Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
Financially Motivated1 malware family

Blind Spider

Also known asBLIND SPIDER

Blind Spider is a financially motivated threat actor tracked by CrowdStrike and identified as one of six major operators either based in Latin America or primarily focused on targets in the region, alongside Ocular Spider, Odyssey Spider, Plump Spider, Samba Spider, and Squab Spider. The content also states Blind Spider is also known as Blind Eagle. CrowdStrike included Blind Spider among threat actors that have leveraged AI in their operations. The available content does not provide high-confidence detail on Blind Spider’s specific tactics, techniques, or malware beyond noting that Sophos initially considered whether HeartCrypt activity might be attributable to Blind Spider because of some geographic overlap, but ultimately concluded the HeartCrypt campaigns reflected multiple different threat actors and found enough differences in payloads, injection mechanisms, and targeted locations to distinguish that activity from CrowdStrike’s Blind Spider cluster.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇨🇴 Colombia
MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics3 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1566
Phishing
T1566.002
Spearphishing Link
TA0005
Stealth
1 technique
T1036
Masquerading
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
HeartCryptWe ultimately concluded that these cases were all connected to what has come to be known as the HeartCrypt packer-as-a-service (PaaS) operation.2Jun 14, 2026
IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

1 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
the hacker newsNews
Feb 26, 2026
ThreatsDay Bulletin: Kali Linux + Claude, Chrome Crash Traps, WinRAR Flaws, LockBit & 15+ Stories

Referenced as leveraging AI in operations (no additional operational details provided in the content).

Read more
dark readingNews
May 21, 2025
Pandas Galore: Chinese Hackers Boost Attacks in Latin America

Financially motivated criminal activity cluster identified as a major operator in Latin America; described as based in LATAM or primarily focused on targets in the region.

Read more
sophos threat researchNews
Jan 20, 2025
HeartCrypt’s wholesale impersonation effort | SOPHOS

Referenced as a possible but ultimately unconfirmed affiliate or user of the HeartCrypt packer-as-a-service operation, with geographic overlap in targeting, particularly Colombia.

Read more
sophos threat researchNews
Jan 20, 2025
HeartCrypt’s wholesale impersonation effort | SOPHOS

Referenced as a distinct threat actor initially suspected of being behind HeartCrypt-related activity due to geographic target overlap, but the article concludes the broader HeartCrypt activity involved multiple threat actors rather than Blind Spider alone.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables1

Domains, IPs, and hashes tied to this actor, refreshed continuously.