{
	"id": "2caebd82-8b03-4b47-963b-bd4fbef675fd",
	"created_at": "2026-04-06T00:22:29.111334Z",
	"updated_at": "2026-04-10T13:11:20.933514Z",
	"deleted_at": null,
	"sha1_hash": "ea815063063a990b31558abf20506283b2918ad3",
	"title": "New Evidence Proves Ongoing WIZARD/LUNAR SPIDER Collaboration",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67631,
	"plain_text": "New Evidence Proves Ongoing WIZARD/LUNAR SPIDER\r\nCollaboration\r\nBy Brendon.Feeley.Brett.Stone-Gross\r\nArchived: 2026-04-05 14:13:53 UTC\r\nOn March 17, 2019, CrowdStrike® Intelligence observed the use of a new BokBot (developed and operated by\r\nLUNAR SPIDER) proxy module in conjunction with TrickBot (developed and operated by WIZARD SPIDER),\r\nwhich may provide WIZARD SPIDER with additional tools to steal sensitive information and conduct fraudulent\r\nwire transfers. This activity also provides further evidence to support the existence of a flourishing relationship\r\nbetween these two actors. WIZARD SPIDER’s TrickBot banking malware began distributing a new proxy module\r\nnamed shadDll to group tags (gtags) prefixed with sin and tin . These gtags have previously been\r\nassociated with LUNAR SPIDER’s BokBot (a.k.a. IcedID) malware, which was discussed in a previous blog. The\r\nmodule contains identical functionality to that of the BokBot proxy module. The new proxy module incorporates\r\nmany of the most potent BokBot features within the extensible, modular framework of the TrickBot malware.\r\nBinary code analysis revealed that the shadDll TrickBot module is 81 percent similar to the BokBot proxy\r\nmodule with 99 percent confidence.\r\nMan-in-the-Middle Attacks\r\nThis new TrickBot module, shadDll , is primarily responsible for performing man-in-the-middle (MITM)\r\nattacks against web browsers on infected hosts, achieved by hooking networking functions and installing\r\nillegitimate SSL certificates. Once the malware is able to intercept SSL traffic, it can use the various BokBot\r\nconfiguration entries to strategically redirect web traffic, inject code, take screenshots, and otherwise manipulate\r\nvictims’ browsing experience. The shadDll module contains typical characteristics of a TrickBot module. More\r\nexplicitly, the modules are dynamic link libraries (DLLs), they contain no TrickBot encrypted strings, and they\r\nhave the standard TrickBot exports of Start, Control and Release . Although the shadDll module contains\r\nno TrickBot-encrypted strings, it does contain strings obfuscated using the custom XOR encoding used in the\r\nBokBot proxy module.\r\nHard-Coded DN Values\r\nOf particular interest is the following hard-coded distinguished name (DN) values, which are identical to the ones\r\nfound within the illegitimate certificates that the BokBot proxy module uses for performing MITM attacks. C=US;\r\nO=VeriSign, Inc.; OU=VeriSign Trust Network; OU=(c) 2006 VeriSign, Inc. - For authorized use only;\r\nCN=VeriSign Class 3 Public Primary Certification Authority - G5\r\nFurther Solidification of Two eCrime Groups\r\nThis development between WIZARD SPIDER and LUNAR SPIDER further solidifies the connection between the\r\ntwo groups, which stretches back to the Dyre (a.k.a. Dyreza) and Neverquest era. CrowdStrike Intelligence will\r\nhttps://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/\r\nPage 1 of 2\n\ncontinue to monitor this intriguing working relationship and mutual integration. A detailed analysis of the BokBot\r\nproxy module that is now being distributed by TrickBot is presented in this follow-up blog post.\r\nIndicators of Compromise (IOCs)\r\nModule Name SHA256 Hash\r\nshadDll32 dfea3d7607e72d4dff86be0ba30ec0620dc54d5d2a50799bbefe1e495e9accdd\r\nshadDll64 2b5c064e269247be0dc1a4a20a7968206c9b82219daab7b10994f52770f68661\r\nAdditional Resources\r\nDownload the 2020Global Threat Report.\r\nRead our report on CrowdStrike Falcon® Intelligence Automated Threat Intelligence to learn why\r\nactionable threat intelligence is the next step in SOC evolution.\r\nLearn more about comprehensive endpoint protection with the CrowdStrike Falcon® platform by visiting\r\nthe product page.\r\nTest CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.\r\nSource: https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/\r\nhttps://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/"
	],
	"report_names": [
		"wizard-spider-lunar-spider-shared-proxy-module"
	],
	"threat_actors": [
		{
			"id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9",
			"created_at": "2023-01-06T13:46:38.916521Z",
			"updated_at": "2026-04-10T02:00:03.144667Z",
			"deleted_at": null,
			"main_name": "LUNAR SPIDER",
			"aliases": [
				"GOLD SWATHMORE"
			],
			"source_name": "MISPGALAXY:LUNAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f",
			"created_at": "2024-06-19T02:03:08.122318Z",
			"updated_at": "2026-04-10T02:00:03.652418Z",
			"deleted_at": null,
			"main_name": "GOLD SWATHMORE",
			"aliases": [
				"Lunar Spider "
			],
			"source_name": "Secureworks:GOLD SWATHMORE",
			"tools": [
				"Cobalt Strike",
				"GlobeImposter",
				"Gozi",
				"Gozi Trojan",
				"IcedID",
				"Latrodectus",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "475ea823-9e47-4098-b235-0900bc1a5362",
			"created_at": "2022-10-25T16:07:24.506596Z",
			"updated_at": "2026-04-10T02:00:05.015497Z",
			"deleted_at": null,
			"main_name": "Lunar Spider",
			"aliases": [
				"Gold SwathMore"
			],
			"source_name": "ETDA:Lunar Spider",
			"tools": [
				"BokBot",
				"IceID",
				"IcedID",
				"NeverQuest",
				"Vawtrak",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434949,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea815063063a990b31558abf20506283b2918ad3.pdf",
		"text": "https://archive.orkl.eu/ea815063063a990b31558abf20506283b2918ad3.txt",
		"img": "https://archive.orkl.eu/ea815063063a990b31558abf20506283b2918ad3.jpg"
	}
}