Wizard Spider
Essential information
- Confidence
- 100/100
- Published
- 16/12/2025 19:39
- Modified
- 04/05/2026 16:33
- Updated at
- 04/05/2026 16:33
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Resource level
- —
- Primary motivation
- —
- Related entities
- 76 attack patterns (mitre), 11 malware, 1 countries, 101 indicators, 11 tool
Aliases
TEMP.MixMaster Grim Spider GOLD BLACKBURN ITG23 Periwinkle Tempest DEV-0193 FIN12 UNC1878
Description
[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- CrowdStrike Wizard Spider October 2020
- Microsoft Threat Actor Naming July 2023
- CrowdStrike Grim Spider May 2019
- Secureworks Gold Blackburn Mar 2022
- Mandiant FIN12 Oct 2021
- FireEye KEGTAP SINGLEMALT October 2020
- Microsoft_PistachioTempest_Jan2024
- CrowdStrike Ryuk January 2019
- Mandiant FIN12 Oct 2021
- mitre-attack (G0102)
- DHS/CISA Ransomware Targeting Healthcare October 2020
- IBM X-Force ITG23 Oct 2021
- FireEye Ryuk and Trickbot January 2019