Hades

Threat Actor updated a month ago (2024-11-29T14:04:01.693Z)
Hades is a significant threat actor that has been active in the cybersecurity landscape, particularly associated with ransomware attacks. The group uses distinctive tactics and infrastructure, as noted by CTU researchers in June 2021. Hades ransomware operators have been observed using Advanced Port Scanner, a tool previously seen in Snatch, Pysa, and other ransomware incidents. They also employ MegaSync, a tool used in Nefilim, Pysa, and other operations, along with Malleable C2, which has been encountered in Darkside, Defray, and other incidents. In late March 2021, Hades orchestrated a major attack on a U.S. insurance provider, leading to a substantial ransom payment of $40 million for network access restoration. This specific attack involved a Hades ransomware variant operated by the GOLD WINTER threat group. Some members of this group are known to continually adapt their methods and have gone on to develop further malware and ransomware strains such as WastedLocker, PhoenixLocker, PayloadBIN, and Macaw. Interestingly, the group has also been linked to the development of a wiper named SwiftSlicer, attributed to Sandworm, another alias for Hades. The group's activities have had a global impact, with victims hailing from all corners of the world. Their actions and the subsequent discussions about them have sparked lively online conversations among cybersecurity professionals worldwide, highlighting the group's influence and the importance of ongoing vigilance against their evolving tactics.
Description last updated: 2024-10-01T18:16:14.847Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
WastedLocker is a possible alias for Hades. WastedLocker is a sophisticated malware developed by the Evil Corp Group, a notorious cybercriminal organization. This malware is a form of ransomware that targets both Windows and Android devices, encrypting users' data and demanding a ransom for its release. Originating in 2020, WastedLocker utili | 3
Sandworm is a possible alias for Hades. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c | 2
Payloadbin is a possible alias for Hades. PayloadBIN is a threat actor associated with the infamous cybercrime group, Evil Corp. This association emerged in 2021 when Babuk ransomware operations rebranded as PayloadBIN in an apparent effort to evade sanctions imposed by the U.S. government in December 2019. The group has been responsible fo | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Wiper
Associated Malware
Alias Description | Association Type | Votes
The Swiftslicer Malware is associated with Hades. SwiftSlicer is a new wiper malware, written in Go, that was detected by security researchers on January 25th, 2023. This malicious software was designed to overwrite crucial files used by the Windows operating system, thereby causing significant disruption and damage to infected systems. The malware | Unspecified | 2
The Hades Ransomware Malware is associated with Hades. Hades ransomware is a variant of the WastedLocker malware, which is designed to exploit and damage computers or devices. It was observed by CTU researchers being used in conjunction with Advanced Port Scanner, MegaSync, and Malleable C2 tools in various cyberattack incidents. These tools have been l | Unspecified | 2