Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Indrik Spider

🌐Indrik Spider

🌐 Indrik Spider is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Criminal. We map 14 detection use cases to this actor across 33 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0119) ↗
14Use cases
0Articles
33Techniques
0IOCs

About this actor (MITRE)

[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://attack.mitre.org/groups/G0119) changed their

Known aliases

Indrik SpiderEvil CorpManatee TempestDEV-0243UNC2165

Top techniques

T1003.001 · LSASS MemoryT1007 · System Service DiscoveryT1012 · Query Registry

All other tracked techniques

T1018 · Remote System DiscoveryT1021.001 · Remote Desktop ProtocolT1021.004 · SSHT1036.005 · Match Legitimate Resource Name or LocationT1047 · Windows Management InstrumentationT1059.001 · PowerShellT1059.003 · Windows Command ShellT1059.007 · JavaScriptT1074.001 · Local Data StagingT1078 · Valid AccountsT1078.002 · Domain AccountsT1105 · Ingress Tool TransferT1112 · Modify RegistryT1136 · Create AccountT1136.001 · Local AccountT1204.002 · Malicious FileT1484.001 · Group Policy ModificationT1486 · Data Encrypted for ImpactT1489 · Service StopT1552.001 · Credentials In FilesT1555.005 · Password ManagersT1558.003 · KerberoastingT1567.002 · Exfiltration to Cloud StorageT1583 · Acquire InfrastructureT1584.004 · ServerT1585.002 · Email AccountsT1587.001 · MalwareT1590 · Gather Victim Network InformationT1685 · Disable or Modify ToolsT1685.005 · Clear Windows Event Logs

Detection use cases (14)

Indrik Spider / Evil Corp SocGholish (FakeUpdates) — wscript.exe → PowerShell chain from browser-dropped ZIP AI · profile SΣ Indrik Spider WastedLocker / Hades pre-encryption sequence — takeown + icacls + vssadmin within 30 minutes AI · profile S 1Password impossible-travel sign-in MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match