Cyber Resilience

Indrik Spider · G0119 · state

🇷🇺 RU

aka Indrik Spider, Evil Corp, Manatee Tempest, DEV-0243, UNC2165

Last updated: 2026-07-03

- 1 attributed CVEs
- 47 ATT&CK techniques
- 1.2 IDF score (tooling uniqueness)
- 0 exclusive CVEs
- 2026 years active

About this actor

[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://attack.mitre.org/groups/G0119) changed their tactics and diversified their toolset. (Citation: Crowdstrike Indrik November 2018) (Citation: Crowdstrike EvilCorp March 2021) (Citation: Treasury EvilCorp Dec 2019)

Source: MITRE ATT&CK

Profile

| CVE | Risk | CVSS | EPSS | Published | Products |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-20929 | 5.5 | 7.5 | 0.0114 | 2026-01-13 | see CVE |

Mitigating controls (NIST 800-53)

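| Control | Techniques covered | Coverage |
| --- | --- | --- |
| SI-4 | 31 / 47 | 66% |
| AC-6 | 28 / 47 | 60% |
| CM-6 | 28 / 47 | 60% |
| AC-3 | 27 / 47 | 57% |
| AC-2 | 26 / 47 | 55% |
| CM-2 | 24 / 47 | 51% |
| AC-5 | 20 / 47 | 43% |
| IA-2 | 20 / 47 | 43% |
| CA-7 | 19 / 47 | 40% |
| CM-7 | 19 / 47 | 40% |
| SI-7 | 19 / 47 | 40% |
| CM-5 | 18 / 47 | 38% |
| SI-3 | 18 / 47 | 38% |
| IA-5 | 15 / 47 | 32% |
| AC-4 | 13 / 47 | 28% |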
