Wizard Spider

G0102 · Russia · MITRE ATT&CK

Also known as: UNC1878 · TEMP.MixMaster · Grim Spider · FIN12 · GOLD BLACKBURN · ITG23 · Periwinkle Tempest · DEV-0193 · Pistachio Tempest · DEV-0237

Overview

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.

Targets

Defense · Finance · Government · Healthcare · Telecommunications

Regions

Australia · Bahamas · Canada · Costa Rica · France · Germany · India · Ireland · Italy · Japan · Mexico · New Zealand · Spain · Switzerland · Taiwan · Ukraine · United Kingdom · United States

Capabilities

  • Custom malware/implant development — ATT&CK: 11 attributed custom malware families

TTPs — 64 techniques across 13 tactics

Resource Development

Initial Access

Execution

Defense Impairment

Credential Access

Collection

Command and Control

Tools & malware (22)

TrickBot · AdFind · BITSAdmin · SystemBC · BloodHound · Ping · Bazar · LaZagne · Nltest · GrimAgent · Dyre · Ryuk · Conti · Emotet · Rubeus · Mimikatz · Anchor · Diavol · Net · Empire · PsExec · Cobalt Strike

Reporting (3)