Evil Corp / Indrik Spider: Threat Actor Profile
Evil Corp is the rare criminal organization that evolved from the Dridex banking trojan to enterprise ransomware — stealing $100M+ — and then survived U.S. sanctions by repeatedly rebranding. A full profile.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.
Evil Corp is the rare criminal organization that successfully evolved from banking malware to enterprise ransomware without abandoning its core monetization DNA. The U.S. Treasury said its Dridex operations alone generated at least $100 million and likely much more.
Evil Corp: at a glance
- Aliases: Evil Corp, Indrik Spider, Manatee Tempest, DEV-0243, UNC2165
- Country / affiliation: Russia-based cybercrime ecosystem
- Assessed status (as of July 2026): Active / evolved
- Primary objectives: Banking theft, enterprise ransomware, extortion, and credential theft
- Financial destruction / gain: At least $100 million from Dridex alone, with the U.S. Treasury saying the true total is likely significantly higher
- Type: Financially motivated cybercrime syndicate
Who is Evil Corp?
MITRE tracks Indrik Spider — a closely related, overlapping cluster — as having started with Dridex and then moved into BitPaymer, WastedLocker, and Hades after 2017, changing tactics after 2019 sanctions and indictments. The best 2026 assessment is not 'gone,' but 'adapted and fragmented.'
Aliases and attribution
Evil Corp and Indrik Spider are overlapping labels for the same Russia-based threat actor nexus. After the U.S. sanctioned the group in 2019 — making ransom payments to it legally risky — it repeatedly rebranded through affiliates and variants such as UNC2165, WastedLocker, and Hades to evade the restrictions, a defining example of how sanctioned actors persist.
Financial impact and damage
The Treasury attributed at least $100 million in theft from banks and financial institutions to Dridex, and assessed the true total as significantly higher. The 2019 sanctions were notable for targeting a cybercrime group directly and naming its alleged leadership; Evil Corp's subsequent rebrands were largely designed to keep ransoms flowing despite the legal exposure sanctions created for victims.
Evil Corp timeline
- 2014: Dridex-era banking-trojan growth
- 2017: Shift into BitPaymer-style enterprise ransomware
- 2019: U.S. Treasury sanctions and indictments name the group
- 2020s: WastedLocker and Hades-era evolution and rebrands (e.g., UNC2165)
Notable attacks and campaigns
Dridex was one of the most damaging banking trojans of the 2010s, stealing credentials to drain accounts. After 2019 sanctions, Evil Corp pivoted to enterprise ransomware (BitPaymer, WastedLocker, Hades) and cycled through affiliate names specifically to obscure attribution and let victims pay without obviously breaching sanctions.
Tactics, techniques, and procedures (TTPs)
The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.
- T1583 — Acquire Infrastructure: Indrik Spider purchased victim VPN access from initial-access brokers. Tighten third-party remote access, MFA, and impossible-travel/unusual-ASN detection.
- T1567.002 — Exfiltration to Cloud Storage: Indrik Spider exfiltrated with Rclone or MEGASync before ransomware. Detect unsanctioned cloud-sync tools on servers and admin hosts.
- T1486 — Data Encrypted for Impact: The group deploys BitPaymer and WastedLocker. Monitor staged archives followed by PsExec / service-stop / encryption workflows.
Detection and defense against Evil Corp
Evil Corp buys access and exfiltrates before encrypting, so identity and egress controls matter most:
- Tighten third-party remote/VPN access with MFA and unusual-ASN / impossible-travel detection.
- Detect unsanctioned cloud-sync tools (Rclone, MEGASync) on servers and admin hosts.
- Constrain scripting (PowerShell Empire, batch, JavaScript) and alert on multi-language script abuse.
- Monitor for PsExec-driven service-stop-then-encrypt workflows.
- Remember that paying sanctioned actors like Evil Corp can carry legal risk — plan incident response accordingly.
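The two telemetry-driven items above (cloud-sync tools on servers, service stops followed by PsExec-launched processes) can be expressed as simple rules over process-creation events. The block below is an added example, not code from the page or its sources; the event tuples, host inventory and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry).
# Fields: (time_seconds, host, parent_image, image, command_line)
SAMPLE_EVENTS = [
    (100, "srv-fs01", "cmd.exe", "rclone.exe", "rclone.exe copy D:\\Shares mega:archive -P"),
    (160, "srv-fs01", "cmd.exe", "net.exe", "net stop MSSQLSERVER /y"),
    (170, "srv-fs01", "cmd.exe", "sc.exe", "sc stop VeeamBackupSvc"),
    (175, "srv-fs01", "PSEXESVC.exe", "cmd.exe", "cmd.exe /c C:\\temp\\deploy.bat"),
    (400, "ws-dev22", "explorer.exe", "MEGAsync.exe", "MEGAsync.exe"),      # user workstation
    (900, "srv-db02", "cmd.exe", "net.exe", "net stop Spooler"),             # a single stop
    (905, "srv-db02", "PSEXESVC.exe", "cmd.exe", "cmd.exe /c hostname"),
]

SERVER_HOSTS = {"srv-fs01", "srv-db02"}            # constructed asset inventory
CLOUD_SYNC_TOOLS = {"rclone.exe", "megasync.exe"}  # tools named in the profile
# "net stop X", "net1 stop X", "sc stop X" (with or without .exe), case-insensitive
SERVICE_STOP = re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\b", re.I)


def detect_cloud_sync(events, server_hosts):
    """Cloud-sync binaries are only flagged on servers/admin hosts, not on user workstations."""
    return [(t, host, img) for t, host, _, img, _ in events
            if host in server_hosts and img.lower() in CLOUD_SYNC_TOOLS]


def detect_stop_then_psexec(events, window_s=300, min_stops=2):
    """Flag a host where at least min_stops service stops precede, within window_s seconds,
    a process spawned by the PsExec service (PSEXESVC.exe). One alert per host."""
    alerts = []
    by_host = defaultdict(list)
    for ev in sorted(events):           # chronological order; tuples sort by time first
        by_host[ev[1]].append(ev)
    for host, evs in by_host.items():
        stops = [t for t, _, _, _, cmd in evs if SERVICE_STOP.search(cmd)]
        for t, _, parent, img, _ in evs:
            if parent.lower() != "psexesvc.exe":
                continue
            recent = [s for s in stops if t - window_s <= s <= t]
            if len(recent) >= min_stops:
                alerts.append((host, t, img, len(recent)))
                break
    return alerts


if __name__ == "__main__":
    print("cloud-sync on servers:", detect_cloud_sync(SAMPLE_EVENTS, SERVER_HOSTS))
    print("stop-then-psexec:", detect_stop_then_psexec(SAMPLE_EVENTS))
```

The single stop on srv-db02 stays below the threshold, so the default run alerts only on srv-fs01, where the staged Rclone copy preceded two service stops and a PsExec-launched shell.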
The bottom line
Evil Corp shows how a sanctioned cybercrime group adapts rather than dies, rebranding through affiliates to keep stealing while dodging the legal fallout of its own notoriety.
Frequently asked questions
What is Evil Corp?
Evil Corp is a Russia-based cybercrime group, overlapping with the cluster MITRE calls Indrik Spider. It began with the Dridex banking trojan and evolved into enterprise ransomware such as BitPaymer and WastedLocker.
How much has Evil Corp stolen?
The U.S. Treasury attributed at least $100 million in theft to Dridex and said the true total is likely significantly higher.
Why was Evil Corp sanctioned?
The U.S. sanctioned Evil Corp in 2019 for its Dridex campaigns, naming its alleged leaders. The sanctions make paying ransoms to the group legally risky, which is why Evil Corp repeatedly rebrands.
Is Evil Corp still active?
Yes, in evolved and fragmented form. After sanctions, it cycled through ransomware variants and affiliate names (such as UNC2165) to evade restrictions and keep operating.
Primary sources & further reading
This guide is reviewed and fact-checked against authoritative primary sources: