Hades

Threat Actor updated 2 months ago (2024-10-01T19:00:55.970Z)

Download STIX

Preview STIX

Hades is a significant threat actor that has been active in the cybersecurity landscape, particularly associated with ransomware attacks. The group uses distinctive tactics and infrastructure, as noted by CTU researchers in June 2021. Hades ransomware operators have been observed using Advanced Port Scanner, a tool previously seen in Snatch, Pysa, and other ransomware incidents. They also employ MegaSync, a tool used in Nefilim, Pysa, and other operations, along with Malleable C2, which has been encountered in Darkside, Defray, and other incidents. In late March 2021, Hades orchestrated a major attack on a U.S. insurance provider, leading to a substantial ransom payment of $40 million for network access restoration. This specific attack involved a Hades ransomware variant operated by the GOLD WINTER threat group. Some members of this group are known to continually adapt their methods and have gone on to develop further malware and ransomware strains such as WastedLocker, PhoenixLocker, PayloadBIN, and Macaw. Interestingly, the group has also been linked to the development of a wiper named SwiftSlicer, attributed to Sandworm, another alias for Hades. The group's activities have had a global impact, with victims hailing from all corners of the world. Their actions and the subsequent discussions about them have sparked lively online conversations among cybersecurity professionals worldwide, highlighting the group's influence and the importance of ongoing vigilance against their evolving tactics.

Description last updated: 2024-10-01T18:16:14.847Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
WastedLocker is a possible alias for Hades. WastedLocker is a sophisticated malware developed by the Evil Corp Group, a notorious cybercriminal organization. This malware is a form of ransomware that targets both Windows and Android devices, encrypting users' data and demanding a ransom for its release. Originating in 2020, WastedLocker utili	3
Sandworm is a possible alias for Hades. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c	2
Payloadbin is a possible alias for Hades. PayloadBIN is a threat actor associated with the infamous cybercrime group, Evil Corp. This association emerged in 2021 when Babuk ransomware operations rebranded as PayloadBIN in an apparent effort to evade sanctions imposed by the U.S. government in December 2019. The group has been responsible fo	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Wiper

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Swiftslicer Malware is associated with Hades. SwiftSlicer is a new wiper malware, written in Go, that was detected by security researchers on January 25th, 2023. This malicious software was designed to overwrite crucial files used by the Windows operating system, thereby causing significant disruption and damage to infected systems. The malware	Unspecified	2
The Hades Ransomware Malware is associated with Hades. Hades ransomware is a variant of the WastedLocker malware, which is designed to exploit and damage computers or devices. It was observed by CTU researchers being used in conjunction with Advanced Port Scanner, MegaSync, and Malleable C2 tools in various cyberattack incidents. These tools have been l	Unspecified	2

Source Document References

Information about the Hades Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	2 months ago	Evil Corp's LockBit Ties Exposed in Latest Phase of Operation Cronos
BankInfoSecurity	2 months ago	LockBit and Evil Corp Targeted In Anti-Ransomware Crackdown
CERT-EU	a year ago	Advanced threat predictions for 2024 – GIXtools
Securelist	a year ago	Kaspersky Security Bulletin: APT predictions 2024
CERT-EU	a year ago	Impact of the New SEC Cyber Incident Reporting Rules on the C-Suite and Beyond
Secureworks	2 years ago	Ransomware Evolution
Secureworks	2 years ago	Phases of a Post-Intrusion Ransomware Attack
Count Upon Security	2 years ago	Offensive Tools and Techniques
CERT-EU	2 years ago	Hacker Group Names Are Now Absurdly Out of Control \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker – National Cyber Security Consulting
Secureworks	2 years ago	BRONZE STARLIGHT Ransomware Operations Use HUI Loader
MITRE	2 years ago	Security Blog - Cyber Defense \| Accenture
MITRE	2 years ago	INDRIK SPIDER: WastedLocker Superseded by Hades Ransomware