Indrik Spider (G0119) state
🇷🇺 RU
aka Indrik Spider, Evil Corp, Manatee Tempest, DEV-0243, UNC2165
Last updated: 2026-07-03
About this actor
[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware. Following U.S. sanctions and an indictment in 2019, [Indrik Spider](https://attack.mitre.org/groups/G0119) changed their tactics and diversified their toolset. (Citation: Crowdstrike Indrik November 2018) (Citation: Crowdstrike EvilCorp March 2021) (Citation: Treasury EvilCorp Dec 2019)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2026-20929 | 5.5 | 7.5 | 0.0114 | 2026-01-13 | see CVE |

T1003, T1003.001, T1007, T1012, T1018, T1021, T1021.001, T1021.004, T1036, T1036.005, T1047, T1059, T1059.001, T1059.003, T1059.007, T1074, T1074.001, T1078, T1078.002, T1105, T1112, T1136, T1136.001, T1204, T1204.002, T1484, T1484.001, T1486, T1489, T1552, T1552.001, T1555, T1555.005, T1558, T1558.003, T1567, T1567.002, T1583, T1584, T1584.004, T1585, T1585.002, T1587, T1587.001, T1590, T1685, T1685.005
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 31 / 47 | 66% |
| AC-6 | 28 / 47 | 60% |
| CM-6 | 28 / 47 | 60% |
| AC-3 | 27 / 47 | 57% |
| AC-2 | 26 / 47 | 55% |
| CM-2 | 24 / 47 | 51% |
| AC-5 | 20 / 47 | 43% |
| IA-2 | 20 / 47 | 43% |
| CA-7 | 19 / 47 | 40% |
| CM-7 | 19 / 47 | 40% |
| SI-7 | 19 / 47 | 40% |
| CM-5 | 18 / 47 | 38% |
| SI-3 | 18 / 47 | 38% |
| IA-5 | 15 / 47 | 32% |
| AC-4 | 13 / 47 | 28% |
Co-occurring actors
- Mustang Panda: 1 shared CVE
- SolarWinds Compromise: 1 shared CVE
- APT38: 1 shared CVE
- Tonto Team: 1 shared CVE
- Ember Bear: 1 shared CVE
- GOLD SOUTHFIELD: 1 shared CVE
- Aquatic Panda: 1 shared CVE
- APT28: 1 shared CVE
- Sandworm Team: 1 shared CVE
- Ajax Security Team: 1 shared CVE
Similar actors
Similar TTPs
- Wizard Spider 0.28
- Operation Wocao 0.27
- Fox Kitten 0.26
- APT5 0.25
- SharePoint ToolShell Exploitation 0.25
Active in same years
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
- C0027 1.00
- SharePoint ToolShell Exploitation 1.00
- Ke3chang 1.00
Same nation-state
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00