EvilCorp

Also known as: evilcorp

EvilCorp is a financially motivated cybercriminal threat actor with reported connections to the Russian government. It is sanctioned by the U.S. Treasury, including in relation to ransom payments. Reporting associates the group with ransomware and initial-access activity, including attribution of the WastedLocker ransomware to EvilCorp. DoppelPaymer is reported to have evolved from EvilCorp, and Grief is an offshoot of DoppelPaymer, which links those groups by lineage.

The actor is tracked under several aliases and related cluster names, including UNC2165, Indrik Spider, and Microsoft's Manatee Tempest / DEV-0243. UNC2165 is described as associated with or closely linked to EvilCorp. Reporting links UNC2165 to the ViperTunnel Python backdoor, which is often deployed after FAKEUPDATES/SocGholish infections; it establishes persistent access, creates a SOCKS5 proxy over port 443, and is often used together with the ShadowCoil credential stealer. SocGholish is also described as a key initial-access vector for ransomware groups linked to EvilCorp and has delivered follow-on tooling such as Cobalt Strike, NetSupport, and WastedLocker.

Mandiant has associated EvilCorp with the use of LockBit ransomware in some attacks, and EvilCorp allegedly used LockBit without LockBit's consent in order to evade sanctions. Additional reporting notes alleged ties or associations between EvilCorp and other major criminal ecosystems or actors, including FIN7, Wizard Spider, and possibly Mikhail Matveev (Wazawaka). Public reporting also notes that members of groups like EvilCorp have flaunted their wealth openly in Moscow.


MITRE ATT&CK tradecraft

7 distinct techniques observed across reporting, grouped by tactic (5 of 15 tactics covered). Where a technique carries a count, it is the number of intelligence reports citing that technique; techniques without a count were cited without a report count shown.

TA0001 Initial Access (1 technique)
  T1189 Drive-by Compromise (cited in 2 reports)

TA0005 Stealth [MITRE name: Defense Evasion] (2 techniques)
  T1027 Obfuscated Files or Information
  T1036 Masquerading

TA0011 Command and Control (2 techniques)
  T1090 Proxy (cited in 2 reports)
  T1105 Ingress Tool Transfer

TA0010 Exfiltration (1 technique)
  T1041 Exfiltration Over C2 Channel

TA0040 Impact (1 technique)
  T1486 Data Encrypted for Impact
What this page doesn't show

This page covers only public reporting. Mallory additionally provides the following for this actor:

Target overlap: sector, geography, and tech-stack targeting matched against your real footprint.

Tradecraft mapping (7): every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (8): families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs: CVEs this actor has used in known campaigns.

Detection signatures: YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables: domains, IPs, and hashes tied to this actor, refreshed continuously.