Wizard Spider

Threat Actor updated 4 months ago (2024-06-24T19:17:47.491Z)
Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, FIN12, and Grimspider, is a significant threat actor in the cybercrime landscape. IBM Security X-Force researchers have continually analyzed the group for its use of several crypters, and it is credited with creating the notorious, ever-evolving TrickBot malware. In March 2020 the group ceased deploying Ryuk ransomware until mid-September, and it is currently unclear how it intends to use Conti and Ryuk alongside each other; what is evident is that Wizard Spider now runs multiple ransomware operations. In recent months the group has expanded the number and variety of channels used to distribute its key initial payloads, and it is among the top groups targeting users of the Netskope Security Cloud platform.

Wizard Spider's attacks were dominant during a certain period, with the group tracked under aliases such as Grim Spider, UNC1878, and TEMP.MixMaster. While most financially motivated intrusions originated from Russia and Ukraine, the group's activities have highlighted China as a major geopolitical threat. Seven members of Wizard Spider, believed to be behind Ryuk, Conti, and TrickBot, were sanctioned earlier this year, and a further eleven were added to the SDN list in September. PRODAFT's analysis of the LockBit operation identified over 28 affiliates, some of whom share ties with other Russian e-crime groups such as Evil Corp, FIN7, and Wizard Spider. Despite the sanctions and continuous tracking of its activities, the group remains active and continues to pose a substantial risk to global cybersecurity.
Description last updated: 2024-06-24T19:16:56.337Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names and profiles that may also be relevant. Each entry lists the alias, the vote count for the overlap, and the start of the alias profile (descriptions are truncated as on the original page).

TrickBot (5 votes): TrickBot is a possible alias for Wizard Spider. TrickBot is a notorious malware that has been used extensively by cybercriminals to exploit and damage computer systems. It operates as a crimeware-as-a-service platform, infecting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can stea

FIN12 (2 votes): FIN12 is a possible alias for Wizard Spider. FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware

Trickbot Group (2 votes): Trickbot Group is a possible alias for Wizard Spider. The Trickbot Group, also known as ITG23, Wizard Spider, and DEV-0193, is a threat actor group notorious for its malicious activities. The group has been consistently analyzed by IBM Security X-Force researchers due to their development and use of several crypters. In the fall of 2020, efforts were m

ITG23 (2 votes): ITG23 is a possible alias for Wizard Spider. ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Cybercrime
Russia
Associated Malware
Each entry lists the malware family, the association type, the vote count, and the start of the malware profile (descriptions are truncated as on the original page).

Conti (association type: Unspecified; 4 votes): The Conti malware is associated with Wizard Spider. Conti is a notorious type of malware, specifically ransomware, that infiltrates computer systems to steal data and disrupt operations. The malicious software often spreads through suspicious downloads, emails, or websites, and once inside, it can hold data hostage for ransom. The Conti ransomware op

Ryuk (association type: Unspecified; 3 votes): The Ryuk malware is associated with Wizard Spider. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves
Source Document References
Information about the Wizard Spider threat actor was read from the documents corpus below. This display is limited to 20 results. Only the source and creation time of each document are recoverable here; titles and links were not preserved.

Source / Created:
BankInfoSecurity / 4 months ago
CERT-EU / 8 months ago
MITRE / 10 months ago
CERT-EU / 10 months ago
SecurityIntelligence.com / a year ago
CERT-EU / a year ago
CERT-EU / a year ago
CERT-EU / a year ago
CERT-EU / a year ago
CERT-EU / a year ago
CERT-EU / a year ago
MITRE / 2 years ago
MITRE / 2 years ago
MITRE / 2 years ago
MITRE / 2 years ago
MITRE / 2 years ago
Recorded Future / 2 years ago
CERT-EU / 2 years ago
CERT-EU / 2 years ago
Krebs on Security / 2 years ago