Clankerusecase
Threat-actor profile
← Back to main site
Home/ Threat Actors/ REvil

🇷🇺REvil

🇷🇺 REvil is a tracked threat actor in the Clankerusecase corpus. Attributed to RU. Primary motivation: Criminal. We map 17 detection use cases to this actor across 14 MITRE ATT&CK techniques, with 1 threat-intel article citing them. Active in our corpus from 2026-07-17 to 2026-07-17.

high 1
View full actor card → All threat actors MITRE ATT&CK group spec (G0115) ↗
17Use cases
1Articles
14Techniques
0IOCs

Known aliases

REvilSodinokibiGOLD SOUTHFIELDPinchy Spider

Top techniques

All other tracked techniques

Detection use cases (17)

REvil/Kaseya VSA supply-chain: Defender-disable + certutil-decode 'agent.crt' → mpsvc.dll side-load AI · profile SΣDD Sodinokibi (REvil) impact: shadow-copy wipe + recovery sabotage immediately preceding mass encryption AI · profile SΣDD Ransomware-style mass file rename / extension change Internal LSASS process access / dump (credential theft) Internal Remote service execution — PsExec / SMB lateral movement Internal AI-Agent Server (PraisonAI/MCP) Spawns OS Shell or Recon LOLBin — Unauthenticated RCE Exploitation MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Exposed AI Agent/LLM Service Spawns Shell or LOLBin After Inbound Connection MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) MITRE match Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write MITRE match Vendor / Third-Party OAuth App or SP Sign-in From Unbaselined Egress Followed by Bulk SaaS Object Read MITRE match

Threat-intel articles (1)