Indrik Spider (Evil Corp): A Persistent Russian Cybercriminal Threat
- Suspected Origin
- Russia
- Motivation
- Financial Gain
- Aliases
- Evil Corp, Manatee Tempest, DEV-0243, UNC2165
- Target Sectors
- Financial, Healthcare, Government, Media, Defense, Manufacturing, IT, Education
- Associated Malware
- Dridex, BitPaymer, WastedLocker, Hades, LockBit, PhoenixLocker, Macaw, PayloadBIN, Gozi ISFB, Cobalt Strike, SocGholish, Truebot, Raspberry Robin, RansomHub
Overview
Indrik Spider, also widely known by its aliases Evil Corp, Manatee Tempest, DEV-0243, and UNC2165, is a highly sophisticated and resilient Russia-based cybercriminal group. Active since at least 2014, this group has established itself as one of the most capable and financially motivated syndicates in the cyber underground. While their roots are in sophisticated banking Trojan operations, they have continually evolved their tactics, techniques, and procedures (TTPs), adapting to defensive measures and international law enforcement pressure, particularly after U.S. sanctions and indictments were imposed in 2019. Indrik Spider’s primary objective is financial gain, achieved through both direct financial theft via banking malware and, more prominently in recent years, “big-game hunting” ransomware operations targeting high-value organizations globally. Evidence strongly links the group’s leadership, including Maksim Yakubets and Igor Turashev, to Russian nationals, and there are indications of tacit protection or even cooperation with Russian intelligence services for certain operations prior to 2019.
Tactics & Techniques
Indrik Spider employs a wide array of sophisticated TTPs that reflect their deep technical capabilities and adaptive nature. Initial access is frequently gained through well-crafted phishing schemes, often involving malicious zipped files or email campaigns. They also exploit unpatched vulnerabilities and leverage compromised legitimate websites to serve fake updates for popular software like FlashPlayer and Google Chrome, or use general “FakeUpdates” (also known as SocGholish). The group has also been observed purchasing access to victim VPNs or utilizing stolen credentials for initial infiltration. In some instances, infections related to the Raspberry Robin worm have been observed leading to FakeUpdates deployments, ultimately enabling Indrik Spider’s follow-on activities.
Once inside a network, Indrik Spider utilizes a variety of tools for execution, including PowerShell Empire, batch scripts, and malicious JavaScript files. They commonly employ tools like PsExec to stop services before ransomware deployment, execute commands, disable Windows Defender, and restrict real-time monitoring. Windows Management Instrumentation (WMI) and WMIC are frequently used for remote command execution and adding new user accounts, while Group Policy Objects (GPOs) are exploited to deploy batch scripts across the network.
For defense evasion, the group relies on code signing to make their malicious software appear legitimate and frequently modifies malware signatures to bypass antivirus detection. They actively work to impede defensive products by disabling Windows Defender definitions using MpCmdRun and uninstalling or resetting anti-virus services via WMI. Log files are often cleared using Cobalt Strike or wevutil to hinder forensic analysis.
Credential access is a high priority, with Indrik Spider collecting credentials from infected systems, including domain accounts, accessing and exporting passwords from password managers, and performing Kerberoasting attacks. They utilize tools like ProcDump via Cobalt Strike for credential dumping and have been known to collect sensitive information directly from the clipboard.
Internal reconnaissance is thorough, using tools like PowerView to enumerate Active Directory instances and deploying Advanced Port Scanner and Lansweeper to map victim networks. They have also been observed accessing VMware VCenter for host configuration details. Lateral movement often involves PsExec, Remote Desktop Protocol (RDP), Secure Shell (SSH), and the use of stolen valid accounts. Data exfiltration, often a precursor to ransomware deployment or a component of double extortion, is carried out using tools such as Rclone or MEGAsync, with collected data temporarily stored in .tmp files.
Notable Campaigns
Indrik Spider’s operational history is marked by several significant campaigns. Their early activities, starting around 2014, were centered on the Dridex banking Trojan, which was highly effective in harvesting banking credentials and automating financial theft, netting the group millions of dollars. By 2017, they expanded into ransomware, adopting a “big-game hunting” approach to target organizations rather than individuals. One of their most prominent early ransomware incidents involved the UK’s National Health Service (NHS) in August 2017, where they deployed BitPaymer ransomware and demanded a high ransom. Other notable victims include Funke Mediengruppe, the University Hospital Düsseldorf, the Spanish MSP Everis, and radio station Cadena SER.
Following U.S. sanctions and indictments against their leadership in December 2019, Indrik Spider diversified their toolset and evolved their tactics to evade attribution and continue monetizing their attacks. This included moving away from direct reliance on their proprietary Dridex and BitPaymer tools. They were observed using WastedLocker ransomware, with Garmin being a high-profile victim. Subsequently, they shifted to Hades ransomware, which shares significant code overlap with WastedLocker, likely to further bypass sanctions by using previously unattributed tooling.
More recently, particularly around November 2021, the group (tracked as Manatee Tempest or UNC2165) began deploying Ransomware-as-a-Service (RaaS) payloads, most notably LockBit 2.0. This strategic move to RaaS platforms is assessed to be a deliberate attempt to obscure their affiliation with Evil Corp and complicate attribution, making it harder for sanctioned entities to be identified and for victims to refuse payment due to regulatory risks. CrowdStrike has observed Indrik Spider deploying LockBit ransomware and conducting pre-ransomware activity throughout 2023, often gaining initial access via Fake Browser Update services in 2024. In Q2 2024, Manatee Tempest was seen deploying RansomHub ransomware following initial access achieved via FakeUpdates/SocGholish infections.
Associated Malware & Tools
Indrik Spider has developed and utilized a formidable arsenal of malware and legitimate tools. Their foundational malware was the Dridex banking Trojan (also known as Cridex or Bugat), a sophisticated information stealer with dynamic command and control capabilities and backdoor functionality. They then developed multiple ransomware families, including BitPaymer (also called Friedex or iEncrypt), WastedLocker, Hades, PhoenixLocker, Macaw, and PayloadBIN.
Beyond their proprietary malware, Indrik Spider heavily leverages commercially available or open-source tools to facilitate their operations. Cobalt Strike is a staple in their post-compromise activities, used for command and control, credential dumping via ProcDump, and log clearing. PowerShell Empire is another favored tool for executing malware. For reconnaissance, they deploy tools like Advanced Port Scanner and Lansweeper. Other utilities include PsExec, Mimikatz, and PowerSploit. They also make use of legitimate remote access and data transfer tools such as RDP, SSH, Rclone, and MEGAsync.
A key element in their diversified toolset, particularly post-sanctions, is the widespread adoption of SocGholish (a JavaScript framework often delivered via FakeUpdates) as an initial access loader, paving the way for further compromise. They have also been associated with the use of Truebot and Raspberry Robin for initial access and remote control in conjunction with other payloads. Their willingness to incorporate third-party RaaS, such as LockBit 2.0 and more recently RansomHub, demonstrates their pragmatic approach to maintaining operational effectiveness and evading sanctions.
Current Status
Indrik Spider remains an Active and highly adaptable threat actor. Despite significant efforts by international law enforcement, including U.S. indictments and sanctions, the group has shown remarkable resilience. Their strategy since 2019 has been one of continuous evolution, rapidly changing their TTPs and diversifying their malware arsenal to circumvent the impact of sanctions and maintain their ability to extort victims.
Recent activity underscores their ongoing operations, with observations of them deploying LockBit ransomware throughout 2023 and continuing to gain initial access via Fake Browser Update services in 2024. Most recently, in the second quarter of 2024, the group, tracked as Manatee Tempest, was observed deploying RansomHub ransomware in post-compromise activity, following initial access gained through SocGholish infections. This consistent adoption of new RaaS variants, alongside their established initial access mechanisms, highlights their determination to avoid clear attribution and continue their financially motivated cybercriminal endeavors. We anticipate that Indrik Spider will continue to adapt their tradecraft, leveraging new partnerships and tools to maintain their illicit operations in the face of ongoing scrutiny.
Related content
Threat Profile: Mustard Tempest (G1020)
Adversary ProfileEmber Bear (G1003): Russian Cyber Espionage and Destructive Operations
Adversary ProfileCarbanak Threat Profile: Financial Apex Predators
Adversary ProfileDeep Panda (G0009) Threat Actor Profile: A Persistent Chinese Espionage Group
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call