### **Evil Corp (TA505) – Cybercrime & Financial Attacks** 💰💻
**Evil Corp (aka TA505, Dudear, Indrik Spider)** is a **Russian cybercrime group** known for **banking trojans, ransomware attacks, and financial fraud**. They specialize in large-scale, **highly organized cyber heists**, stealing **hundreds of millions of dollars** worldwide.
🚨 **Key Facts:**
- **Founded**: ~2014
- **Main Goal**: Financial theft through **ransomware & banking fraud**
- **Notorious For**: **Dridex, BitPaymer, WastedLocker, and [[LockBit]] ransomware**
- **Ties to Russia**: **Sanctioned by the U.S. in 2019**, suspected **FSB connections**
---
## **🔹 Evil Corp's Most Notorious Cyberattacks**
|**Attack**|**Tactics Used**|**Target**|**Year**|
|---|---|---|---|
|**Dridex Banking Trojan**|Keylogging & credential theft|Global banks & finance firms|2014-Present|
|**BitPaymer Ransomware**|File encryption & ransom extortion|U.S. & EU hospitals, gov't agencies|2017-2019|
|**WastedLocker Ransomware**|Targeted corporate attacks|Garmin, CWT, U.S. media firms|2020|
|**Hades Ransomware**|Rebranded ransomware to evade U.S. sanctions|Manufacturing, supply chains|2021|
|**LockBit Collaboration**|Possible partnership with LockBit for ransomware ops|European & U.S. companies|2022-2023|
🚨 **Estimated Stolen: Over $100M worldwide** 🚨
---
## **🔹 Tools & Malware Used by Evil Corp**
|**Tool/Malware**|**Function**|
|---|---|
|**Dridex**|Banking Trojan for credential theft & fraud|
|**BitPaymer**|High-value ransomware targeting enterprises|
|**WastedLocker**|Custom ransomware for targeted extortion|
|**Hades**|Rebranded ransomware to evade sanctions|
|**LockBit**|Used after sanctions to continue operations|
|**FlawedAmmyy RAT**|Remote access tool for persistence|
|**Cobalt Strike**|Post-exploitation & lateral movement|
|**PowerShell Empire**|Fileless malware execution|
---
## **🔹 Tactics & Techniques Used (MITRE ATT&CK)**
✅ **Initial Access** – Phishing emails with infected attachments
✅ **Execution** – Macro-enabled Word/Excel files dropping Dridex
✅ **Persistence** – Registry modifications & scheduled tasks
✅ **Privilege Escalation** – Using Mimikatz to steal credentials
✅ **Lateral Movement** – SMB exploitation & RDP abuse
✅ **Exfiltration** – Data theft before encryption
✅ **Impact** – Deploy ransomware & demand millions in crypto
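The Execution and Persistence steps above (macro-enabled Office file spawning a script host, then a scheduled task or Run key for persistence) are the cheapest places to detect this chain. The script below is an added example, not material from the original note or from any vendor; it runs simple ATT&CK-aligned heuristics over constructed process-creation events in a Sysmon-like shape (the hosts, paths and command lines are made up for illustration).

```python
"""Heuristic detection for the Office-macro -> script host -> persistence chain.
All events below are constructed samples, not real telemetry."""
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields)
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\svc.exe"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",  # benign: user opened Excel
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "EXCEL.EXE /dde"},
    {"host": "ws03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /d C:\Users\Public\svc.exe"},
]

OFFICE_PARENTS = re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.I)
SCRIPT_HOSTS = re.compile(r"\\(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)\.exe$", re.I)
# Scheduled-task creation or a Run-key write, the two persistence methods listed above
PERSISTENCE = re.compile(r"(schtasks(\.exe)?\s+/create|reg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run)", re.I)
USER_WRITABLE = re.compile(r"(\\Users\\Public\\|\\AppData\\|\\Temp\\)", re.I)

def classify(event: dict) -> list[str]:
    """Return the ATT&CK tactics an event matches (empty list means no finding)."""
    hits = []
    if OFFICE_PARENTS.search(event["parent"]) and SCRIPT_HOSTS.search(event["image"]):
        hits.append("Execution: Office spawned script host")
    if PERSISTENCE.search(event["cmdline"]):
        tag = "Persistence: scheduled task or Run key"
        if USER_WRITABLE.search(event["cmdline"]):
            tag += " pointing at user-writable path"  # raises confidence
        hits.append(tag)
    return hits

def triage(events: list[dict]) -> dict[str, list[str]]:
    """Group findings per host so the analyst sees the chain, not isolated alerts."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for hit in classify(ev):
            findings.setdefault(ev["host"], []).append(hit)
    return findings

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, "->", hits)
```

In production the same logic belongs in a SIEM or EDR rule keyed on parent/child process relationships; the point here is that two matches on one host (Office-spawned script host plus a persistence write to a user-writable path) reproduce the first three tactics in the list above.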
---
## **🔹 Links to the Russian Government?** 🤔
- **U.S. Treasury sanctioned Evil Corp in 2019**, stating they operated with Russian intelligence's **tacit approval**.
- **Leader [[Maksim Yakubets]]** (hacker alias: **Aqua**) allegedly has **FSB ties** and even **worked on Russian government projects**.
- Despite sanctions, **Evil Corp continues operations under new ransomware names** ([[Hades]], [[LockBit]]).
---
## **🔹 Current Status & Recent Activity**
🔥 **Evil Corp is still active**, adapting to sanctions by **rebranding** their malware and collaborating with **LockBit & other ransomware groups**.