Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
Financially Motivated36 malware familiesExploits CVEs in the wild

WIZARD SPIDER

Also known asConti Team 1DEV-0193DEV-0237FIN12G0102Gold BlackburnGold UlrickGrim SpiderITG23Periwinkle TempestPistachio TempestStorm-0230TEMP.MixMasterTrickbot gangUNC1878UNC2053WIZARD SPIDER

Wizard Spider is a financially motivated cybercriminal threat actor associated in the provided content with TrickBot and later Conti-related operations. Known aliases in the content include Conti Team 1, DEV-0193, DEV-0237, FIN12, G0102, GOLD BLACKBURN, GOLD ULRICK, Grim Spider, ITG23, Periwinkle Tempest, Pistachio Tempest, Storm-0230, TEMP.MixMaster, TrickBot Gang, UNC1878, and UNC2053. The content also notes overlap between GOLD ULRICK as the operator of Conti ransomware and GOLD BLACKBURN as the operator of TrickBot, and states that Conti appeared to merge with TrickBot, aka Wizard Spider, by the end of 2021. FIN12 is described as a financially motivated group active since at least October 2018 that specializes in post-compromise deployment of Ryuk ransomware. The actor is linked in the content to TrickBot, Ryuk, Conti, Bazar, Emotet, and Bokbot delivery or deployment chains. The content states that Wizard Spider installed TrickBot as a Windows service named ControlServiceA for persistence, used spearphishing attachments containing macros to lure victims into downloading Emotet, Bokbot, TrickBot, or Bazar, and used PowerShell for command execution. It is also associated with HTTP network communications. Post-compromise behavior directly attributed in the content includes use of whoami to identify the local user and privileges; ipconfig to identify victim network configuration; PowerShell Get-ADComputer to collect IP address data and account names from Active Directory; and net group "Domain admins" /DOMAIN to identify domain administrators. The content also states that Wizard Spider has used WMIC and vssadmin to manually delete volume shadow copies, and has used Conti ransomware to automatically delete volume shadow copies with vssadmin. Additional ATT&CK-related annotations in the content associate Wizard Spider with PowerShell execution, remote services, impair defenses, exploitation for privilege escalation, and Windows service persistence/installation. The content further references a possible infrastructure link to an ex-Conti sysadmin and former Conti technical lead known as Bentley, raising a possible connection to Wizard Spider, but this is presented only as a suggested link rather than a confirmed attribution.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

57 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics88 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
2 techniques
T1583
Acquire Infrastructure
T1583.001
Domains
T1583.003
Virtual Private Server
T1588
Obtain Capabilities
T1588.002
Tool
TA0001
Initial Access
4 techniques
T1078×3
Valid Accounts
T1133
External Remote Services
T1190×3
Exploit Public-Facing Application
T1566
Phishing
T1566.001×3
Spearphishing Attachment
T1566.002×2
Spearphishing Link
TA0002
Execution
4 techniques
T1047×2
Windows Management Instrumentation
T1053
Scheduled Task/Job
T1053.005×2
Scheduled Task
T1059
Command and Scripting Interpreter
T1059.001×3
PowerShell
T1059.003×2
Windows Command Shell
T1059.005×2
Visual Basic
T1204
User Execution
T1204.002
Malicious File
TA0003
Persistence
8 techniques
T1053
Scheduled Task/Job
T1053.005×2
Scheduled Task
T1078×3
Valid Accounts
T1098
Account Manipulation
T1112×2
Modify Registry
T1133
External Remote Services
T1543
Create or Modify System Process
T1543.003×2
Windows Service
T1547×2
Boot or Logon Autostart Execution
T1547.001×2
Registry Run Keys / Startup Folder
T1556
Modify Authentication Process
T1556.001
Domain Controller Authentication
TA0004
Privilege Escalation
7 techniques
T1053
Scheduled Task/Job
T1053.005×2
Scheduled Task
T1055×2
Process Injection
T1078×3
Valid Accounts
T1098
Account Manipulation
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
T1543
Create or Modify System Process
T1543.003×2
Windows Service
T1547×2
Boot or Logon Autostart Execution
T1547.001×2
Registry Run Keys / Startup Folder
TA0005
Stealth
3 techniques
T1055×2
Process Injection
T1070×2
Indicator Removal
T1070.004×3
File Deletion
T1078×3
Valid Accounts
TA0112
Defense Impairment
3 techniques
T1112×2
Modify Registry
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
T1556
Modify Authentication Process
T1556.001
Domain Controller Authentication
TA0006
Credential Access
4 techniques
T1003
OS Credential Dumping
T1003.001
LSASS Memory
T1555
Credentials from Password Stores
T1555.003
Credentials from Web Browsers
T1556
Modify Authentication Process
T1556.001
Domain Controller Authentication
T1558
Steal or Forge Kerberos Tickets
T1558.003
Kerberoasting
TA0007
Discovery
7 techniques
T1016
System Network Configuration Discovery
T1018×3
Remote System Discovery
T1033
System Owner/User Discovery
T1069
Permission Groups Discovery
T1069.002
Domain Groups
T1082
System Information Discovery
T1087
Account Discovery
T1087.002
Domain Account
T1482
Domain Trust Discovery
TA0008
Lateral Movement
3 techniques
T1021×2
Remote Services
T1021.001
Remote Desktop Protocol
T1021.003
Distributed Component Object Model
T1550
Use Alternate Authentication Material
T1550.002
Pass the Hash
T1570×2
Lateral Tool Transfer
TA0009
Collection
3 techniques
T1005×3
Data from Local System
T1074×2
Data Staged
T1560
Archive Collected Data
TA0011
Command and Control
4 techniques
T1071
Application Layer Protocol
T1071.001×3
Web Protocols
T1090
Proxy
T1105
Ingress Tool Transfer
T1219×2
Remote Access Tools
TA0010
Exfiltration
2 techniques
T1041×4
Exfiltration Over C2 Channel
T1567
Exfiltration Over Web Service
T1567.002
Exfiltration to Cloud Storage
TA0040
Impact
2 techniques
T1486×7
Data Encrypted for Impact
T1490×3
Inhibit System Recovery
ARSENAL

Associated malware families

36 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
TrickBotTrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots. Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.20Jun 14, 2026
ContiThe crypto-locking malware first emerged around the middle of 2018 and seemed to have its heyday largely in 2019, before rebranding as Conti around May 2020, and appearing to merge with TrickBot - aka Wizard Spider - by the end of 2021.13May 31, 2026
Cobalt StrikeAPT29 has obtained and used a variety of tools including Mimikatz, SDelete, Tor, meek, and Cobalt Strike.9May 26, 2026
RyukExample 8 — Pivot from malware to infrastructure You found a Ryuk ransomware sample (SHA256 hash).7Jun 16, 2026
BazarLoaderAfter a break in FIN12 activity from late March 2020 to late August 2020, FIN12 resumed operations shifting their reliance for initial access away from TRICKBOT to BAZARLOADER malware in September 2020.5May 26, 2026

31 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

17 CVEs this actor has used in observed campaigns. 17 of them exploited in the wild.

CVE-2020-1472Zerologon in Microsoft Netlogon Remote ProtocolIn the wildEvidence3

Afin de se latéraliser, les opérateurs du MOA ont tenté, sans succès, d’exploiter les vulnérabilités PrintNightmare (CVE-2021-34527), BlueKeep (CVE-2019-0708), puis ZeroLogon (CVE-2020-1472) via l’outil Mimikatz.

CVE-2021-40444Microsoft MSHTML Remote Code Execution VulnerabilityIn the wildEvidence2

DEV-0193 infrastructure has also been implicated in attacks deploying novel techniques, including exploitation of CVE-2021-40444.

CVE-2022-41082ProxyNotShell RCE in Microsoft Exchange ServerIn the wildEvidence2

De plus, grâce à des liens d’infrastructure, l’ANSSI a pu rattacher au même MOA plusieurs exploitations de la vulnérabilité ProxyNotShell (CVE-2022-41080 et CVE-2022-41082) ayant mené au déploiement de Play.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2017-0144EternalBlue SMBv1 Remote Code ExecutionIn the wildEvidence1

Ember Bear has used exploits for vulnerabilities such as MS17-010, also known as Eternal Blue, during operations.

12 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

396 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

396 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
infosec writeupsNews
Jun 16, 2026
The Intelligent Shield. OpenCTI. Beyond Ingestion Subtitle: Deploying… | by Andrey Pautov | May, 2026 | InfoSec Write-ups

Referenced as the threat actor associated with Ryuk ransomware in an example malware-to-infrastructure pivot workflow.

Read more
splunk researchNews
Jun 14, 2026
Detection: PTC Windchill Gateway Command Execution | Splunk Security Content

Listed as an associated threat actor in the detection annotation for exploitation of the public-facing PTC Windchill vulnerability CVE-2026-4681.

Read more
splunk researchNews
May 20, 2026
Detection: Cisco IOS XE VTY Access Class Tampering | Splunk Security Content

Referenced in annotations associated with remote services, lateral movement, and impair defenses tactics, but no specific campaign details are provided in the content.

Read more
splunk researchNews
May 18, 2026
Detection: Windows Cloud Files Filter Loaded by Uncommon Process | Splunk Security Content

Listed as an associated threat actor for exploitation activity related to abuse of the Windows Cloud Files API / cldapi.dll detection.

Read more
+196 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping57

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal36

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs17

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables396

Domains, IPs, and hashes tied to this actor, refreshed continuously.