Threat Actor Profile
High APT
Description

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)

Confidence Score
90%
Known Aliases
Wizard Spider, UNC1878, TEMP.MixMaster, Grim Spider, FIN12, GOLD BLACKBURN, ITG23, Periwinkle Tempest, DEV-0193
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (64)
T1005 - Data from Local System
Collection
T1074 - Data Staged
Collection
T1074.001 - Local Data Staging
Collection
T1560.001 - Archive via Utility
Collection
T1071.001 - Web Protocols
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1003.001 - LSASS Memory
Credential Access
T1003.002 - Security Account Manager
Credential Access
T1003.003 - NTDS
Credential Access
T1552.006 - Group Policy Preferences
Credential Access
T1555.004 - Windows Credential Manager
Credential Access
T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay
Credential Access
T1558.003 - Kerberoasting
Credential Access
T1027.010 - Command Obfuscation
Defense Evasion
T1036.004 - Masquerade Task or Service
Defense Evasion
T1055 - Process Injection
Defense Evasion
T1055.001 - Dynamic-link Library Injection
Defense Evasion
T1070.004 - File Deletion
Defense Evasion
T1078 - Valid Accounts
Defense Evasion
T1078.002 - Domain Accounts
Defense Evasion
T1112 - Modify Registry
Defense Evasion
T1197 - BITS Jobs
Defense Evasion
T1218.011 - Rundll32
Defense Evasion
T1222.001 - Windows File and Directory Permissions …
Defense Evasion
T1550.002 - Pass the Hash
Defense Evasion
T1553.002 - Code Signing
Defense Evasion
T1562.001 - Disable or Modify Tools
Defense Evasion
T1016 - System Network Configuration Discovery
Discovery
T1018 - Remote System Discovery
Discovery
T1033 - System Owner/User Discovery
Discovery
T1082 - System Information Discovery
Discovery
T1087.002 - Domain Account
Discovery
T1135 - Network Share Discovery
Discovery
T1518.001 - Security Software Discovery
Discovery
T1518.002 - Backup Software Discovery
Discovery
T1047 - Windows Management Instrumentation
Execution
T1053.005 - Scheduled Task
Execution
T1059.001 - PowerShell
Execution
T1059.003 - Windows Command Shell
Execution
T1204.001 - Malicious Link
Execution
T1204.002 - Malicious File
Execution
T1569.002 - Service Execution
Execution
T1041 - Exfiltration Over C2 Channel
Exfiltration
T1048.003 - Exfiltration Over Unencrypted Non-C2 Pr…
Exfiltration
T1567.002 - Exfiltration to Cloud Storage
Exfiltration
T1489 - Service Stop
Impact
T1490 - Inhibit System Recovery
Impact
T1566.001 - Spearphishing Attachment
Initial Access
T1566.002 - Spearphishing Link
Initial Access
T1021 - Remote Services
Lateral Movement
T1021.001 - Remote Desktop Protocol
Lateral Movement
T1021.002 - SMB/Windows Admin Shares
Lateral Movement
T1021.006 - Windows Remote Management
Lateral Movement
T1210 - Exploitation of Remote Services
Lateral Movement
T1570 - Lateral Tool Transfer
Lateral Movement
T1133 - External Remote Services
Persistence
T1136.001 - Local Account
Persistence
T1136.002 - Domain Account
Persistence
T1543.003 - Windows Service
Persistence
T1547.001 - Registry Run Keys / Startup Folder
Persistence
T1547.004 - Winlogon Helper DLL
Persistence
T1585.002 - Email Accounts
Resource Development
T1588.002 - Tool
Resource Development
T1588.003 - Code Signing Certificates
Resource Development
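The technique listing above is rendered as two lines per entry (a "Txxxx - Name" line followed by its tactic). As an added example that is not part of this platform's page or of MITRE's tooling, the Python below parses that listing, groups the techniques by tactic, reports which of them have no matching detection in a constructed coverage set, and emits an ATT&CK Navigator layer so the profile can be overlaid on a detection-coverage matrix. The embedded listing is a constructed subset of the 64 entries (the parser takes the full list unchanged); the Navigator version strings in the layer are assumptions to be set to your own Navigator build.

```python
"""Parse a flat "ID - Name / Tactic" technique listing into a tactic map and a Navigator layer."""
import json
import re

# Constructed sample: a subset of the 64-entry listing shown on this page,
# in the same two-line-per-technique layout the page uses.
TECHNIQUE_LISTING = """\
T1005 - Data from Local System
Collection
T1074.001 - Local Data Staging
Collection
T1003.003 - NTDS
Credential Access
T1558.003 - Kerberoasting
Credential Access
T1222.001 - Windows File and Directory Permissions …
Defense Evasion
T1490 - Inhibit System Recovery
Impact
T1566.001 - Spearphishing Attachment
Initial Access
"""

# Technique or sub-technique id, a hyphen separator, then the (possibly truncated) name.
TECHNIQUE_LINE = re.compile(r"^(T\d{4}(?:\.\d{3})?)\s+-\s+(.+?)\s*$")


def parse_listing(text):
    """Return a list of (technique_id, name, tactic) tuples.

    Lines alternate: a technique line, then the tactic it is listed under.
    A technique line without a tactic line is an error, not a silent drop.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    i = 0
    while i < len(lines):
        m = TECHNIQUE_LINE.match(lines[i])
        if not m:
            raise ValueError(f"expected a technique line, got: {lines[i]!r}")
        if i + 1 >= len(lines):
            raise ValueError(f"technique {m.group(1)} has no tactic line")
        entries.append((m.group(1), m.group(2), lines[i + 1]))
        i += 2
    return entries


def tactic_slug(tactic):
    """'Credential Access' -> 'credential-access', the form Navigator layers use."""
    return re.sub(r"[^a-z0-9]+", "-", tactic.lower()).strip("-")


def by_tactic(entries):
    """Ordered map tactic -> [technique ids], preserving the listing order."""
    groups = {}
    for tid, _name, tactic in entries:
        groups.setdefault(tactic, []).append(tid)
    return groups


def coverage_gaps(entries, detected_ids):
    """Technique ids from the listing with no detection in detected_ids.

    Matching is exact on purpose: a detection for parent T1003 is not assumed
    to cover T1003.003, because in practice it usually does not.
    """
    return [tid for tid, _name, _tactic in entries if tid not in detected_ids]


def navigator_layer(entries, name, score=1):
    """Build an ATT&CK Navigator layer with one scored entry per listed technique."""
    return {
        "name": name,
        # Assumed version strings: adjust to the Navigator build you load this into.
        "versions": {"layer": "4.5", "navigator": "4.9.1", "attack": "15"},
        "domain": "enterprise-attack",
        "description": "Generated from a flat technique listing",
        "techniques": [
            {"techniqueID": tid, "tactic": tactic_slug(tactic), "score": score, "comment": tname}
            for tid, tname, tactic in entries
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
    }


if __name__ == "__main__":
    parsed = parse_listing(TECHNIQUE_LISTING)
    for tactic, ids in by_tactic(parsed).items():
        print(f"{tactic}: {', '.join(ids)}")
    # Constructed coverage set: the detections this hypothetical SOC already has.
    print("gaps:", coverage_gaps(parsed, {"T1005", "T1490"}))
    print(json.dumps(navigator_layer(parsed, "Wizard Spider (G0102) TTPs"), indent=2))
```

Load the printed layer through the Navigator's "Open Existing Layer" option; techniques that appear in the gap list are the first candidates for new detection engineering against this group.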
STIX Data
{
  "aliases": [
    "Wizard Spider",
    "UNC1878",
    "TEMP.MixMaster",
    "Grim Spider",
    "FIN12",
    "GOLD BLACKBURN",
    "ITG23",
    "Periwinkle Tempest",
    "DEV-0193"
  ],
  "created": "2020-05-12T18:15:29.396Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)",
  "external_references": [
    {"external_id": "G0102", "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0102"},
    {"description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)", "source_name": "Grim Spider"},
    {"description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)", "source_name": "UNC1878"},
    {"description": "(Citation: FireEye Ryuk and Trickbot January 2019)", "source_name": "TEMP.MixMaster"},
    {"description": "(Citation: IBM X-Force ITG23 Oct 2021)", "source_name": "ITG23"},
    {"description": "(Citation: Mandiant FIN12 Oct 2021)", "source_name": "FIN12"},
    {"description": "(Citation: Microsoft Threat Actor Naming July 2023)", "source_name": "Periwinkle Tempest"},
    {"description": "(Citation: Microsoft Threat Actor Naming July 2023)", "source_name": "DEV-0193"},
    {"description": "(Citation: Secureworks Gold Blackburn Mar 2022)", "source_name": "GOLD BLACKBURN"},
    {"description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"},
    {"description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", "source_name": "FireEye Ryuk and Trickbot January 2019", "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"},
    {"description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", "source_name": "CrowdStrike Ryuk January 2019", "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"},
    {"description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", "source_name": "CrowdStrike Grim Spider May 2019", "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/"},
    {"description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", "source_name": "FireEye KEGTAP SINGLEMALT October 2020", "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"},
    {"description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "source_name": "Microsoft Threat Actor Naming July 2023", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"},
    {"description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.", "source_name": "CrowdStrike Wizard Spider October 2020", "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/"},
    {"description": "Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.", "source_name": "Secureworks Gold Blackburn Mar 2022", "url": "https://www.secureworks.com/research/threat-profiles/gold-blackburn"},
    {"description": "Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.", "source_name": "Mandiant FIN12 Oct 2021", "url": "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf"},
    {"description": "Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.", "source_name": "IBM X-Force ITG23 Oct 2021", "url": "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/"}
  ],
  "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
  "modified": "2025-03-12T20:33:21.597Z",
  "name": "Wizard Spider",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_contributors": ["Edward Millington", "Oleksiy Gayda"],
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack", "ics-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "4.0"
}
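The STIX object above is what a threat-intelligence pipeline ingests when it pulls the ATT&CK bundle, and the nine vendor aliases are the reason to ingest it: a Mandiant report on "FIN12" and a Secureworks report on "GOLD BLACKBURN" must land on the same group record. As an added example that is not part of this platform's page or of MITRE's tooling, the Python below validates the object against the checks a pipeline should apply before trusting it (type, spec version, id shape, revoked/deprecated flags), builds a case-insensitive alias index keyed to the ATT&CK group id, refuses alias collisions between groups, and pulls out the report URLs. The embedded object is a constructed copy of the page's object with most external_references trimmed; the collision handling and normalization rules are this example's own design choices, not STIX requirements.

```python
"""Ingest a STIX 2.1 intrusion-set object (an ATT&CK group) into a vendor-alias lookup."""
import json
import re

# Constructed sample: the Wizard Spider object from this page, with most of its
# external_references trimmed. The field layout is what the ATT&CK STIX bundle emits.
INTRUSION_SET_JSON = json.dumps({
    "type": "intrusion-set",
    "spec_version": "2.1",
    "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
    "name": "Wizard Spider",
    "aliases": ["Wizard Spider", "UNC1878", "TEMP.MixMaster", "Grim Spider", "FIN12",
                "GOLD BLACKBURN", "ITG23", "Periwinkle Tempest", "DEV-0193"],
    "created": "2020-05-12T18:15:29.396Z",
    "modified": "2025-03-12T20:33:21.597Z",
    "revoked": False,
    "x_mitre_deprecated": False,
    "x_mitre_domains": ["enterprise-attack", "ics-attack"],
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "G0102",
         "url": "https://attack.mitre.org/groups/G0102"},
        {"source_name": "FIN12", "description": "(Citation: Mandiant FIN12 Oct 2021)"},
        {"source_name": "Mandiant FIN12 Oct 2021",
         "description": "Shilko, J., et al. (2021, October 7). FIN12 group profile.",
         "url": "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf"},
    ],
})

# STIX identifiers are "<type>--<UUID>"; anything else is a malformed or foreign object.
STIX_ID = re.compile(r"^intrusion-set--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def load_sample():
    return json.loads(INTRUSION_SET_JSON)


def validate_intrusion_set(obj):
    """Return the list of problems that make this object unsafe to ingest.

    ATT&CK keeps revoked and deprecated objects in the bundle so that old ids still
    resolve; a pipeline must skip them rather than index their aliases.
    """
    problems = []
    if obj.get("type") != "intrusion-set":
        problems.append("type")
    if obj.get("spec_version") != "2.1":
        problems.append("spec_version")
    if not STIX_ID.match(obj.get("id", "")):
        problems.append("id")
    if obj.get("revoked") or obj.get("x_mitre_deprecated"):
        problems.append("revoked/deprecated")
    if not obj.get("name"):
        problems.append("name")
    return problems


def attack_id(obj):
    """The ATT&CK group id (e.g. G0102) lives in the 'mitre-attack' external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and ref.get("external_id"):
            return ref["external_id"]
    raise ValueError(f"{obj.get('id')}: no mitre-attack external_id")


def normalize(alias):
    """Vendor names differ in case and spacing ('GOLD BLACKBURN' vs 'Gold Blackburn')."""
    return re.sub(r"[\s_-]+", " ", alias).strip().casefold()


def alias_index(objects):
    """Map every normalized alias (and the name itself) to the ATT&CK group id.

    A collision is an error, not a last-writer-wins overwrite: one vendor name
    silently pointing at two groups corrupts every attribution built on the index.
    """
    index = {}
    for obj in objects:
        if validate_intrusion_set(obj):
            continue
        gid = attack_id(obj)
        for alias in [obj["name"], *obj.get("aliases", [])]:
            key = normalize(alias)
            if index.get(key, gid) != gid:
                raise ValueError(f"alias {alias!r} maps to both {index[key]} and {gid}")
            index[key] = gid
    return index


def resolve(index, vendor_name):
    """Group id for a vendor's name, or None when the name is unknown."""
    return index.get(normalize(vendor_name))


def citations(obj):
    """(source_name, url) for every reference that is an actual report link."""
    return [(r["source_name"], r["url"]) for r in obj.get("external_references", [])
            if r.get("url") and r.get("source_name") != "mitre-attack"]


if __name__ == "__main__":
    group = load_sample()
    print("problems:", validate_intrusion_set(group))
    idx = alias_index([group])
    print(resolve(idx, "fin12"), resolve(idx, "Gold Blackburn"), resolve(idx, "APT29"))
    print(citations(group))
```

Alias-only references such as the "FIN12" entry carry no URL, only a pointer to the citation entry that does; citations() therefore keys on the presence of url rather than on source_name, so the index never hands a report link that is really a citation stub.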