Wizard Spider · G0102 · state
🇷🇺 RU
aka Wizard Spider, UNC1878, TEMP.MixMaster, Grim Spider, FIN12, GOLD BLACKBURN, ITG23, Periwinkle Tempest, DEV-0193, Pistachio Tempest, DEV-0237
Last updated: 2026-07-03
About this actor
[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2026-20929 | 5.5 | 7.5 | 0.0114 | 2026-01-13 | see CVE |

T1003 T1003.001 T1003.002 T1003.003 T1005 T1016 T1018 T1021 T1021.001 T1021.002 T1021.006 T1027 T1027.010 T1033 T1036 T1036.004 T1041 T1047 T1048 T1048.003 T1053 T1053.005 T1055 T1055.001 T1059 T1059.001 T1059.003 T1070 T1070.004 T1071 T1071.001 T1074 T1074.001 T1078 T1078.002 T1082 T1087 T1087.002 T1105 T1112 T1133 T1135 T1136 T1136.001 T1136.002 T1197 T1204 T1204.001 T1204.002 T1210 T1218 T1218.011 T1222 T1222.001 T1489 T1490 T1518 T1518.001 T1518.002 T1543 T1543.003 T1547 T1547.001 T1547.004 T1550 T1550.002 T1552 T1552.006 T1553 T1553.002 T1555 T1555.004 T1557 T1557.001 T1558 T1558.003 T1560 T1560.001 T1566 T1566.001 T1566.002 T1567 T1567.002 T1569 T1569.002 T1570 T1585 T1585.002 T1588 T1588.002 T1588.003 T1685
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 68 / 92 | 74% |
| CM-6 | 61 / 92 | 66% |
| AC-3 | 52 / 92 | 57% |
| AC-6 | 51 / 92 | 55% |
| AC-2 | 48 / 92 | 52% |
| CM-2 | 48 / 92 | 52% |
| CM-7 | 45 / 92 | 49% |
| SI-3 | 42 / 92 | 46% |
| CA-7 | 40 / 92 | 43% |
| AC-5 | 38 / 92 | 41% |
| IA-2 | 38 / 92 | 41% |
| CM-5 | 37 / 92 | 40% |
| SC-7 | 33 / 92 | 36% |
| SI-7 | 32 / 92 | 35% |
| AC-4 | 30 / 92 | 33% |
Co-occurring actors
- Mustang Panda: 1 shared CVE
- SolarWinds Compromise: 1 shared CVE
- APT38: 1 shared CVE
- Tonto Team: 1 shared CVE
- Ember Bear: 1 shared CVE
- GOLD SOUTHFIELD: 1 shared CVE
- Aquatic Panda: 1 shared CVE
- APT28: 1 shared CVE
- Sandworm Team: 1 shared CVE
- Ajax Security Team: 1 shared CVE
Similar actors
Similar TTPs
- FIN8 0.40
- APT32 0.38
- APT41 0.38
- Operation Wocao 0.36
- FIN6 0.36
Active in same years
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
- C0027 1.00
- SharePoint ToolShell Exploitation 1.00
- Ke3chang 1.00
Same nation-state
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00