Threat Actor Profile
Description
The NetWalker ransomware is operated by the threat actor known as "CIRCUS SPIDER". The NetWalker ransomware was discovered in 2019. The group mainly targets the Asia Pacific region but can attack globally. The group uses common attack tools like Mimikatz and other legitimate tools (LOLBINS) like PSTools, AnyDesk, TeamViewer, NLBrute, and more. The group is known for targeting the healthcare sector. Finally, in January 2021, NetWalker was taken down by the authorities: the police confiscated hundreds of thousands of dollars in ransom payments collected by the NetWalker group, seized servers, and disrupted the infrastructure and the darknet websites of the NetWalker ransomware group.
Confidence Score
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'NetWalker ransomware group operates by the threat actor known '
'as "CIRCUS SPIDER". The NetWalker ransomware was discovered '
'in 2019. The group mainly targeting the Asia Pacific region '
'but can attack globally. The group uses common attacking '
'tools like Mimikatz and other legitimate tools (LOLBINS) like '
'PSTools, AnyDesk, TeamViewer, NLBrute, and more. The group '
'knowing by targeting the healthcare sector. Finally, in '
'January 2021, Netwalker was takedown by the authorities, the '
'police have confiscated hundreds of thousands of dollars in '
'ransom payments collected by the Netwalker group, and they '
'seized servers and disrupted the infrastructure and the '
'darknet websites of the Netwalker ransomware group.\n',
'firstseen': '2020-01-31T00:00:00+00:00',
'group': 'netwalker',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2020-12-12T00:00:00+00:00',
'locations': [{'available': False,
'fqdn': 'rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion',
'slug': 'http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion',
'title': '',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion',
'slug': 'http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion',
'title': '',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'ransomware_live_group': 'netwalker',
'tools': {'CredentialTheft': ['Mimikatz', 'ProcDump'],
'DefenseEvasion': [],
'DiscoveryEnum': ['AdFind'],
'Exfiltration': [],
'LOLBAS': ['PsExec'],
'Networking': [],
'Offsec': ['Cobalt Strike'],
'RMM-Tools': []},
'url': 'https://www.ransomware.live/group/netwalker',
'victims': 26,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': ['Mimikatz', 'ProcDump'],
'DefenseEvasion': [],
'DiscoveryEnum': ['AdFind'],
'Exfiltration': [],
'LOLBAS': ['PsExec'],
'Networking': [],
'Offsec': ['Cobalt Strike'],
'RMM-Tools': []},
'ttps': [],
'url': 'https://www.ransomware.live/group/netwalker',
'victims': 26,
'vulnerabilities': []}