{
	"id": "9ee191e9-ca9e-42f8-85c8-f37cd461f35b",
	"created_at": "2026-04-06T00:12:48.24099Z",
	"updated_at": "2026-04-10T03:31:09.785656Z",
	"deleted_at": null,
	"sha1_hash": "eca6371c0135d89caee7ae41a8d793963dd08443",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49439,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 21:23:18 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Hades\n Tool: Hades\nNames Hades\nCategory Malware\nType Ransomware, Big Game Hunting\nDescription\n(Accenture) At this time, it is unclear if the unknown threat group operates under an affiliate\nmodel, or if Hades is distributed by a single group. Under an affiliate model, developers\npartner with affiliates who are responsible for various tasks or stages of the operation lifecycle,\nsuch as distributing the malware, providing initial access to organizations or even target\nselection and reconnaissance. However, based on intrusion data from incident response\nengagements, the operators tailor their tactics and tooling to carefully selected targets and run\na more “hands on keyboard” operation to inflict maximum damage and higher payouts.\nIn addition, we identified similarities in the Hades ransom notes to those that have been used\nby REvil ransomware operators, where portions of the ransom notes observed contain identical\nwording. The differentiating factors in the ransom notes are the operators’ contact information\nand the formatting of the ransom notes. While the ransom notes are similar, we do not have\nany evidence to suggest the threat groups or operations have any overlap at this time.\nInformation\nMalpedia Last change to this tool card: 08 August 2021\nDownload this tool card in JSON format\nAll groups using tool Hades\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=775f96e0-e868-40ee-9968-20998f571240\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  Indrik Spider 2007-Oct 2024\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=775f96e0-e868-40ee-9968-20998f571240\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=775f96e0-e868-40ee-9968-20998f571240\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=775f96e0-e868-40ee-9968-20998f571240"
	],
	"report_names": [
		"listgroups.cgi?u=775f96e0-e868-40ee-9968-20998f571240"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434368,
	"ts_updated_at": 1775791869,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eca6371c0135d89caee7ae41a8d793963dd08443.pdf",
		"text": "https://archive.orkl.eu/eca6371c0135d89caee7ae41a8d793963dd08443.txt",
		"img": "https://archive.orkl.eu/eca6371c0135d89caee7ae41a8d793963dd08443.jpg"
	}
}