SCULLY SPIDER
SCULLY SPIDER is a Russia-based eCrime adversary tracked by CrowdStrike and associated with the DanaBot malware operation. CrowdStrike describes SCULLY SPIDER as a cybercrime group operating a malware-as-a-service model: it maintains the command-and-control infrastructure and sells access to its malware and infrastructure to affiliates, who then distribute their own malware. The group is identified as the operator of DanaBot, which debuted in 2018 as a banking trojan and evolved into a modular platform used for credential theft, credit card theft, wire fraud, keystroke logging, screen recording, hidden VNC access, exfiltration of cryptocurrency-related files, and later distribution of other malware families.

SCULLY SPIDER initially targeted victims in Ukraine, Poland, Italy, Germany, Austria, and Australia, and later expanded to target U.S.- and Canada-based financial institutions. CrowdStrike reporting states that DanaBot was also distributed through the 2021 compromises of the NPM packages ua-parser-js and coa, affecting organizations across the transportation, media, technology, and financial services sectors.

DanaBot sub-botnet 5 was tasked in March 2022 to support HTTP-based DDoS attacks against Ukrainian government targets, including the Ukrainian Ministry of Defence webmail server and the National Security and Defense Council of Ukraine. The DOJ indictment referenced in that reporting also revealed that DanaBot sub-botnets 24 and 25 were used for espionage. SCULLY SPIDER is therefore characterized as more than a purely financially motivated criminal group: CrowdStrike assessed that the group benefited from Russian state tolerance and that DanaBot activity aligned with Russian government interests, specifically citing support for Russian military objectives in 2022 and the use of DanaBot sub-botnets for espionage.

SCULLY SPIDER is also listed in Five Eyes and related reporting as a Russian-aligned cybercrime group that may pose a threat to critical infrastructure organizations. No additional aliases or sub-groups beyond the name SCULLY SPIDER are provided in the available reporting.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Transportation
- Financial Services
- Software & Services
- Media & Entertainment
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇺🇦 Ukraine
- 🇵🇱 Poland
- 🇮🇹 Italy
- 🇩🇪 Germany
- 🇦🇹 Austria
- 🇦🇺 Australia
- 🇺🇸 United States
- 🇨🇦 Canada
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
10 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
- Named threat actor referenced in global threat reporting.
- Russian cybercriminal group highlighted in the alert as part of the broader Russian cyber threat landscape.
- Russian cybercrime group named in the alert as a threat to foreign targets and critical infrastructure.