Evil Corp

Threat Actor updated a month ago (2024-10-17T12:01:04.529Z)

Download STIX

Preview STIX

Evil Corp, a threat actor based in Russia, has been identified as a significant cybersecurity threat due to its involvement in various malicious activities, including the deployment of Dridex malware. The group is led by Maksim Yakubets and has been sanctioned by the Treasury Department for its cybercriminal activities. Research by Mandiant has linked Evil Corp to multiple LockBit ransomware intrusions, attributing these attacks to UNC2165, a financially motivated threat actor group with numerous overlaps with Evil Corp. Eight individuals have been designated under E.O. 13694 for providing financial and material assistance to the group. The activities of Evil Corp catalyzed a multiyear, international effort aimed at disrupting the ransomware underground during the early days of the Biden administration. This effort included the seizure of 35 LockBit servers in February, which was part of a wider crackdown on the ransomware ecosystem. The U.K. government also sanctioned 16 individuals who were part of Evil Corp, describing the group as a Russian state proxy. These actions have resulted in several arrests, indictments, sanctions, and server takedowns targeting the Russian cybercriminal underground. The National Crime Agency (NCA) in the U.K. has detailed Evil Corp's work as a Russian state proxy, including hacking members of NATO for Russian intelligence. Earlier this month, the U.K., U.S., and Australia imposed sanctions on seven individuals for their membership in Evil Corp, which has links to the Russian Federal Security Service. International law enforcement agencies have made significant strides against Russian cybercrime, targeting notorious groups like Evil Corp and LockBit, and revealing deep ties to Russian intelligence. This has resulted in key arrests and sanctions, demonstrating progress in the global fight against cybercrime.

Description last updated: 2024-10-17T11:41:02.363Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Socgholish is a possible alias for Evil Corp. SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsof	4
Unc2165 is a possible alias for Evil Corp. UNC2165, a threat actor group with financial motivations, has been identified as the force behind multiple LockBit ransomware intrusions. This group shares several characteristics with another publically known group, Evil Corp. Research conducted by Mandiant reveals that UNC2165 has been shifting it	3
Whisper Spider is a possible alias for Evil Corp. Whisper Spider, also known as Silence, is a financially motivated threat actor that has been linked to multiple dangerous groups including Evil Corp. This entity has primarily targeted financial institutions in various countries such as Ukraine, Russia, Azerbaijan, Poland, and Kazakhstan. As a threa	2
Raspberry Robin is a possible alias for Evil Corp. Raspberry Robin is a sophisticated malware that uses advanced techniques to infiltrate and exploit computer systems. The malicious software is designed to stealthily enter a system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can wreak havoc by st	2
FIN7 is a possible alias for Evil Corp. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Cybercrime

Russia

Malware

Ransom

Loader

Windows

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Lockbit Malware is associated with Evil Corp. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit	is related to	7
The Dridex Malware is associated with Evil Corp. Dridex is a notorious malware, specifically a banking Trojan, designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software was primarily used by the Russian cybercriminal group, Evil Corp, founded in 2014. The group ta	Unspecified	5
The Zeus Malware is associated with Evil Corp. Zeus is a notorious malware, short for malicious software, designed to exploit and damage computer systems. It is often spread through suspicious downloads, emails, or websites and can infiltrate systems without the user's knowledge. Once inside, it can steal personal information, disrupt operations	Unspecified	3
The WastedLocker Malware is associated with Evil Corp. WastedLocker is a sophisticated malware developed by the Evil Corp Group, a notorious cybercriminal organization. This malware is a form of ransomware that targets both Windows and Android devices, encrypting users' data and demanding a ransom for its release. Originating in 2020, WastedLocker utili	Unspecified	3
The BitPaymer Malware is associated with Evil Corp. BitPaymer is a type of malware, specifically ransomware, that was operated by the cybercriminal group known as GOLD DRAKE. It is designed to infiltrate systems and encrypt data, holding it hostage until a ransom is paid. This malicious software became prominent in conjunction with the rise of Ransom	Unspecified	3
The Gameover Zeus Malware is associated with Evil Corp. GameOver Zeus is a variant of the ZeuS malware, used by malicious actors to steal banking credentials and distribute other types of malware, including ransomware such as Cryptolocker. It operated as a banking Trojan, infecting systems and stealing sensitive information. The botnet was closely associ	Unspecified	2
The Truebot Malware is associated with Evil Corp. Truebot is a malicious software (malware) utilized by the CL0P actors, designed to exploit and damage computer systems. This malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Truebot serves multiple purposes: it can dow	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The TA505 Threat Actor is associated with Evil Corp. TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec	Unspecified	4
The Indrik Spider Threat Actor is associated with Evil Corp. Indrik Spider is a notable threat actor known for its cybercriminal activities, particularly in the realm of ransomware. In July 2017, the group entered the targeted ransomware sphere with BitPaymer, using file-sharing platforms to distribute the BitPaymer decryptor. This shift in operations saw Ind	Unspecified	2

Source Document References

Information about the Evil Corp Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
BankInfoSecurity	a month ago	Oil and Gas Firms Aware of Cyber Risks
BankInfoSecurity	a month ago	Operation Cronos Is Disrupting LockBit, Says UK Official
BankInfoSecurity	a month ago	UK to Continue Disruptive Actions Targeting Cybercrime
BankInfoSecurity	a month ago	MI5 Chief Warns of Cyberthreats to the UK
BankInfoSecurity	a month ago	EU Strengthens Sanctions Against Russian Hackers
BankInfoSecurity	2 months ago	ISMG Editors: Russian Cybercrime Syndicates Under Siege
InfoSecurity-magazine	2 months ago	Microsoft and US Government Disrupt Russian Star Blizzard Operations
DARKReading	2 months ago	Near-'perfctl' Fileless Malware Targets Millions of Linux Servers
BankInfoSecurity	2 months ago	US DOJ Unveils New Strategic Approach to Counter Cybercrime
BankInfoSecurity	2 months ago	Global Governments Release New Ransomware Response Guidance
BankInfoSecurity	2 months ago	Cybercrime is Still Evil Incorporated, But Disruptions Help
BankInfoSecurity	2 months ago	Hawaii Clinic Notifies 124,000 of Hack Credited to Lockbit
Securityaffairs	2 months ago	Police arrested four new individuals linked to the LockBit ransomware operation
DARKReading	2 months ago	LockBit Associates Arrested, Evil Corp Bigwig Outed
InfoSecurity-magazine	2 months ago	Evil Corp's LockBit Ties Exposed in Latest Phase of Operation Cronos
BankInfoSecurity	2 months ago	LockBit and Evil Corp Targeted In Anti-Ransomware Crackdown
DARKReading	4 months ago	Ransomware Gangs Exploit ESXi Bug for Instant, Mass Encryption of VMs
CERT-EU	9 months ago	Authorities Claim LockBit Admin "LockBitSupp" Has Engaged with Law Enforcement \| #cybercrime \| #infosec \| National Cyber Security Consulting
CERT-EU	9 months ago	LockBit Group Prepared New Crypto-Locker Before Takedown \| #ransomware \| #cybercrime \| National Cyber Security Consulting
BankInfoSecurity	9 months ago	LockBit Group Prepared New Crypto-Locker Before Takedown