Indrik Spider
G01191 reportsaliases · Indrik Spider · Evil Corp · Manatee Tempest · DEV-0243 · UNC2165
1
Reports
12
Techniques
8
Tactics
1
Countries
58%
Hunt coverage
5
Aliases
Analyst assessment — key judgments
- Signature techniques: T1053.005 (Scheduled Task), T1047 (Windows Management Instrumentation), T1213.002 (Sharepoint).
- Primary targeting: US.
- Currently dormant: 0 report(s) in last 30d vs 0 prior (+0%).
- Hunt coverage 58% of 24 observed techniques (10 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
DormantLast 30d: 0 vs 0 prior (+0%)· first reported 2026-03-16 · last 2026-03-16
0
7d
0
30d
0
90d
1
All
0.0
Rpts/wk
Reporting timeline · 12 months
Movement — last 30 days
Dropped (90d+)
T1053.005T1047T1213.002T1588.007T1059.007T1583.008T1003.002T1543.003T1588.006T1555.005T1219T1684Vulnerabilities in this actor's reporting · 16
- CVE-2019-6693KEV1 rpt
- CVE-2021-27877KEV1 rpt
- CVE-2021-27878KEV1 rpt
- CVE-2021-40539KEV1 rpt
- CVE-2023-4966KEV1 rpt
- CVE-2024-21762KEV1 rpt
- CVE-2024-3400KEV1 rpt
- CVE-2024-37085KEV1 rpt
- CVE-2024-40766KEV1 rpt
- CVE-2024-55591KEV1 rpt
- CVE-2025-31161KEV1 rpt
- CVE-2025-31324KEV1 rpt
- CVE-2025-53770KEV1 rpt
- CVE-2025-61882KEV1 rpt
- CVE-2025-8088KEV1 rpt
- CVE-2025-537711 rpt
Overview
Analyst triage
Intelligence summary
Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)
Top co-occurring indicators
Aliases & naming
Targeting · countries
Targeting · named victims
ATT&CK technique matrix
Coverage vs hunt library:
—
Hunt-coverage gaps — prioritized
Top techniques by observation
- T1053.005 · Scheduled Taskconf 601
- T1047 · Windows Management Instrumentationconf 601
- T1213.002 · Sharepointconf 601
- T1588.007 · Artificial Intelligenceconf 601
- T1059.007 · JavaScriptconf 601
- T1583.008 · Malvertisingconf 601
- T1003.002 · Security Account Managerconf 601
- T1543.003 · Windows Serviceconf 601
- T1588.006 · Vulnerabilitiesconf 601
- T1555.005 · Password Managersconf 601
- T1219 · Remote Access Toolsconf 601
- T1684 · Social Engineeringconf 601
Threat catalogue · engineering roadmap
Flagged detection-engineering queue
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
IOC type mix
Tooling / malware families
Relationships
Activity
30-day mention timeline
Recent reporting
| Title | Source | Severity | Collected |
|---|