{
	"id": "508aafa8-5332-4081-a5f1-68594cf9975b",
	"created_at": "2026-04-06T00:20:52.535241Z",
	"updated_at": "2026-04-10T13:11:19.344629Z",
	"deleted_at": null,
	"sha1_hash": "f4fe12869563eef8eb1af126e3c52140ffea4f7a",
	"title": "PINCHY SPIDER Adopts “Big Game Hunting” to Distribute GandCrab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60984,
	"plain_text": "PINCHY SPIDER Adopts “Big Game Hunting” to Distribute\r\nGandCrab\r\nBy brendon.bex.sergei\r\nArchived: 2026-04-02 11:23:31 UTC\r\nCrowdStrike® Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in\r\nenterprise environments, using lateral movement techniques and tooling commonly associated with nation-state\r\nadversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates\r\nthe latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware\r\ndeployments known as “big game hunting.” PINCHY SPIDER is the criminal group behind the development of\r\nthe ransomware most commonly known as GandCrab, which has been active since January 2018. PINCHY\r\nSPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of\r\naccounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among\r\neCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.\r\nGandCrab: Highly Developed and Prevalent\r\nGandCrab has established itself as one of the most developed and prevalent ransomware families on the market.\r\nDevelopment of the ransomware itself has been driven, in part, by PINCHY SPIDER’s interactions with the\r\ncybersecurity research community. GandCrab contains multiple references to members of the research community\r\nwho are both publicly active on social media and have reported on the ransomware. The main catalyst for\r\ndedicated development by PINCHY SPIDER, however, has been an ongoing battle with cybersecurity providers\r\nthat are actively developing GandCrab mitigations and decryptors. 
PINCHY SPIDER has responded by deploying\r\nfixes and even developed a zero-day exploit aimed at customers of one of those providers.\r\nPINCHY SPIDER Advertises for Affiliates\r\nPINCHY SPIDER has continued to promote the success of its ransomware in criminal forum posts, often boasting\r\nabout public reporting of GandCrab incidents. In February, PINCHY SPIDER released version 5.2 of GandCrab,\r\nwhich is immune to the decryption tools developed for earlier versions of GandCrab and, in fact, was deployed the\r\nday before the release of the latest decryptor. Recently, PINCHY SPIDER has also been observed advertising for\r\nindividuals with remote desktop protocol (RDP) and VNC (Virtual Network Computing) skills, and spammers\r\nwho have experience in corporate networking.\r\nGandCrab Identified by CrowdStrike Intel\r\nCrowdStrike Intelligence first identified new GandCrab ransomware deployment tactics in mid-February, when a\r\nthreat actor was observed performing actions on a victim host in order to install GandCrab. Though initially\r\nunsuccessful, the threat actor returned later to perform further reconnaissance on the victim network. The\r\nfollowing day, the threat actor returned a third time and manually removed security software from the host that\r\nhttps://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/\r\nPage 1 of 4\n\nwas preventing the installation of GandCrab. Using RDP and stolen credentials from the initially compromised\r\nhost, the threat actor then proceeded to move laterally around the victim network and was able to deploy\r\nGandCrab across several other hosts. Throughout the reconnaissance process, the threat actor used system\r\nadministration tools such as Sysinternals Process Monitor, Process Hacker, and a file search tool called LAN\r\nSearch Pro to assist with the collection of information from the hosts. 
Details of the affiliates, and GandCrab\r\nversions observed adopting these tactics, can be seen in Table 1.\r\nAffiliate ID | Sub-group ID | GandCrab Version\r\n23 | 23 | 5.2\r\n110 | 1276 | 5.1\r\nTable 1. GandCrab Affiliates Observed Adopting Big Game Hunting Tactics\r\nDomain Controller Access Observed\r\nNear the end of February, CrowdStrike Intelligence observed another incident in which similar manual lateral\r\nmovement techniques were used to deploy GandCrab across multiple hosts in an enterprise. This incident began\r\nwith a compromise that resulted in the threat actor gaining control of the enterprise domain controller. Once\r\ndomain controller access was acquired, the threat actor used the enterprise’s own IT systems management\r\nsoftware, LANDesk, to deploy a loader to hosts across the enterprise. This loader, known as Phorpiex\r\nDownloader, is not specifically tied to GandCrab or PINCHY SPIDER, and it has previously been observed\r\ndropping other malware, such as Smoke Bot, Azorult, and XMRig. In this instance, Phorpiex served two main\r\npurposes for the threat actor. First, it spread itself to all removable drives on the infected hosts in order to further\r\npropagate throughout the network. Second, it downloaded and executed GandCrab on the infected hosts.\r\nExpanding to Adopt “Big Game Hunting” Tactics\r\nThe change in deployment tactics observed in these recent incidents, coupled with PINCHY SPIDER’s advertising\r\nfor individuals with skills in RDP/VNC and experience in corporate networking, suggests PINCHY SPIDER and\r\nits affiliates are expanding to adopt big game hunting tactics. The one difference in the tactics adopted by\r\nPINCHY SPIDER, versus most other adversaries who practice big game hunting, is the monetization model.\r\nTypically, a single payment would be requested to unlock the whole enterprise, as has been observed in INDRIK\r\nSPIDER and GRIM SPIDER intrusions. 
However, PINCHY SPIDER is encrypting individual hosts on the\r\nenterprise network and requesting payment on a per-host basis. It should be noted that PINCHY SPIDER is not\r\ncompletely alone in this strategy. BOSS SPIDER used both enterprise and per-host pricing during their\r\ncampaigns. As reported in the CrowdStrike 2018 Global Threat Report, big game hunting was a trend that helped\r\ndefine the criminal threat landscape in 2018. This latest activity underscores the fact that additional eCrime\r\nadversaries are aspiring to adopt this operational model. Both INDRIK SPIDER (with BitPaymer ransomware)\r\nand GRIM SPIDER (with Ryuk ransomware) have made headlines with their high-profile victims and ransom\r\nprofits, demonstrating that big game hunting is a lucrative enterprise. Running successful big game hunting\r\noperations results in a higher average profit per victim, allowing adversaries like PINCHY SPIDER and their\r\npartners to increase their criminal revenue quickly.\r\nRelated Indicators of Compromise\r\nIOCs\r\nPhorpiex Loader SHA256\r\n5a1ab27b99f3fe6cbe825f2743c77347a7339783f8a22d99a54be2d07b94c1a8\r\nTable 2. Phorpiex IOCs Associated with Observed Activity\r\nIOCs\r\nGandCrab v5.1 SHA256\r\n0741e7c0b02f6ef0b28d00a7467bf91edb0cb0f6f20dc1fbed76119c7ae79b4f\r\nTable 3. GandCrab v5.1 IOCs Associated with Observed Activity\r\nIOCs\r\nGandCrab v5.2 SHA256\r\n329b3ddbf1c00b7767f0ec39b90eb9f4f8bd98ace60e2f6b6fbfb9adf25e3ef9\r\nbd16b703cd20e622e3e70e71bb4c68d1d1a3e14462f4b09978bbbb14e41625dc\r\nd7ffa0d8566702474790d7cbbbf9d51e9937d82582f82e1a00ddb1c489700d62\r\nd860bdf0d56a66f0e1b502067d07bdb595f60ef8c43de6b9caf5492a429426d6\r\nf70d73b6c3f61f412567bf74d4f1fba052ddccf0f8b2e61a6c69de9c8c5e6ec1\r\nfb136c8360d1a5ab80f61109c55c5a788aa1d8796d1e75aca8c1a762b598d3f4\r\nTable 4. 
GandCrab v5.2 IOCs Associated with Observed Activity\r\nAdditional Resources\r\nFor more information on how to incorporate intelligence on dangerous threat actors into your security\r\nstrategy, please visit the Falcon Threat Intelligence product page.\r\nDownload the CrowdStrike 2020 Global Threat Report.\r\nRead Stories from the front lines of incident response and get insights that can help inform your security\r\nstrategy in the CrowdStrike Services Cyber Intrusion Casebook.\r\nTest CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.\r\nSource: https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/"
	],
	"report_names": [
		"pinchy-spider-adopts-big-game-hunting"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8492b1a0-126f-4113-b8f7-101d28559629",
			"created_at": "2023-01-06T13:46:38.864213Z",
			"updated_at": "2026-04-10T02:00:03.126178Z",
			"deleted_at": null,
			"main_name": "GRIM SPIDER",
			"aliases": [
				"GOLD ULRICK"
			],
			"source_name": "MISPGALAXY:GRIM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4116df25-aff6-46ee-a5dd-926254a78e89",
			"created_at": "2023-01-06T13:46:38.894033Z",
			"updated_at": "2026-04-10T02:00:03.137353Z",
			"deleted_at": null,
			"main_name": "BOSS SPIDER",
			"aliases": [
				"GOLD LOWELL"
			],
			"source_name": "MISPGALAXY:BOSS SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1b20199b-07ae-42f1-ad22-bbe2dd471df8",
			"created_at": "2024-06-04T02:03:07.872554Z",
			"updated_at": "2026-04-10T02:00:03.613698Z",
			"deleted_at": null,
			"main_name": "GOLD LOWELL",
			"aliases": [
				"Boss Spider ",
				"CTG-0007 "
			],
			"source_name": "Secureworks:GOLD LOWELL",
			"tools": [
				"Samas"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d706edf6-cb86-4611-99e1-4b464e9dc5b9",
			"created_at": "2023-01-06T13:46:38.839083Z",
			"updated_at": "2026-04-10T02:00:03.117987Z",
			"deleted_at": null,
			"main_name": "INDRIK SPIDER",
			"aliases": [
				"Manatee Tempest"
			],
			"source_name": "MISPGALAXY:INDRIK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb8697fd-882a-4323-9eb8-8e20222cfd91",
			"created_at": "2022-10-25T16:07:23.416834Z",
			"updated_at": "2026-04-10T02:00:04.589943Z",
			"deleted_at": null,
			"main_name": "Boss Spider",
			"aliases": [
				"Boss Spider",
				"CTG-0007",
				"Gold Lowell"
			],
			"source_name": "ETDA:Boss Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"SDelete",
				"SamSam",
				"Samas"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434852,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4fe12869563eef8eb1af126e3c52140ffea4f7a.pdf",
		"text": "https://archive.orkl.eu/f4fe12869563eef8eb1af126e3c52140ffea4f7a.txt",
		"img": "https://archive.orkl.eu/f4fe12869563eef8eb1af126e3c52140ffea4f7a.jpg"
	}
}