Skip to content

Latest commit

 

History

History
50 lines (42 loc) · 9.17 KB

README.md

File metadata and controls

50 lines (42 loc) · 9.17 KB

PRODAFT Threat Intelligence

This repository contains indicators of compromise (IOCs) of our various investigations.

Threat Actors

Avatars Threat Actors Description Motivation
ArcaneMantisImage ArcaneMantis Arcane Mantis (a.k.a. Vice Society, Rhysida) is a ransomware group that first appeared in the summer of 2021. Ransomware
CrypticSilverfishImage CrypticSilverfish Cryptic Silverfish, also known as Evil Corp, is a notorious Russian cybercriminal group active since at least 2007. Organized Crime
DiabolicLadybugImage DiabolicLadybug Diabolic Ladybug, also known as TA505, is a financially motivated cybercriminal group active since at least 2014, known for orchestrating large-scale malicious email campaigns to distribute various malware families. Financial Crime
ElysianMantisImage ElysianMantis Elysian Mantis, also known as Conti, was a ransomware group active from 2019 to 2022, known for operating a ransomware-as-a-service (RaaS) model.. Ransomware
LARVA-140Image LARVA-140 LARVA-140, also known as Brunhilda, is the threat actor behind the Brunhilda DaaS operation, an Android malware dropper targeting banking apps, cryptocurrency wallets, and social media platforms in specific regions. Criminal Service
LARVA-147Image LARVA-147 LARVA-147, also known as CryptoChameleon, UNK-12, or Perm, is a cybercriminal threat actor specializing in advanced phishing campaigns targeting cryptocurrency users and exchanges like Binance, Uphold, and Kraken. Criminal Service
LARVA-15Image LARVA-15 LARVA-15, also known as Wazawaka and identified as Mikhail Pavlovich Matveev, is a prominent cybercriminal linked to ransomware groups such as Monti, Ragnar Locker, NoEscape, and LockBit RaaS. Initial Access Broker
LARVA-17Image LARVA-17 LARVA-17, a.k.a. Adminko, is a threat actor behind a phishing email campaign first observed in 2020, targeting users in Europe. Financial Crime
LARVA-18Image LARVA-18 LARVA-18, publicly known as Tramp or TA577, is a prolific cybercrime threat actor tracked by cybersecurity researchers since mid-2020. Initial Access Broker
LARVA-208Image LARVA-208 LARVA-208, also known as "EncryptHub," is a cybercriminal threat actor specializing in highly sophisticated spear-phishing attacks. Initial Access Broker
LARVA-39Image LARVA-39 LARVA-39, also known as PTI-249, is the developer and maintainer of PcWebControl, a Remote Access Trojan (RAT) used by threat actors primarily for financial crimes and ransomware attacks. Criminal Service
LARVA-47Image LARVA-47 LARVA-47, commonly referred to as the RIG Exploit Kit operator, is a cybercriminal group that has been active since 2014. Initial Access Broker
LARVA-57Image LARVA-57 LARVA-57, also known as PTI-257, is a sub-group within the cybercrime organization Wizard Spider (Mystical Silverfish), known for deploying LockBit ransomware in high-profile attacks. Ransomware
MysticalSilverfishImage MysticalSilverfish Mystical Silverfish (a.k.a Wizard Spider) is a sophisticated and financially motivated cybercrime group, known for its deployment of the TrickBot malware and the highly destructive Ryuk and Conti ransomware. Organized Crime
PrimalSnailImage PrimalSnail Primal Snail, also known as Nomadic Octopus, is a Russian-speaking cyber espionage group active since at least 2014, primarily targeting Central Asian entities such as local governments, diplomatic missions, and individuals. Espionage
RuthlessMantisImage RuthlessMantis Ruthless Mantis, or PTI-288, is a ransomware group that employs double extortion by exfiltrating data before encrypting systems. They collaborate with numerous ransomware affiliate programs, such as Ragnar Locker, INC Ransom, and others, to enhance their operational reliability and expand their range of actions. Ransomware
SavageLadybugImage SavageLadybug Savage Ladybug (a.k.a. FIN7) is a sophisticated cybercriminal group notorious for targeting financial institutions, hospitality, and retail sectors. Financial Crime
TenaciousMantisImage TenaciousMantis Tenacious Mantis, also known as LockBit, is a highly prolific ransomware group that operates under a Ransomware-as-a-Service (RaaS) model, allowing affiliates to utilize the ransomware for launching attacks. Ransomware
TranquilWaspImage TranquilWasp Tranquil Wasp (also known as UNC1151) is a sophisticated, state-sponsored threat actor linked to Belarus, primarily known for its cyber espionage and disinformation campaigns, including the infamous Ghostwriter operations. State Sponsored
VeiledMantisImage VeiledMantis Veiled Mantis, also known as PYSA or Mespinoza, is a highly organized ransomware threat actor that primarily targets large organizations across sectors such as healthcare, education, and government. Ransomware

Malware

Name Description Type
FluBot FluBot is a mobile banking Trojan that primarily targets Android devices through SMS phishing (smishing) campaigns. It spreads by sending malicious text messages containing links to fake websites that trick users into downloading the malware. RAT
Gorilla Gorilla is an evolving Android malware that focuses on SMS interception and persistent C2 communication while avoiding permission restrictions and battery optimizations. It employs stealthy techniques and may introduce phishing or new persistence mechanisms in future versions. Stealer
Kurisu Kurisu is a malware known for targeting Windows systems. It operates by executing malicious payloads that has keylogger functionality, meaning it's created to spy on victims and capture everything they type. RAT
PlutoCrypt PlutoCrypt is a variant of CryptoJoker ransomware. The decryptor in this repository has been developed for PlutoCrypt - but with a small modification, it can also work for other CryptoJoker variants. Ransomware
RagnarLoader Ragnar Loader, also known as Sardonic, is a sophisticated toolkit of the Monstrous Mantis (a.k.a. Ragnar Locker) ransomware group, which has been inflicting targeted cyberattacks on organizations since its emergence in 2020. Ragnar Loader often referred to as the Ragnar Framework by its affiliates—plays an essential role by establishing persistent access to compromised systems and ensuring long-term fixation. Loader
ShadowRansomware Shadow ransomware is a custom-built ransomware that is written in the .NET platform. It is dubbed as shadow because of the extension of the encrypted files Ransomware
Solarmarker Solarmarker is a multi-stage, heavily obfuscated malware targeting thousands of victims globally. Developers changed several installation steps in time, such as the initial point of entry in MSI installation files, making this advanced persistent threat even more dangerous. Backdoor
AnubisBackdoor A Python-based backdoor used by the Savage Ladybug group is developed to provide remote access, execute commands, and steal data. It is obfuscated to avoid detection. Backdoor

Others

Name Description Type
Lucid The Lucid Phishing-as-a-Service (PhAAS) platform, developed by the XinXin group, facilitates large-scale phishing campaigns targeting global organizations, including postal and courier services. Utilizing advanced technologies like RCS and iMessage, the group employs automated tools and evasion techniques to bypass detection. Phishing-as-a-Service (PhAAS)
Private Encrypter Threat actors, including Cuba Ransomware group, Wizard Spider and others, are using a private encrypting service to evade AV detections. The system is designed explicitly for the Cobalt Strike beacons, making conducting reverse engineering on the samples challenging. Encrypter

Copyright © PRODAFT 2025