Payload.bin is a ransomware variant associated with the financially motivated cybercrime group GOLD DRAKE, also known as Evil Corp. The provided content states that after U.S. Treasury sanctions in 2019, Evil Corp shifted from earlier ransomware families and began using variants including WastedLocker, Hades, Phoenix CryptoLocker, and Payload.bin. This shift was accompanied by changes in tooling and intrusion tradecraft intended to reduce attribution and make victims less aware they were paying Evil Corp. The content does not provide specific technical details on Payload.bin’s encryption behavior, infection chain, targeted sectors, or unique indicators of compromise, but it places the malware within Evil Corp’s broader post-2019 ransomware operations.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"...shifted to using ransomware variants such as ... Payload.bin."
7 distinct techniques documented for this family, organized by ATT&CK tactic.
calls STS GetCallerIdentity / AssumeRole, and enumerates Secrets Manager (ListSecrets / GetSecretValue) across 16+ regions | npm: validates tokens through /-/whoami and enumerates publish access through /-/npm/v1/tokens... Stolen npm publish tokens enable downstream supply-chain pivoting
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.