{
	"id": "dcf42f1d-5c64-4e7c-985b-765365406b8d",
	"created_at": "2026-04-06T00:16:53.464327Z",
	"updated_at": "2026-04-10T13:12:36.67399Z",
	"deleted_at": null,
	"sha1_hash": "f1dc82cab8b05b7694a9f8bba1cdad811fcc86a6",
	"title": "Doppel Spider - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77296,
	"plain_text": "Doppel Spider - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:45:03 UTC\nAPT group: Doppel Spider\nNames\nDoppel Spider (CrowdStrike)\nGold Heron (SecureWorks)\nGrief Group (self given)\nCountry Russia\nMotivation Financial gain\nFirst seen 2019\nDescription\n(CrowdStrike) CrowdStrike Intelligence has identified a new ransomware variant identifying itself as\nBitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019,\nincluding attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture.\nWe have dubbed this new ransomware DoppelPaymer because it shares most of its code with the\nBitPaymer ransomware operated by Indrik Spider. However, there are a number of differences between\nDoppelPaymer and BitPaymer, which may signify that one or more members of Indrik Spider have\nsplit from the group and forked the source code of both Dridex and BitPaymer to start their own Big\nGame Hunting ransomware operation.\nDoppelPaymer has been observed to be distributed by Smoke Loader (operated by Smoky Spider) and\nEmotet (operated by Mummy Spider, TA542).\nObserved\nSectors: Government, Manufacturing.\nCountries: Austria, Brazil, Canada, Chile, Dominican Republic, France, Germany, Greece, Italy,\nMexico, Portugal, Spain, Switzerland, Thailand, UK, USA.\nTools used Cobalt Strike, DoppelPaymer, Grief.\nOperations performed\nFeb 2020\nThe DoppelPaymer Ransomware is the latest family threatening to sell or publish a\nvictim's stolen files if they do not pay a ransom demand.\nMar 2020\nRansomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after\ncontractor refuses to pay\nJun 2020\nDoppelPaymer ransomware gang claims to have breached DMI, a major US IT and\ncybersecurity provider, and one of NASA's IT contractors.\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9e088fdc-e4b7-4ab2-b7b5-8b85b4f7b8b8\nPage 1 of 3\nAug 2020\nUK research university Newcastle University says that it will take several weeks to get\nIT services back online after DoppelPaymer ransomware operators breached its network\nand took systems offline on the morning of August 30th.\nSep 2020\nDeath occurred after a patient was diverted to a nearby hospital after the Duesseldorf\nUniversity Hospital suffered a ransomware attack.\nOct 2020\nOn October 7th, Hall County in Georgia announced that they had suffered a ransomware\nattack that impacted their networks and phone systems.\nNov 2020\nCompal, the second-largest laptop manufacturer in the world, hit by ransomware\nNov 2020\nMasterChef, Big Brother producer hit by DoppelPaymer ransomware\nDec 2020\nFoxconn electronics giant hit by ransomware, $34 million ransom\nFeb 2021\nKia Motors America suffers ransomware attack, $20 million ransom\nApr 2021\nBreach of the Illinois Attorney General’s Office\nJul 2021\nDoppelPaymer ransomware gang rebrands as the Grief group\nSep 2021\nRansomware gang threatens to wipe decryption key if negotiator hired\nSep 2021\nGrief Gang’s New Quadruple Extortion Scheme Doesn’t Change the Game\nOct 2021\nGrief Ransomware Gang Claims 41 New Victims, Targeting Manufacturers;\nMunicipalities; \u0026 Service Companies in U.K. \u0026 Europe\nOct 2021\nNRA: No comment on Russian ransomware gang attack claims\nCounter operations\nFeb 2023\nGermany and Ukraine hit two high-value ransomware targets\nSep 2023\nDoppelPaymer ransomware group suspects identified\nMay 2025\nMoldova arrests suspect linked to DoppelPaymer ransomware attacks\nInformation\nLast change to this card: 27 June 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9e088fdc-e4b7-4ab2-b7b5-8b85b4f7b8b8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9e088fdc-e4b7-4ab2-b7b5-8b85b4f7b8b8"
	],
	"report_names": [
		"showcard.cgi?u=9e088fdc-e4b7-4ab2-b7b5-8b85b4f7b8b8"
	],
	"threat_actors": [
		{
			"id": "539855ac-def3-46a0-a490-f33abde7976f",
			"created_at": "2025-08-07T02:03:24.802704Z",
			"updated_at": "2026-04-10T02:00:03.718613Z",
			"deleted_at": null,
			"main_name": "GOLD ANDREW",
			"aliases": [
				"Smoky Spider "
			],
			"source_name": "Secureworks:GOLD ANDREW",
			"tools": [
				"Smoke Loader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "058823d4-60c2-42ab-a3aa-4c10f0ff37c9",
			"created_at": "2022-10-25T16:07:24.57064Z",
			"updated_at": "2026-04-10T02:00:05.036609Z",
			"deleted_at": null,
			"main_name": "Smoky Spider",
			"aliases": [],
			"source_name": "ETDA:Smoky Spider",
			"tools": [
				"Dofoil",
				"Oficla",
				"Sasfis",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fdf30f70-537c-458d-82b2-54b4f09cea48",
			"created_at": "2023-01-06T13:46:39.119613Z",
			"updated_at": "2026-04-10T02:00:03.221272Z",
			"deleted_at": null,
			"main_name": "SMOKY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SMOKY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ccd0f6b5-6d20-4d28-9796-88ab6deb4087",
			"created_at": "2024-06-19T02:03:08.067518Z",
			"updated_at": "2026-04-10T02:00:03.671628Z",
			"deleted_at": null,
			"main_name": "GOLD HERON",
			"aliases": [
				"Doppel Spider "
			],
			"source_name": "Secureworks:GOLD HERON",
			"tools": [
				"Cobalt Strike",
				"DoppelPaymer",
				"Dridex",
				"Grief",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a0d0e1ef-3562-40a8-a021-321db92644d9",
			"created_at": "2023-01-06T13:46:39.104046Z",
			"updated_at": "2026-04-10T02:00:03.2146Z",
			"deleted_at": null,
			"main_name": "DOPPEL SPIDER",
			"aliases": [
				"GOLD HERON"
			],
			"source_name": "MISPGALAXY:DOPPEL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d555c5da-abe4-42aa-a8cf-77b68905891a",
			"created_at": "2022-10-25T16:07:23.548385Z",
			"updated_at": "2026-04-10T02:00:04.65211Z",
			"deleted_at": null,
			"main_name": "Doppel Spider",
			"aliases": [
				"Gold Heron",
				"Grief Group"
			],
			"source_name": "ETDA:Doppel Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DoppelPaymer",
				"Pay OR Grief",
				"Pay or Grief",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434613,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1dc82cab8b05b7694a9f8bba1cdad811fcc86a6.pdf",
		"text": "https://archive.orkl.eu/f1dc82cab8b05b7694a9f8bba1cdad811fcc86a6.txt",
		"img": "https://archive.orkl.eu/f1dc82cab8b05b7694a9f8bba1cdad811fcc86a6.jpg"
	}
}