.\r\nWho is EvilCorp?\r\nEvil Corp is an international cybercrime network, led by Maksim Yakubets, that was sanctioned for orchestrating large-scale financial cyberattacks. 
EvilCorp’s operations have evolved over time, expanding from Dridex banking trojan campaigns into developing ransomware such as BitPaymer, WastedLocker, Hades, PhoenixLocker, and MacawLocker.\r\nNotably, Aleksandr Ryzhenkov was identified by the National Crime Agency (NCA) as a high-ranking member of EvilCorp and also as a LockBit affiliate. Ryzhenkov became a LockBit affiliate around 2022, contributing to over 60 LockBit ransomware builds and attempting to extort more than $100 million from victims. This discovery aligns with Mandiant’s previous reporting on EvilCorp shifting to LockBit as well.\r\nThe NCA also found that EvilCorp maintains close ties with Russian intelligence agencies through Yakubets' father-in-law, Eduard Bendersky, a former FSB officer, who is suspected of using his influence to shield the group from prosecution in Russia.\r\nOne of the TTPs that makes EvilCorp stand out from the rest of the RaaS affiliates is its own affiliation with the SocGholish JavaScript malware (aka FAKEUPDATES). If ransomware deployment takes place following a SocGholish infection, then the attackers responsible for the attack will be affiliated with EvilCorp.\r\nReported Connections Between EvilCorp and RansomHub\r\nOn 15 July 2024, Microsoft shared a post on X stating that RansomHub was observed being deployed in post-compromise activity by Manatee Tempest (which is Microsoft’s name for EvilCorp) following initial access via SocGholish (aka FakeUpdates) infections (which Microsoft tracks as Mustard Tempest).\r\nOn 15 January 2025, Guidepoint wrote a blog on a new Python backdoor used by an affiliate of RansomHub. Notably, the new Python backdoor was delivered by SocGholish. 
Therefore, this Python backdoor is another potential artifact worth monitoring for its connection to known EvilCorp-related malware.\r\nThe next day, on 16 January 2025, Google shared a report on EvilCorp (which Google tracks as UNC2165) that disclosed numerous tools and malware families they have been using to deliver RansomHub, including a Python backdoor dubbed VIPERTUNNEL (see the image below). The presence of a Python backdoor following a SocGholish infection is a notable TTP that overlaps with the Guidepoint blog on RansomHub.\r\nOn 14 March 2025, Trend Micro disclosed further details that also confirmed the SocGholish malware is leading to the deployment of RansomHub ransomware. The operators of SocGholish are tracked as Water Scylla by Trend Micro. The operators distribute SocGholish via the Keitaro Traffic Direction System (TDS), a legitimate service used for marketing campaigns. Trend Micro also observed SocGholish dropping the same custom Python backdoor (aka VIPERTUNNEL).\r\nSo What?\r\nEvilCorp has been under US sanctions since 2019, making it illegal for affected organisations to pay ransoms to them without facing potential fines from the US Treasury’s Office of Foreign Assets Control (OFAC). Despite these sanctions, EvilCorp has continued its cybercriminal activities by adapting its tactics to include rebranding their ransomware and becoming an affiliate of RaaS operations, such as LockBit and RansomHub.\r\nThe key indicator of EvilCorp's involvement in ransomware attacks continues to be the use of the SocGholish malware, which employs drive-by downloads masquerading as web browser software updates to gain initial access to systems.\r\nEvilCorp’s affiliation with RansomHub raises the possibility that RansomHub may soon face sanctions similar to those imposed on EvilCorp. 
Consequently, any ransom payment to RansomHub could become significantly riskier for victims, cyber insurance organisations, incident responders, and ransomware negotiators, as they may inadvertently violate sanctions and face legal repercussions.\r\nGiven EvilCorp's prominence as a target for international law enforcement, its association with RansomHub is likely to draw increased scrutiny. This could result in RansomHub becoming the focus of future law enforcement actions, including potential takedowns and additional sanctions, further complicating the landscape for entities involved in ransomware response and mitigation.\r\nThere is also the increased likelihood that RansomHub will now rebrand. As we saw in the BlackBasta Leaks, ransomware groups pay close attention to the news, CTI reports, and even posts on X and blogs by researchers. This association with EvilCorp and the threat of sanctions is an issue for ransomware groups, as it impacts their business model and makes earning harder. Therefore, by linking the two entities together, CTI analysts can impose costs on these cybercriminals.\r\nReferences:\r\n1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a\r\n2. https://www.bankinfosecurity.com/blogs/ransomhub-hits-powered-by-ex-affiliates-lockbit-blackcat-p-3703\r\n3. https://www.ransomware.live/group/ransomhub#ttps\r\n4. https://home.treasury.gov/news/press-releases/sm845\r\n5. https://web.archive.org/web/20200213115628/https:/www.nationalcrimeagency.gov.uk/news/international-law-enforcement-operation-exposes-the-world-s-most-harmful-cyber-crime-group\r\n6. https://www.crowdstrike.com/en-us/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/\r\n7. 
https://web.archive.org/web/20241004104429/https:/www.nationalcrimeagency.gov.uk/news/further-evil-corp-cyber-criminals-exposed-one-unmasked-as-lockbit-affiliate\r\n8. https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0206-DEV-0243\r\n9. https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates\r\n10. https://x.com/msftsecintel/status/1812932754947911780\r\n11. https://www.microsoft.com/en-gb/security/security-insider/manatee-tempest\r\n12. https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/\r\n13. https://services.google.com/fh/files/misc/threat_horizons_report_h1_2025.pdf\r\n14. https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html\r\n15. https://blog.bushidotoken.net/2025/02/blackbasta-leaks-lessons-from-ascension.html\r\nSource: https://blog.bushidotoken.net/2025/04/tracking-adversaries-evilcorp-ransomhub.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.bushidotoken.net/2025/04/tracking-adversaries-evilcorp-ransomhub.html"
	],
	"report_names": [
		"tracking-adversaries-evilcorp-ransomhub.html"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2eb5ae35-e3ae-4b76-a945-5e6c2cfc1942",
			"created_at": "2024-02-02T02:00:04.028297Z",
			"updated_at": "2026-04-10T02:00:03.530787Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"DEV-0206",
				"Purple Vallhund"
			],
			"source_name": "MISPGALAXY:Mustard Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439120,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7a8afe336429efa2b249023bdeed038a84302c2.pdf",
		"text": "https://archive.orkl.eu/e7a8afe336429efa2b249023bdeed038a84302c2.txt",
		"img": "https://archive.orkl.eu/e7a8afe336429efa2b249023bdeed038a84302c2.jpg"
	}
}