Financially Motivated36 malware familiesExploits CVEs in the wild

WIZARD SPIDER

Also known asConti Team 1DEV-0193DEV-0237FIN12G0102Gold BlackburnGold UlrickGrim SpiderITG23Periwinkle TempestPistachio TempestStorm-0230TEMP.MixMasterTrickbot gangUNC1878UNC2053WIZARD SPIDER

Wizard Spider is a financially motivated, Russia-based cybercrime threat actor associated with TrickBot and the Conti ransomware operation. Provided aliases include Conti Team One, DEV-0193, DEV-0237, FIN12, G0102, GOLD BLACKBURN, GOLD ULRICK, Grim Spider, ITG23, Periwinkle Tempest, Pistachio Tempest, Storm-0230, TEMP.MixMaster, TrickBot Gang, UNC1878, UNC2053, and Wizard Spider. The content states that Conti rebranded around May 2020 and appeared to merge with TrickBot/Wizard Spider by the end of 2021; after the Conti leaks, operators reportedly began winding down Conti by distributing activity across multiple ransomware operations. The actor is linked in the content to Ryuk and Conti ransomware deployment, and ANSSI states related operators have also been associated with Hive, BlackCat, Nokoyawa, Play, Royal, and possibly BlackCat. The group is described as using phishing to install TrickBot and BazarLoader, which provide remote access, followed by credential theft, lateral movement, data collection and exfiltration, and ransomware deployment. The content also links Wizard Spider-related activity to BazarCall distribution and to HTML smuggling campaigns delivering TrickBot. FIN12/DEV-0237 is described as specializing in rapid post-compromise ransomware deployment, primarily Ryuk, and as frequently targeting healthcare organizations; ANSSI linked this operating model to roughly 30 ransomware incidents in France between 2020 and 2023 and to the March 2023 CHU de Brest intrusion. Observed tradecraft in the provided content includes use of cmd.exe for command execution; macros to launch PowerShell downloaders; PowerShell for execution and lateral movement; WMI and LDAP queries for network discovery and lateral movement; batch scripts leveraging WMIC to deploy ransomware; scheduled tasks for persistence; Registry Run keys and Startup-folder shortcuts for persistence; collection of host configuration data via systeminfo and Get-ADComputer; exfiltration of domain credentials and network-enumeration data over C2; staging ZIP archives in local directories such as C:\PerfLogs\1\ and C:\User\1\ prior to exfiltration; file deletion for cleanup; disabling or uninstalling security tools; use of ipconfig for network configuration discovery; and RDP for lateral movement and interactive ransomware deployment. Tooling explicitly mentioned includes Empire, Cobalt Strike, Rubeus, AdFind, BloodHound, Metasploit, Advanced IP Scanner, Nirsoft PingInfoView, and SoftPerfect Network Scanner. The content also states Wizard Spider has used WMIC and vssadmin to delete volume shadow copies, and Conti ransomware to automate shadow copy deletion. The content further notes that Wizard Spider developed TrickBot and Conti, has been identified in Five Eyes reporting as a Russia-aligned cybercrime group, and has targeted sectors including healthcare, health, and education.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Materials
Government & Administration

Where they target

Geographies tied to known operations.

🇺🇸 United States
🇳🇴 Norway
🇳🇱 Netherlands

MITRE ATT&CK

Tradecraft

59 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics91 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

2 techniques

T1583

Acquire Infrastructure

T1583.001

Domains

T1583.003

Virtual Private Server

T1588

Obtain Capabilities

T1588.002

Tool

TA0001

Initial Access

4 techniques

T1078×3

Valid Accounts

T1133

External Remote Services

T1190×2

Exploit Public-Facing Application

T1566

Phishing

T1566.001×2

Spearphishing Attachment

T1566.002×2

Spearphishing Link

TA0002

Execution

5 techniques

T1047×2

Windows Management Instrumentation

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1059

Command and Scripting Interpreter

T1059.001×3

PowerShell

T1059.003×3

Windows Command Shell

T1059.005×2

Visual Basic

T1059.007

JavaScript

T1197

BITS Jobs

T1204

User Execution

TA0003

Persistence

9 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1078×3

Valid Accounts

T1098

Account Manipulation

T1112×3

Modify Registry

T1133

External Remote Services

T1136

Create Account

T1197

BITS Jobs

T1547×2

Boot or Logon Autostart Execution

T1547.001×3

Registry Run Keys / Startup Folder

T1556

Modify Authentication Process

T1556.001

Domain Controller Authentication

TA0004

Privilege Escalation

6 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1055×2

Process Injection

T1078×3

Valid Accounts

T1098

Account Manipulation

T1484

Domain or Tenant Policy Modification

T1484.001

Group Policy Modification

T1547×2

Boot or Logon Autostart Execution

T1547.001×3

Registry Run Keys / Startup Folder

TA0005

Stealth

5 techniques

T1027

Obfuscated Files or Information

T1027.002

Software Packing

T1055×2

Process Injection

T1070×2

Indicator Removal

T1070.004×3

File Deletion

T1078×3

Valid Accounts

T1197

BITS Jobs

TA0112

Defense Impairment

4 techniques

T1112×3

Modify Registry

T1484

Domain or Tenant Policy Modification

T1484.001

Group Policy Modification

T1553

Subvert Trust Controls

T1553.002

Code Signing

T1556

Modify Authentication Process

T1556.001

Domain Controller Authentication

TA0006

Credential Access

4 techniques

T1003

OS Credential Dumping

T1003.001

LSASS Memory

T1003.003

NTDS

T1555

Credentials from Password Stores

T1555.003

Credentials from Web Browsers

T1556

Modify Authentication Process

T1556.001

Domain Controller Authentication

T1558

Steal or Forge Kerberos Tickets

T1558.003

Kerberoasting

TA0007

Discovery

5 techniques

T1018×2

Remote System Discovery

T1069

Permission Groups Discovery

T1069.002

Domain Groups

T1082

System Information Discovery

T1087

Account Discovery

T1482

Domain Trust Discovery

TA0008

Lateral Movement

3 techniques

T1021

Remote Services

T1021.001×2

Remote Desktop Protocol

T1021.002

SMB/Windows Admin Shares

T1021.003

Distributed Component Object Model

T1550

Use Alternate Authentication Material

T1550.002

Pass the Hash

T1570×2

Lateral Tool Transfer

TA0009

Collection

3 techniques

T1005×2

Data from Local System

T1074×3

Data Staged

T1560

Archive Collected Data

TA0011

Command and Control

4 techniques

T1071

Application Layer Protocol

T1071.001×2

Web Protocols

T1090

Proxy

T1105×2

Ingress Tool Transfer

T1219×2

Remote Access Tools

TA0010

Exfiltration

2 techniques

T1041×4

Exfiltration Over C2 Channel

T1567

Exfiltration Over Web Service

T1567.002×2

Exfiltration to Cloud Storage

TA0040

Impact

2 techniques

T1486×6

Data Encrypted for Impact

T1490×3

Inhibit System Recovery

ARSENAL

Associated malware families

36 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

TrickBotThe crypto-locking malware first emerged around the middle of 2018 and seemed to have its heyday largely in 2019, before rebranding as Conti around May 2020, and appearing to merge with TrickBot - aka Wizard Spider - by the end of 2021.20May 31, 2026

ContiThe crypto-locking malware first emerged around the middle of 2018 and seemed to have its heyday largely in 2019, before rebranding as Conti around May 2020, and appearing to merge with TrickBot - aka Wizard Spider - by the end of 2021.13May 31, 2026

Cobalt StrikeAPT29 has obtained and used a variety of tools including Mimikatz, SDelete, Tor, meek, and Cobalt Strike.9May 26, 2026

RyukThe FBI has accused them of hacking into numerous organizations from March 2019 through September 2020, and installing Ryuk ransomware on servers and workstations.8May 31, 2026

BazarLoaderAfter a break in FIN12 activity from late March 2020 to late August 2020, FIN12 resumed operations shifting their reliance for initial access away from TRICKBOT to BAZARLOADER malware in September 2020.5May 26, 2026

31 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

17 CVEs this actor has used in observed campaigns. 17 of them exploited in the wild.

CVE-2020-1472ZerologonIn the wildEvidence3

Afin de se latéraliser, les opérateurs du MOA ont tenté, sans succès, d’exploiter les vulnérabilités PrintNightmare (CVE-2021-34527), BlueKeep (CVE-2019-0708), puis ZeroLogon (CVE-2020-1472) via l’outil Mimikatz.

CVE-2021-40444Microsoft MSHTML Remote Code Execution VulnerabilityIn the wildEvidence2

DEV-0193 infrastructure has also been implicated in attacks deploying novel techniques, including exploitation of CVE-2021-40444.

CVE-2022-41082ProxyNotShell RCE in Microsoft Exchange Server PowerShellIn the wildEvidence2

De plus, grâce à des liens d’infrastructure, l’ANSSI a pu rattacher au même MOA plusieurs exploitations de la vulnérabilité ProxyNotShell (CVE-2022-41080 et CVE-2022-41082) ayant mené au déploiement de Play.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2017-0144EternalBlue SMBv1 Remote Code Execution in Microsoft WindowsIn the wildEvidence1

Ember Bear has used exploits for vulnerabilities such as MS17-010, also known as Eternal Blue, during operations.

12 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

287 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

287 IOCsView more in app

Domains

152 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+144

ip.v4

78 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+70

uri

25 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+17

hash.sha256

13 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+5

hash.md5

12 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+4

hash.sha1

6 total

•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

splunk researchNews

Apr 22, 2026

Detection: PowerShell PInvoke Process Injection API Chain | Splunk Security Content

Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.

splunk researchNews

Apr 20, 2026

Detection: PowerShell Environment Variable Execution | Splunk Security Content

Listed as a threat actor associated with PowerShell execution behavior relevant to this detection analytic.

splunk researchNews

Apr 16, 2026

Detection: Windows Anomalous Registry Value Length in Environment Key | Splunk Security Content

Referenced as a threat actor associated with registry modification behavior (MITRE ATT&CK T1112: Modify Registry) in the context of this detection analytic.

splunk researchNews

Apr 15, 2026

Detection: MacOS Network Share Discovery | Splunk Security Content

Referenced as a threat actor associated with the Network Share Discovery technique (T1135).

+196 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping59

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal36

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs17

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables287

Domains, IPs, and hashes tied to this actor, refreshed continuously.