Skip to content

Hide Navigation Hide TOC

WIZARD SPIDER (bdf4fe4f-af8a-495f-a719-cf175cecda1f)

Wizard Spider is reportedly associated with Grim Spider and Lunar Spider. The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function. GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.

Cluster A Galaxy A Cluster B Galaxy B Level
WIZARD SPIDER (bdf4fe4f-af8a-495f-a719-cf175cecda1f) Threat Actor Periwinkle Tempest (120dc1ae-e850-5059-a4fb-520748ca6881) Microsoft Activity Group actor 1
WIZARD SPIDER (bdf4fe4f-af8a-495f-a719-cf175cecda1f) Threat Actor Pistachio Tempest (567ea386-a78f-5550-ae7c-9c9eacdf45af) Microsoft Activity Group actor 1