{ "id": "6668a44e-1c97-4730-9090-bf113e6f39e4", "created_at": "2026-04-06T00:08:12.415768Z", "updated_at": "2026-04-10T03:35:34.611865Z", "deleted_at": null, "sha1_hash": "f4642df5608f77c6200a12a02841752108eed9d5", "title": "Riddle Spider - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 59211, "plain_text": "Riddle Spider - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 12:42:33 UTC\nHome \u003e List all groups \u003e Riddle Spider\n APT group: Riddle Spider\nNames\nRiddle Spider (CrowdStrike)\nAvaddon Team (self given)\nCountry [Unknown]\nMotivation Financial gain\nFirst seen 2020\nDescription\n(Cornell University) The commoditization of Malware-as-a-Service (MaaS) allows\ncriminals to obtain financial benefits at a low risk and with little technical\nbackground. One such popular product in the underground economy is ransomware.\nIn ransomware attacks, data from infected systems is held hostage (encrypted) until\na fee is paid to the criminals. This modus operandi disrupts legitimate businesses,\nwhich may become unavailable until the data is restored. A recent blackmailing\nstrategy adopted by criminals is to leak data online from the infected systems if the\nransom is not paid. Besides reputational damage, data leakage might produce further\neconomical losses due to fines imposed by data protection laws. Thus, research on\nprevention and recovery measures to mitigate the impact of such attacks is needed to\nadapt existing countermeasures to new strains.\nObserved\nCountries: Australia, Belgium, Brazil, Canada, China, Costa Rica, Czech, France,\nGermany, India, Indonesia, Italy, Japan, Jordan, Peru, Poland, Portugal, Russia,\nSouth Korea, Spain, Switzerland, Thailand, UAE, UK, USA and Worldwide.\nTools used Avaddon.\nOperations performed\nJun 2020\nNew Avaddon Ransomware launches in massive smiley spam\ncampaign\nJul 2020\nAvaddon ransomware shows that Excel 4.0 macros are still effective\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b41f0843-fe80-4005-bb32-38336f92b80a\nPage 1 of 2\n\nAug 2020\nAvaddon ransomware launches data leak site to extort victims\nJan 2021\nAnother ransomware now uses DDoS attacks to force victims to pay\nFeb 2021\nAvaddon ransomware fixes flaw allowing free decryption\nApr 2021\nCyber-attackers hold PN to ransom with major data leak threat\nMay 2021\nInsurer AXA hit by ransomware after dropping support for ransom\npayments\nJun 2021\nAvaddon ransomware shuts down and releases decryption keys\nInformation Last change to this card: 15 June 2021\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b41f0843-fe80-4005-bb32-38336f92b80a\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b41f0843-fe80-4005-bb32-38336f92b80a\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b41f0843-fe80-4005-bb32-38336f92b80a" ], "report_names": [ "showcard.cgi?u=b41f0843-fe80-4005-bb32-38336f92b80a" ], "threat_actors": [ { "id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998", "created_at": "2023-01-06T13:46:39.207556Z", "updated_at": "2026-04-10T02:00:03.246557Z", "deleted_at": null, "main_name": "RIDDLE SPIDER", "aliases": [], "source_name": "MISPGALAXY:RIDDLE SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c", "created_at": "2022-10-25T16:07:24.12696Z", "updated_at": "2026-04-10T02:00:04.875073Z", "deleted_at": null, "main_name": "Riddle Spider", "aliases": [ "Avaddon Team" ], "source_name": "ETDA:Riddle Spider", "tools": [ "Avaddon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434092, "ts_updated_at": 1775792134, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f4642df5608f77c6200a12a02841752108eed9d5.pdf", "text": "https://archive.orkl.eu/f4642df5608f77c6200a12a02841752108eed9d5.txt", "img": "https://archive.orkl.eu/f4642df5608f77c6200a12a02841752108eed9d5.jpg" } }