THREATOPS Actor Dossier
LIVE ← Dashboard

Indrik Spider

G01191 reports
aliases · Indrik Spider · Evil Corp · Manatee Tempest · DEV-0243 · UNC2165
Export dossier:
1
Reports
12
Techniques
8
Tactics
1
Countries
58%
Hunt coverage
5
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1053.005 (Scheduled Task), T1047 (Windows Management Instrumentation), T1213.002 (Sharepoint).
  • Primary targeting: US.
  • Currently dormant: 0 report(s) in last 30d vs 0 prior (+0%).
  • Hunt coverage 58% of 24 observed techniques (10 gap(s)).
  • Assessment confidence: medium (60).

Activity & trend

DormantLast 30d: 0 vs 0 prior (+0%)· first reported 2026-03-16 · last 2026-03-16
0
7d
0
30d
0
90d
1
All
0.0
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

Dropped (90d+)
T1053.005T1047T1213.002T1588.007T1059.007T1583.008T1003.002T1543.003T1588.006T1555.005T1219T1684

Vulnerabilities in this actor's reporting · 16

Overview

Analyst triage
Intelligence summary

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected