Hades

Threat Actor updated 4 months ago (2024-05-04T19:18:00.502Z)
Hades is a ransomware threat actor whose distinctive tactics and infrastructure were first publicly documented in June 2021. Its intrusions rely on tools such as Advanced Port Scanner, MegaSync, Rclone, and Cobalt Strike Malleable C2 profiles, a toolset that has also appeared in Snatch, Pysa, Nefilim, REvil, Egregor, Darkside, and Defray ransomware incidents. One technique that sets Hades apart from other ransomware operators is the use of MSBuild to execute a Metasploit payload carried in a file disguised as a ".proj" project file, an uncommon execution method that is worth its own detection coverage. The Hades ransomware itself is a variant of WastedLocker.

In one of the most significant incidents attributed to the group, a U.S. insurance provider reportedly paid $40 million in late March 2021 to regain access to its network following a ransomware attack. The ransomware variant deployed in that incident was operated by GOLD WINTER, the Secureworks designation for the Hades operators, so the incident is a direct measure of the financial impact of this group's operations rather than evidence of a separate partnership.

Separately, the name Hades is also used by some vendors for a cluster overlapping with Sandworm, and the SwiftSlicer wiper attributed to Sandworm in January 2023 has been associated with that name. This most likely reflects a naming collision between two distinct clusters rather than a link between the ransomware operators and Sandworm; when pivoting on the name, treat the two as separate actors and check which vendor's naming scheme a given report is using. As the cybersecurity landscape continues to evolve, understanding and tracking the activities of threat actors like Hades remains crucial for organizations worldwide.
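As an added illustration of how a defender might operationalize the two behaviours described above, MSBuild executing a planted project file and exfiltration-capable sync tools (Rclone, MegaSync) running on endpoints, the following detection logic is example code written for this page; it is not Secureworks' or any other vendor's detection content. It assumes process-creation telemetry with Sysmon Event ID 1-style fields (Image, CommandLine, ParentImage, User); the hostnames, paths, and user names in the sample events are constructed for illustration.

```python
"""Added detection example (not from the original page or any vendor report).
Two heuristics for tradecraft described in the Hades profile:
  1. MSBuild executing a project file from a location a normal user can write to
     (attackers abuse MSBuild inline tasks to compile and run code from a .proj).
  2. Exfiltration-capable tools (Rclone, MegaSync) executing on endpoints.
Events are constructed in the shape of Sysmon Event ID 1 (process creation)
fields; they are not real telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str          # full path of the created process
    command_line: str
    parent_image: str
    user: str


# Constructed sample events (hostnames, paths and users are made up).
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\jsmith\AppData\Local\Temp\update.proj",
              r"C:\Windows\System32\cmd.exe", r"CORP\jsmith"),
    ProcEvent("build01", r"C:\Program Files\Microsoft Visual Studio\2022\Professional\MSBuild\Current\Bin\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.csproj /t:Build",
              r"C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\devenv.exe", r"CORP\builder"),
    ProcEvent("fs02", r"C:\ProgramData\rclone\rclone.exe",
              r"rclone.exe copy D:\Finance mega:backup --transfers 16",
              r"C:\Windows\System32\cmd.exe", r"CORP\svc_backup"),
    ProcEvent("ws03", r"C:\Users\alee\AppData\Local\MEGAsync\MEGAsync.exe",
              r'"C:\Users\alee\AppData\Local\MEGAsync\MEGAsync.exe"',
              r"C:\Windows\explorer.exe", r"CORP\alee"),
    ProcEvent("ws04", r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe", r"CORP\bob"),
]

PROJECT_EXTS = (".proj", ".csproj", ".vbproj", ".vcxproj", ".targets")
# Locations an unprivileged user can write to; a real build tree normally is not one.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)|users\\public"
    r"|windows\\temp|programdata)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "megasyncsetup.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def tokens(command_line):
    # Windows-style split: a quoted argument is one token, quotes stripped.
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', command_line)]


def detect_msbuild_proxy(ev):
    """Flag MSBuild running a project file that sits in a user-writable path."""
    if basename(ev.image) != "msbuild.exe":
        return None
    reasons = []
    for arg in tokens(ev.command_line):
        if arg.lower().endswith(PROJECT_EXTS) and USER_WRITABLE.search(arg):
            reasons.append("project file in user-writable path: " + arg)
    if not reasons:
        return None
    parent = basename(ev.parent_image)
    if parent in SCRIPT_HOSTS:          # extra context, not a requirement
        reasons.append("spawned by script host: " + parent)
    return {"rule": "msbuild_proxy_execution", "host": ev.host,
            "image": ev.image, "user": ev.user, "reasons": reasons}


def detect_exfil_tool(ev):
    """Flag exfiltration-capable sync/copy tools; an rclone remote name on the
    command line (e.g. 'mega:') tells the analyst where the data is going."""
    name = basename(ev.image)
    if name not in EXFIL_TOOLS:
        return None
    reasons = ["exfiltration-capable tool executed: " + name]
    remote = re.search(r"(?<!\S)([A-Za-z0-9_-]{2,}):", ev.command_line)
    if remote:
        reasons.append("remote referenced on command line: " + remote.group(1))
    if not ev.image.lower().startswith("c:\\program files"):
        reasons.append("binary outside Program Files: " + ev.image)
    return {"rule": "exfil_tool_execution", "host": ev.host,
            "image": ev.image, "user": ev.user, "reasons": reasons}


RULES = (detect_msbuild_proxy, detect_exfil_tool)


def analyze(events):
    """Run every rule over every event; returns findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']} {f['user']}: " + "; ".join(f["reasons"]))
```

The build-server event (build01) is deliberately not flagged: MSBuild invoked on a project under a source tree is normal, and keying only on the MSBuild image name would drown the signal in developer noise. The path-based condition is what makes the rule usable; tune USER_WRITABLE to your environment's build locations before deploying it.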
Description last updated: 2024-05-04T19:15:40.740Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description

Sandworm (2 votes)
Sandworm, a Russia-linked threat actor group, has been implicated in a series of significant cyber-attacks targeting Ukraine's infrastructure. The group successfully compromised 11 Ukrainian telecommunication providers, demonstrating their extensive capabilities and the broad reach of their operatio
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Wiper
Associated Malware
ID / Type / Votes / Profile Description

Hades Ransomware (type unspecified, 2 votes)
Hades ransomware is a variant of the WastedLocker malware, which is designed to exploit and damage computers or devices. It was observed by CTU researchers being used in conjunction with Advanced Port Scanner, MegaSync, and Malleable C2 tools in various cyberattack incidents. These tools have been l

SwiftSlicer (type unspecified, 2 votes)
SwiftSlicer is a new wiper malware, written in Go, that was detected by security researchers on January 25th, 2023. This malicious software was designed to overwrite crucial files used by the Windows operating system, thereby causing significant disruption and damage to infected systems. The malware
Source Document References
Information about the Hades threat actor was read from the documents below (source, age, title). This display is limited to 20 results.

CERT-EU, 10 months ago: Advanced threat predictions for 2024 – GIXtools
Securelist, 10 months ago: Kaspersky Security Bulletin: APT predictions 2024
CERT-EU, a year ago: Impact of the New SEC Cyber Incident Reporting Rules on the C-Suite and Beyond
Secureworks, 2 years ago: Ransomware Evolution
Secureworks, 2 years ago: Phases of a Post-Intrusion Ransomware Attack
Count Upon Security, 2 years ago: Offensive Tools and Techniques
CERT-EU, a year ago: Hacker Group Names Are Now Absurdly Out of Control – National Cyber Security Consulting
Secureworks, 2 years ago: BRONZE STARLIGHT Ransomware Operations Use HUI Loader
MITRE, 2 years ago: Security Blog - Cyber Defense | Accenture
MITRE, 2 years ago: INDRIK SPIDER: WastedLocker Superseded by Hades Ransomware