Threat Actor Profile Updated 2 months ago
TEMP.MixMaster is the name FireEye uses to track the deployment of Ryuk ransomware following TrickBot malware infections, activity assessed to be financially motivated. The actor's modus operandi is to leverage the widespread distribution of TrickBot to gain access to victim organizations. Not every TrickBot infection leads to Ryuk deployment, however, suggesting a selective approach by this threat actor.

The operational picture of TEMP.MixMaster is complex and incomplete. There is currently no definitive evidence that the full chain of activity, from TrickBot distribution through Ryuk deployment, is carried out by a single operator or group. Adding to that complexity, TEMP.MixMaster has also been observed using EMPIRE and RDP connections for lateral movement within victim environments rather than relying solely on TrickBot's built-in capabilities.

In broader context, TEMP.MixMaster's methodology follows a growing trend among threat actors that was first popularized by SamSam operations dating back to late 2015. During the same period, malware attacks were predominantly carried out by Wizard Spider, also known as Grim Spider, UNC1878, and TEMP.MixMaster. Most financially motivated intrusions originated from Russia and Ukraine, while China emerged as the most significant geopolitical threat. Despite these insights, the identity and exact structure of TEMP.MixMaster remain unclear, underscoring the evolving challenges of attributing this activity.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Wizard Spider
Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a significant threat actor in the cybercrime landscape. This group has been continually analyzed by IBM Security X-Force researchers for its use of several crypters and is credited with creating the notorious, ev
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Lateral Move...
Associated Malware
ID | Type | Votes | Profile Description
Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
SamSam is a type of malware, specifically ransomware, that was first deployed by the cybercriminal group GOLD LOWELL in 2015. This malicious software is designed to infiltrate systems through suspicious downloads, emails, or websites and then exploit the compromised system, often stealing personal i
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the TEMP.MixMaster threat actor was read from the document corpus below. This display is limited to 20 results.
9 months ago
Malware increasingly spread through cloud apps
a year ago
Credential Stealing Malware | Mandiant Research