active threat profile
type cybercrime
threat_level high
status active
origin Russia
last_updated 2026-03-13

Evil Corp

also known as: INDRIK SPIDER, UNC2165, Manatee Tempest

Evil Corp is a Russian cybercrime organization best known for building the Dridex banking malware ecosystem and later pivoting into high-impact ransomware operations including BitPaymer, WastedLocker, and Hades. The group matters because it evolved from credential theft and banking fraud into hands-on-keyboard enterprise intrusions, and multiple government and private-sector reports continue to tie it to Russian operators and post-sanctions rebranding activity.

attributed origin Russia
suspected sponsor Criminal organization; leadership linked by U.S./U.K. authorities to Russian intelligence services
first observed 2014
primary motivation Financial gain, credential theft, fraud, and ransomware extortion
primary targets Financial services, large enterprise, healthcare, manufacturing
known campaigns 4+ major clusters
mitre att&ck group G0119
target regions North America, Europe, global enterprise targets
threat level high

Overview

Evil Corp is the name widely used for a Russia-based financially motivated cybercrime organization associated with the operators tracked by MITRE as INDRIK SPIDER / G0119. MITRE describes the cluster as active since at least 2014 and notes its progression from the Dridex banking Trojan to ransomware families including BitPaymer, WastedLocker, and Hades. U.S. Treasury sanctions and criminal actions identify the group as the organization behind Dridex and describe it as a Moscow-based operation led by Maksim Yakubets, with Igor Turashev and other members tied to technical administration, targeting, and financial facilitation.

Evil Corp's operational history shows a clear maturation pattern: mass phishing and banking credential theft first, then selective enterprise compromise, lateral movement, and ransomware deployment against higher-value victims. Treasury stated that the group used Dridex to infect systems at hundreds of banks and financial institutions in more than 40 countries and attributed more than $100 million in theft to the activity. After the 2019 sanctions, private-sector reporting assessed that the group adapted through malware changes, successor ransomware families, and alias churn to reduce the sanctions friction created by OFAC designations.

The group is notable not only for its criminal profitability but also for the long-running reporting that some members overlap with, or provide services to, Russian state interests. Treasury said Yakubets was working for the FSB as of 2017 and had provided direct assistance to Russian government cyber operations, and later coalition reporting in 2024 further described ties between Evil Corp operators and Russian intelligence services. More recent Google Threat Intelligence Group reporting in March 2026 said UNC2165 overlaps with public reporting on Evil Corp and was observed using a zero-day for initial access in mid-2025, underscoring that the cluster should still be treated as an active threat actor rather than a purely historical one.

Target Profile

Evil Corp has historically targeted organizations that either hold directly monetizable credentials or can support high-value extortion. Early Dridex campaigns concentrated on banks and financial institutions, while later operations widened into large enterprises with the revenue, cyber-insurance coverage, and operational dependence that make ransomware negotiations more likely.

  • Financial services: Treasury attributed large-scale banking credential theft and fraudulent fund transfers to Evil Corp's Dridex operations, including targeting of institutions in the United States and the United Kingdom.
  • Large enterprise environments: Post-2017 activity increasingly focused on hands-on intrusions against organizations with mature Windows estates where the group could escalate privileges, move laterally, disable defenses, and deploy ransomware at scale.
  • Healthcare, manufacturing, technology, and other operationally sensitive sectors: Public reporting on WastedLocker, Hades, and related intrusions shows victim selection skewing toward organizations where downtime materially increases pressure to pay.

Tactics, Techniques & Procedures

Documented TTPs derived from MITRE ATT&CK, government actions, and vendor reporting on Dridex, BitPaymer, WastedLocker, Hades, and related Evil Corp activity.

MITRE ID | Technique | Description
T1204.002 | User Execution: Malicious File | Used malicious document and archive delivery to drive initial execution in phishing-led Dridex and follow-on intrusion activity.
T1078 | Valid Accounts | Relied on stolen or purchased credentials to access victim environments and maintain access during ransomware operations.
T1003.001 | OS Credential Dumping: LSASS Memory | Used post-exploitation tooling including Cobalt Strike and ProcDump to extract credentials from LSASS and accelerate privilege escalation.
T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Requested service tickets for SPN-bearing accounts in Active Directory and cracked them offline to recover service account credentials for lateral movement and persistence.
T1021.001 | Remote Services: Remote Desktop Protocol | Used RDP for internal movement after gaining privileged access inside enterprise Windows environments.
T1484.001 | Domain or Tenant Policy Modification: Group Policy Modification | Abused Group Policy Objects and administrative tooling to stage scripts and prepare widespread ransomware execution.
T1562.001 | Impair Defenses: Disable or Modify Tools | Disabled or altered security tooling, including Microsoft Defender and other defensive controls, before final impact actions.
T1486 | Data Encrypted for Impact | Deployed BitPaymer, WastedLocker, Hades, and related ransomware families to encrypt domain-connected systems for extortion.

Known Campaigns

Confirmed or strongly attributed activity clusters linked to Evil Corp and overlapping post-sanctions reporting.

Dridex Banking Malware Operations 2014-2019

Mass phishing-led malware distribution used to steal banking credentials, compromise online banking sessions, and support fraudulent fund transfers. U.S. Treasury said the activity affected customers at approximately 300 banks and financial institutions in more than 40 countries and produced at least $100 million in theft.

BitPaymer Big-Game Ransomware Intrusions 2017-2019

Transition from banking fraud toward enterprise ransomware operations. BitPaymer intrusions featured hands-on-keyboard post-exploitation, domain-wide impact, and monetization through ransom demands rather than mule-driven bank fraud.

WastedLocker Targeted Extortion 2020

Selective ransomware attacks against major enterprises. Public reporting associated WastedLocker with Evil Corp / INDRIK SPIDER and highlighted deliberate victim selection, enterprise-wide disablement of defenses, and ransomware deployment after deep reconnaissance.

Hades and Post-Sanctions Rebranding Activity 2020-2025

After the 2019 sanctions, reporting from CrowdStrike and Mandiant linked Evil Corp-related operators to successor ransomware and alias changes, including Hades and later UNC2165 activity associated with LockBit and, more recently, zero-day-enabled access operations observed in 2025.

Tools & Malware

Evil Corp has been associated with both proprietary malware development and commodity post-exploitation tooling.

  • Dridex: Banking Trojan and malware delivery platform used for credential theft, fraud enablement, and initial access establishment.
  • BitPaymer: Early enterprise ransomware family tied to the group's pivot from banking fraud to big-game extortion.
  • WastedLocker: Targeted ransomware associated with high-value enterprise intrusions and broad encryption of business-critical assets.
  • Hades: Successor ransomware lineage that CrowdStrike assessed as code-overlapping with WastedLocker and part of post-sanctions adaptation.
  • Cobalt Strike / PowerShell Empire: Post-exploitation frameworks used for execution, credential dumping, lateral movement, and operator control.
  • Rclone / MEGASync / administrative discovery tools: Utilities observed in related intrusions for data movement, exfiltration staging, and network reconnaissance.

Indicators of Compromise

This profile intentionally does not publish a static IOC block. Evil Corp infrastructure, malware hashes, delivery domains, and staging nodes have changed repeatedly across Dridex, BitPaymer, WastedLocker, Hades, and later cluster activity. For operational blocking or detection engineering, use current vendor and government feeds rather than a historical profile page.

warning

Historical indicators remain useful for retrospective hunting and correlation, but they should not be treated as sufficient for live blocking without freshness validation. Prioritize continuously maintained intelligence feeds, YARA/Sigma updates, and vendor advisories tied to the specific malware family you are defending against.

Mitigation & Defense

Defenses against Evil Corp should assume a blended intrusion model that spans email-borne malware, stolen credentials, enterprise privilege escalation, hands-on-keyboard lateral movement, and ransomware impact.

  • Harden identity and remote access: Enforce phishing-resistant MFA for externally exposed services, restrict privileged accounts, monitor abnormal VPN and RDP use, and eliminate shared admin credentials wherever possible.
  • Reduce credential exposure: Enable LSA Protection (RunAsPPL) and Credential Guard where feasible, control administrative tool usage, detect ProcDump-style LSASS handle opens and Cobalt Strike behavior, rotate privileged credentials aggressively after suspected compromise, and monitor for Kerberoasting indicators such as bursts of RC4 service ticket requests from a single account.
  • Constrain lateral movement: Segment Tier 0 assets, restrict RDP/SMB/WinRM, audit Group Policy changes, and block unauthorized service creation, PsExec-style execution, and suspicious software deployment from management shares.
  • Improve email and malware prevention: Use attachment detonation, macro/script controls, URL rewriting, and strong filtering for archive- and document-based delivery commonly associated with Dridex-style campaigns.
  • Prepare for ransomware impact: Maintain offline or immutable backups, validate restoration, isolate backup infrastructure, and pre-stage containment playbooks for rapid host isolation and privileged credential reset.
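As an added example, not code from the original profile, from MITRE, or from any vendor, the Python below implements the two credential-access detections called for by the "Reduce credential exposure" bullet above and by the T1558.003 and T1003.001 rows of the TTP table, run over a handful of constructed Windows event records. Field names are simplified stand-ins for the real Security 4769 and Sysmon Event ID 10 fields, the thresholds and the LSASS-access allowlist are assumptions to be tuned per estate, and every sample event is made up.

```python
"""Detections for two Evil Corp credential-access TTPs (added example, not
from the profile or any vendor):
  * T1558.003 Kerberoasting: one account requesting RC4 (etype 0x17) service
    tickets for many distinct SPNs in a short window (Security 4769).
  * T1003.001 LSASS dumping: a non-allowlisted process opening lsass.exe with
    a read-capable access mask (Sysmon Event ID 10).
Field names are simplified stand-ins for the real log fields."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Security 4769: 'jdoe' pulls RC4 tickets for five SPNs in four seconds.
    {"id": 4769, "time": "2025-06-02T09:15:01", "user": "jdoe@CORP.LOCAL",
     "service": "MSSQLSvc/db01.corp.local:1433", "etype": "0x17", "status": "0x0"},
    {"id": 4769, "time": "2025-06-02T09:15:02", "user": "jdoe@CORP.LOCAL",
     "service": "MSSQLSvc/db02.corp.local:1433", "etype": "0x17", "status": "0x0"},
    {"id": 4769, "time": "2025-06-02T09:15:02", "user": "jdoe@CORP.LOCAL",
     "service": "HTTP/intranet.corp.local", "etype": "0x17", "status": "0x0"},
    {"id": 4769, "time": "2025-06-02T09:15:03", "user": "jdoe@CORP.LOCAL",
     "service": "svc_backup", "etype": "0x17", "status": "0x0"},
    {"id": 4769, "time": "2025-06-02T09:15:04", "user": "jdoe@CORP.LOCAL",
     "service": "svc_sccm", "etype": "0x17", "status": "0x0"},
    # Benign: an AES (0x12) ticket for a user and one for a machine account.
    {"id": 4769, "time": "2025-06-02T09:16:10", "user": "asmith@CORP.LOCAL",
     "service": "cifs/fs01.corp.local", "etype": "0x12", "status": "0x0"},
    {"id": 4769, "time": "2025-06-02T09:16:11", "user": "WS042$@CORP.LOCAL",
     "service": "cifs/fs01.corp.local", "etype": "0x12", "status": "0x0"},
    # Sysmon 10: a renamed ProcDump-style binary opens lsass with full access.
    {"id": 10, "time": "2025-06-02T09:20:30",
     "source_image": "C:\\Users\\Public\\pd64.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1FFFFF"},
    # Sysmon 10: Defender's engine touching lsass is expected (allowlisted).
    {"id": 10, "time": "2025-06-02T09:20:31",
     "source_image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    # Sysmon 10: a query-only handle (no PROCESS_VM_READ) is not a dump.
    {"id": 10, "time": "2025-06-02T09:20:32",
     "source_image": "C:\\Windows\\System32\\taskmgr.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1000"},
]

RC4_ETYPES = {"0x17", "0x18"}      # RC4-HMAC, RC4-HMAC-EXP (downgrade signal)
KERBEROAST_WINDOW_S = 60           # assumption: tune per estate
KERBEROAST_MIN_SPNS = 5            # assumption: tune per estate
PROCESS_VM_READ = 0x0010           # access right needed to read LSASS memory
LSASS_ACCESS_ALLOWLIST = (         # assumption: known-good path fragments
    "\\windows defender\\",
    "\\windows\\system32\\csrss.exe",
    "\\windows\\system32\\wininit.exe",
)


def detect_kerberoasting(events, window_s=KERBEROAST_WINDOW_S,
                         min_spns=KERBEROAST_MIN_SPNS):
    """Return (user, distinct_spn_count, window_start) for each account that
    requested RC4 service tickets for >= min_spns distinct SPNs within
    window_s seconds. Machine accounts ('$') and failures are ignored."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("id") != 4769 or e.get("status") != "0x0":
            continue
        if e.get("etype") not in RC4_ETYPES:
            continue
        if e["user"].split("@")[0].endswith("$"):
            continue
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"]))

    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):           # sliding time window
            while (reqs[end][0] - reqs[start][0]).total_seconds() > window_s:
                start += 1
            spns = {svc for _, svc in reqs[start:end + 1]}
            if len(spns) >= min_spns:
                alerts.append((user, len(spns), reqs[start][0].isoformat()))
                break                          # one alert per account
    return alerts


def detect_lsass_access(events, allowlist=LSASS_ACCESS_ALLOWLIST):
    """Return (source_image, granted_access) for Sysmon 10 events in which a
    non-allowlisted process opened lsass.exe with PROCESS_VM_READ set."""
    alerts = []
    for e in events:
        if e.get("id") != 10:
            continue
        if not e["target_image"].lower().endswith("\\lsass.exe"):
            continue
        if int(e["granted_access"], 16) & PROCESS_VM_READ == 0:
            continue
        if any(a in e["source_image"].lower() for a in allowlist):
            continue
        alerts.append((e["source_image"], e["granted_access"]))
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_EVENTS):
        print("KERBEROASTING", a)
    for a in detect_lsass_access(SAMPLE_EVENTS):
        print("LSASS_ACCESS", a)
```

In production the event dictionaries would come from the SIEM rather than an inline list. Two caveats worth carrying into a real rule: RC4 ticket requests are the classic Kerberoasting signal, but AES-only roasting exists, so the SPN-volume condition should also be evaluated on AES tickets with a higher threshold; and the LSASS allowlist should key on signer or hash rather than path, since a renamed ProcDump dropped into an allowlisted directory would otherwise slip through.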

note

Alias mapping around Evil Corp can be messy. MITRE tracks the public Evil Corp cluster under G0119 / INDRIK SPIDER, while private vendors also use labels such as UNC2165 and Manatee Tempest for overlapping post-sanctions activity. Treat the profile as a consolidated view of a persistent actor ecosystem rather than a claim that every cited campaign was executed by an identical crew under a single unchanged brand.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile