Evil Corp

Threat Actor updated a month ago (2024-11-29T14:05:03.129Z)
Download STIX
Preview STIX
Evil Corp, a threat actor based in Russia, has been identified as a significant cybersecurity threat due to its involvement in various malicious activities, including the deployment of Dridex malware. The group is led by Maksim Yakubets and has been sanctioned by the Treasury Department for its cybercriminal activities. Research by Mandiant has linked Evil Corp to multiple LockBit ransomware intrusions, attributing these attacks to UNC2165, a financially motivated threat actor group with numerous overlaps with Evil Corp. Eight individuals have been designated under E.O. 13694 for providing financial and material assistance to the group. The activities of Evil Corp catalyzed a multiyear, international effort aimed at disrupting the ransomware underground during the early days of the Biden administration. This effort included the seizure of 35 LockBit servers in February, which was part of a wider crackdown on the ransomware ecosystem. The U.K. government also sanctioned 16 individuals who were part of Evil Corp, describing the group as a Russian state proxy. These actions have resulted in several arrests, indictments, sanctions, and server takedowns targeting the Russian cybercriminal underground. The National Crime Agency (NCA) in the U.K. has detailed Evil Corp's work as a Russian state proxy, including hacking members of NATO for Russian intelligence. Earlier this month, the U.K., U.S., and Australia imposed sanctions on seven individuals for their membership in Evil Corp, which has links to the Russian Federal Security Service. International law enforcement agencies have made significant strides against Russian cybercrime, targeting notorious groups like Evil Corp and LockBit, and revealing deep ties to Russian intelligence. This has resulted in key arrests and sanctions, demonstrating progress in the global fight against cybercrime.
Description last updated: 2024-10-17T11:41:02.363Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Socgholish is a possible alias for Evil Corp. SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsof
4
Unc2165 is a possible alias for Evil Corp. UNC2165, a threat actor group with financial motivations, has been identified as the force behind multiple LockBit ransomware intrusions. This group shares several characteristics with another publically known group, Evil Corp. Research conducted by Mandiant reveals that UNC2165 has been shifting it
3
Whisper Spider is a possible alias for Evil Corp. Whisper Spider, also known as Silence, is a financially motivated threat actor that has been linked to multiple dangerous groups including Evil Corp. This entity has primarily targeted financial institutions in various countries such as Ukraine, Russia, Azerbaijan, Poland, and Kazakhstan. As a threa
2
Raspberry Robin is a possible alias for Evil Corp. Raspberry Robin is a sophisticated malware that uses advanced techniques to infiltrate and exploit computer systems. The malicious software is designed to stealthily enter a system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can wreak havoc by st
2
FIN7 is a possible alias for Evil Corp. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Cybercrime
Russia
Malware
Ransom
Loader
Windows
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lockbit Malware is associated with Evil Corp. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers oris related to
7
The Dridex Malware is associated with Evil Corp. Dridex is a notorious malware, specifically a banking Trojan, designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software was primarily used by the Russian cybercriminal group, Evil Corp, founded in 2014. The group taUnspecified
5
The Zeus Malware is associated with Evil Corp. Zeus is a notorious malware, short for malicious software, designed to exploit and damage computer systems. It is often spread through suspicious downloads, emails, or websites and can infiltrate systems without the user's knowledge. Once inside, it can steal personal information, disrupt operationsUnspecified
3
The WastedLocker Malware is associated with Evil Corp. WastedLocker is a sophisticated malware developed by the Evil Corp Group, a notorious cybercriminal organization. This malware is a form of ransomware that targets both Windows and Android devices, encrypting users' data and demanding a ransom for its release. Originating in 2020, WastedLocker utiliUnspecified
3
The BitPaymer Malware is associated with Evil Corp. BitPaymer is a type of malware, specifically ransomware, that was operated by the cybercriminal group known as GOLD DRAKE. It is designed to infiltrate systems and encrypt data, holding it hostage until a ransom is paid. This malicious software became prominent in conjunction with the rise of RansomUnspecified
3
The Gameover Zeus Malware is associated with Evil Corp. GameOver Zeus is a variant of the ZeuS malware, used by malicious actors to steal banking credentials and distribute other types of malware, including ransomware such as Cryptolocker. It operated as a banking Trojan, infecting systems and stealing sensitive information. The botnet was closely associUnspecified
2
The Truebot Malware is associated with Evil Corp. Truebot is a malicious software (malware) utilized by the CL0P actors, designed to exploit and damage computer systems. This malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Truebot serves multiple purposes: it can dowUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The TA505 Threat Actor is associated with Evil Corp. TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. CybersecUnspecified
4
The Indrik Spider Threat Actor is associated with Evil Corp. Indrik Spider is a notable threat actor known for its cybercriminal activities, particularly in the realm of ransomware. In July 2017, the group entered the targeted ransomware sphere with BitPaymer, using file-sharing platforms to distribute the BitPaymer decryptor. This shift in operations saw IndUnspecified
2
Source Document References
Information about the Evil Corp Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
BankInfoSecurity
2 months ago
BankInfoSecurity
3 months ago
BankInfoSecurity
3 months ago
BankInfoSecurity
3 months ago
BankInfoSecurity
3 months ago
BankInfoSecurity
3 months ago
InfoSecurity-magazine
3 months ago
DARKReading
3 months ago
BankInfoSecurity
3 months ago
BankInfoSecurity
3 months ago
BankInfoSecurity
3 months ago
BankInfoSecurity
3 months ago
Securityaffairs
3 months ago
DARKReading
3 months ago
InfoSecurity-magazine
3 months ago
BankInfoSecurity
3 months ago
DARKReading
5 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
BankInfoSecurity
10 months ago