Evil Corp

Threat Actor updated 4 months ago (2024-05-04T17:19:18.001Z)
Evil Corp is a Russia-based cybercrime group responsible for a long run of financially motivated intrusions. Its alleged leader, Maksim Yakubets, is most closely associated with the Dridex banking trojan operation. The U.S. Treasury sanctioned Evil Corp for this activity, designating eight individuals under E.O. 13694 for providing financial and material support to the group; the intent was to cut off its revenue and its reach in the cybercrime ecosystem.

Research by Mandiant and PRODAFT shows that Evil Corp has adapted its tradecraft to evade those sanctions rather than wind down. It has deployed LockBit ransomware and overlaps with other financially motivated clusters, most notably UNC2165, and it has been linked to e-crime groups such as FIN7 and Wizard Spider (the operators of TrickBot). Adopting LockBit, a ransomware-as-a-service payload shared by many unrelated affiliates, was most likely meant to hide the attacks' ties to a sanctioned Russian entity: a victim that can be shown to be paying a sanctioned group faces its own legal exposure, so blurring the attribution keeps victims willing to pay. Evil Corp has also been observed using Raspberry Robin, an initial-access vector widely traded among threat actors, which has contributed to major breaches across public and private sector organizations.

Despite the sanctions and the industry's efforts to disrupt it, Evil Corp continues to operate, routinely obscuring its involvement behind other groups' ransomware variants. That obfuscation, combined with the size of the ransomware economy, has allowed the group to keep amassing illicit revenue, estimated at around $450 million in ransomware payments in the first half of 2023 alone.
Description last updated: 2024-05-04T16:49:07.103Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile description

Socgholish (4): SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsof

Whisper Spider (2): Whisper Spider, also known as Silence, is a financially motivated threat actor that has been linked to multiple dangerous groups including Evil Corp. This entity has primarily targeted financial institutions in various countries such as Ukraine, Russia, Azerbaijan, Poland, and Kazakhstan. As a threa

Raspberry Robin (2): Raspberry Robin is a sophisticated piece of malware that uses a variety of tactics to infiltrate and exploit computer systems. It employs the CPUID instruction to conduct several checks, enabling it to assess the system's characteristics and vulnerabilities. Furthermore, Raspberry Robin has been obs

Unc2165 (2): UNC2165 is a financially motivated threat actor group that has been linked to multiple LockBit ransomware intrusions, as per research conducted by Mandiant. This group shares numerous overlaps with Evil Corp, another notorious cybercrime organization. The activity of UNC2165 has been tracked since t

FIN7 (2): FIN7, a prominent threat actor in the cybercrime landscape, has been noted for its malicious activities and innovative tactics. Known for their relentless attacks on large corporations, FIN7 recently targeted a significant U.S. carmaker with phishing attacks, demonstrating their continued evolution
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Cybercrime
Loader
Windows
Russia
Associated Malware
ID (relationship type, votes): Profile description

Lockbit (is related to, 4): LockBit is a malicious software, or malware, that has been notably active and damaging in the cyber world. Known for its ability to infiltrate systems often without detection, it can steal personal information, disrupt operations, and even hold data hostage for ransom. In the first half of 2024, Loc

Zeus (Unspecified, 2): Zeus is a notorious form of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates devices often without the user's knowledge via suspicious downloads, emails, or websites. Once embedded within a system, Zeus can steal personal information, disrupt operations

Dridex (Unspecified, 2): Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o

Truebot (Unspecified, 2): Truebot is a highly potent malware used by the threat actor group CL0P, which has been linked to various malicious activities aimed at exploiting and damaging computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded,

Gameover Zeus (Unspecified, 2): Gameover ZeuS, also known as P2P ZeuS, is a notorious piece of malware designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even
Associated Threat Actors
ID (relationship type, votes): Profile description

TA505 (Unspecified, 4): TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec

Indrik Spider (Unspecified, 2): Indrik Spider is a notable threat actor known for its cybercriminal activities, particularly in the realm of ransomware. In July 2017, the group entered the targeted ransomware sphere with BitPaymer, using file-sharing platforms to distribute the BitPaymer decryptor. This shift in operations saw Ind
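The profile above (the actor, its alias, and the malware and actor associations with their "is related to" / "Unspecified" link types) is exactly the data a portal like this one exports as STIX for ingestion into a threat intelligence platform. The following is an added example written for this page, not the portal's own export code and not anything from the research it summarises: it builds a STIX 2.1 bundle from the associations listed on this page using only the Python standard library, then checks the bundle for the defects that most often break ingestion (missing required properties, malformed ids, id prefix not matching the object type, dangling relationship references). The mapping of the page's link types to STIX relationship types ("uses" where the text says the group deployed the malware, "related-to" for the "Unspecified" links), the malware_types labels, the crime-syndicate actor type and the use of UUIDv5 for stable ids are all assumptions of this example rather than facts stated on the page.

```python
"""Model the Evil Corp profile on this page as a STIX 2.1 bundle and sanity-check it.

Added example for this page (standard library only), not the portal's STIX export.
Names, aliases and associations come from the profile text; the timestamp is the
profile's "Description last updated" value. Relationship types, malware_types
labels and the UUIDv5 id scheme are this example's assumptions.
"""
import json
import re
import uuid

# Namespace the STIX 2.1 spec recommends for deterministic (UUIDv5) identifiers.
STIX_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
PROFILE_TS = "2024-05-04T16:49:07.103Z"  # "Description last updated" on this page

ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
TS_RE = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?Z$")
COMMON = ("type", "spec_version", "id", "created", "modified")
REQUIRED = {  # type-specific required properties for the object types used here
    "threat-actor": ("name",),
    "malware": ("name", "is_family"),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}
# Assumed mapping of the page's associations: (STIX relationship type, malware_types label).
ASSOCIATIONS = {
    "Dridex": ("uses", "trojan"),
    "LockBit": ("uses", "ransomware"),
    "Raspberry Robin": ("uses", "worm"),
    "Zeus": ("related-to", "trojan"),          # "Unspecified" on the page
    "Gameover ZeuS": ("related-to", "trojan"),  # "Unspecified" on the page
    "Truebot": ("related-to", "downloader"),    # "Unspecified" on the page
}


def stix_id(stix_type, key):
    """Deterministic id: the same profile yields the same ids on every export."""
    return f"{stix_type}--{uuid.uuid5(STIX_NAMESPACE, f'{stix_type}:{key}')}"


def sdo(stix_type, name, **extra):
    """Minimal STIX Domain Object with the common properties filled in."""
    obj = {"type": stix_type, "spec_version": "2.1", "id": stix_id(stix_type, name.lower()),
           "created": PROFILE_TS, "modified": PROFILE_TS, "name": name}
    obj.update(extra)
    return obj


def relationship(rel_type, source, target):
    """STIX Relationship Object linking two SDOs by id."""
    key = f"{source['id']}|{rel_type}|{target['id']}"
    return {"type": "relationship", "spec_version": "2.1", "id": stix_id("relationship", key),
            "created": PROFILE_TS, "modified": PROFILE_TS, "relationship_type": rel_type,
            "source_ref": source["id"], "target_ref": target["id"]}


def build_bundle():
    actor = sdo("threat-actor", "Evil Corp", aliases=["Indrik Spider"],
                threat_actor_types=["crime-syndicate"],  # assumed open-vocabulary value
                description="Russia-based cybercrime group sanctioned by the U.S. Treasury.")
    objects = [actor]
    for name, (rel_type, malware_type) in ASSOCIATIONS.items():
        malware = sdo("malware", name, is_family=True, malware_types=[malware_type])
        objects += [malware, relationship(rel_type, actor, malware)]
    return {"type": "bundle", "id": stix_id("bundle", "evil-corp-profile"), "objects": objects}


def check_bundle(bundle):
    """Return a list of problems a TIP importer would reject on; empty means clean."""
    problems, seen = [], {}
    for obj in bundle.get("objects", []):
        oid, otype = obj.get("id", "<missing id>"), obj.get("type")
        if not ID_RE.match(oid):
            problems.append(f"bad id format: {oid}")
        elif oid.split("--")[0] != otype:
            problems.append(f"{oid}: id prefix does not match type {otype}")
        if oid in seen:
            problems.append(f"duplicate id: {oid}")
        seen[oid] = obj
        for prop in COMMON + REQUIRED.get(otype, ()):
            if prop not in obj:
                problems.append(f"{oid}: missing required property {prop}")
        for prop in ("created", "modified"):
            if prop in obj and not TS_RE.match(str(obj[prop])):
                problems.append(f"{oid}: {prop} is not an RFC 3339 UTC timestamp")
    for obj in bundle.get("objects", []):  # second pass: every ref must resolve in-bundle
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if ref in obj and obj[ref] not in seen:
                    problems.append(f"{obj.get('id')}: dangling {ref} {obj[ref]}")
    return problems


def malware_linked_to(bundle, actor_name, rel_types=("uses", "related-to")):
    """Names of malware the named actor points at via the given relationship types."""
    objs = {o["id"]: o for o in bundle["objects"]}
    actor_ids = {o["id"] for o in objs.values()
                 if o["type"] == "threat-actor" and o.get("name") == actor_name}
    names = {objs[r["target_ref"]]["name"] for r in objs.values()
             if r["type"] == "relationship" and r["relationship_type"] in rel_types
             and r["source_ref"] in actor_ids
             and objs.get(r["target_ref"], {}).get("type") == "malware"}
    return sorted(names)


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2)[:300], "...")
    print("problems:", check_bundle(bundle) or "none")
    print("uses:", malware_linked_to(bundle, "Evil Corp", ("uses",)))
```

The checker is deliberately stricter than a JSON parse: a dangling source_ref or a malware object without is_family passes json.loads without complaint but is rejected by a STIX 2.1 validator and by most TIP importers, and a bundle that fails silently on import is how an association like "Evil Corp uses LockBit" quietly never reaches the analysts who need it.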
Source Document References
Information about the Evil Corp threat actor was read from the documents corpus below (display limited to 20 results).
Source (created): Title

DARKReading (a month ago): Ransomware Gangs Exploit ESXi Bug for Instant, Mass Encryption of VMs
CERT-EU (6 months ago): Authorities Claim LockBit Admin "LockBitSupp" Has Engaged with Law Enforcement | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU (7 months ago): LockBit Group Prepared New Crypto-Locker Before Takedown | #ransomware | #cybercrime | National Cyber Security Consulting
BankInfoSecurity (7 months ago): LockBit Group Prepared New Crypto-Locker Before Takedown
CERT-EU (7 months ago): Authorities disrupt Lockbit ransomware, indict two RaaS affiliates | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
DARKReading (7 months ago): Raspberry Robin Jumps on 1-Day Bugs to Nest Deep in Windows Networks
CERT-EU (8 months ago): Ransomware is coming for the automotive industry: David Booth | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (8 months ago): How ransomware could cripple countries, not just companies | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (8 months ago): How ransomware could cripple countries, not just companies
CERT-EU (8 months ago): How Machine Learning Is Revolutionizing Cybersecurity | by dparente | Daniel Parente | Dec, 2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (8 months ago): One paid out, one did not • The Register | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (9 months ago): Behind the Scenes of Matveev's Ransomware Empire: Tactics and Team
CERT-EU (10 months ago): Ransomware hits Infosys, Ace Hardware and Henry Schein - Cybersecurity Insiders
CERT-EU (a year ago): LockBit says CDW data will be leaked after talks break down
CERT-EU (a year ago): US and UK sanction 11 TrickBot and Conti cybercrime gang members
CERT-EU (a year ago): Top 3 Malware Loaders of 2023 that Fueling 80% of Cyber Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (a year ago): 3 Malware Loaders Detected in 80% of Attacks: Security Firm
CERT-EU (a year ago): Three malware loaders behind 80% of intrusions, researchers find
InfoSecurity-magazine (a year ago): Four in Five Cyber-Attacks Powered by Just Three Malware Loaders
CERT-EU (a year ago): These 3 loaders were behind 80% of intrusions this year