- Notifications
You must be signed in to change notification settings - Fork23
This repository contains indicators of compromise (IOCs) of our various investigations.
License
NotificationsYou must be signed in to change notification settings
prodaft/malware-ioc
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
This repository contains indicators of compromise (IOCs) of our various investigations.
| Avatars | Threat Actors | Description | Motivation |
|---|---|---|---|
 | ArcaneMantis | Arcane Mantis (a.k.a. Vice Society, Rhysida) is a ransomware group that first appeared in the summer of 2021. | Ransomware |
 | CrypticSilverfish | Cryptic Silverfish, also known as Evil Corp, is a notorious Russian cybercriminal group active since at least 2007. | Organized Crime |
 | DiabolicLadybug | Diabolic Ladybug, also known as TA505, is a financially motivated cybercriminal group active since at least 2014, known for orchestrating large-scale malicious email campaigns to distribute various malware families. | Financial Crime |
 | ElysianMantis | Elysian Mantis, also known as Conti, was a ransomware group active from 2019 to 2022, known for operating a ransomware-as-a-service (RaaS) model.. | Ransomware |
 | LARVA-140 | LARVA-140, also known as Brunhilda, is the threat actor behind the Brunhilda DaaS operation, an Android malware dropper targeting banking apps, cryptocurrency wallets, and social media platforms in specific regions. | Criminal Service |
 | LARVA-147 | LARVA-147, also known as CryptoChameleon, UNK-12, or Perm, is a cybercriminal threat actor specializing in advanced phishing campaigns targeting cryptocurrency users and exchanges like Binance, Uphold, and Kraken. | Criminal Service |
 | LARVA-15 | LARVA-15, also known as Wazawaka and identified as Mikhail Pavlovich Matveev, is a prominent cybercriminal linked to ransomware groups such as Monti, Ragnar Locker, NoEscape, and LockBit RaaS. | Initial Access Broker |
 | LARVA-17 | LARVA-17, a.k.a. Adminko, is a threat actor behind a phishing email campaign first observed in 2020, targeting users in Europe. | Financial Crime |
 | LARVA-18 | LARVA-18, publicly known as Tramp or TA577, is a prolific cybercrime threat actor tracked by cybersecurity researchers since mid-2020. | Initial Access Broker |
 | LARVA-208 | LARVA-208, also known as "EncryptHub," is a cybercriminal threat actor specializing in highly sophisticated spear-phishing attacks. | Initial Access Broker |
 | LARVA-39 | LARVA-39, also known as PTI-249, is the developer and maintainer of PcWebControl, a Remote Access Trojan (RAT) used by threat actors primarily for financial crimes and ransomware attacks. | Criminal Service |
 | LARVA-47 | LARVA-47, commonly referred to as the RIG Exploit Kit operator, is a cybercriminal group that has been active since 2014. | Initial Access Broker |
 | LARVA-57 | LARVA-57, also known as PTI-257, is a sub-group within the cybercrime organization Wizard Spider (Mystical Silverfish), known for deploying LockBit ransomware in high-profile attacks. | Ransomware |
 | MysticalSilverfish | Mystical Silverfish (a.k.a Wizard Spider) is a sophisticated and financially motivated cybercrime group, known for its deployment of the TrickBot malware and the highly destructive Ryuk and Conti ransomware. | Organized Crime |
 | PrimalSnail | Primal Snail, also known as Nomadic Octopus, is a Russian-speaking cyber espionage group active since at least 2014, primarily targeting Central Asian entities such as local governments, diplomatic missions, and individuals. | Espionage |
 | RuthlessMantis | Ruthless Mantis, or PTI-288, is a ransomware group that employs double extortion by exfiltrating data before encrypting systems. They collaborate with numerous ransomware affiliate programs, such as Ragnar Locker, INC Ransom, and others, to enhance their operational reliability and expand their range of actions. | Ransomware |
 | SavageLadybug | Savage Ladybug (a.k.a. FIN7) is a sophisticated cybercriminal group notorious for targeting financial institutions, hospitality, and retail sectors. | Financial Crime |
 | TenaciousMantis | Tenacious Mantis, also known as LockBit, is a highly prolific ransomware group that operates under a Ransomware-as-a-Service (RaaS) model, allowing affiliates to utilize the ransomware for launching attacks. | Ransomware |
 | TranquilWasp | Tranquil Wasp (also known as UNC1151) is a sophisticated, state-sponsored threat actor linked to Belarus, primarily known for its cyber espionage and disinformation campaigns, including the infamous Ghostwriter operations. | State Sponsored |
 | VeiledMantis | Veiled Mantis, also known as PYSA or Mespinoza, is a highly organized ransomware threat actor that primarily targets large organizations across sectors such as healthcare, education, and government. | Ransomware |
| Name | Description | Type |
|---|---|---|
| FluBot | FluBot is a mobile banking Trojan that primarily targets Android devices through SMS phishing (smishing) campaigns. It spreads by sending malicious text messages containing links to fake websites that trick users into downloading the malware. | RAT |
| Kurisu | Kurisu is a malware known for targeting Windows systems. It operates by executing malicious payloads that has keylogger functionality, meaning it's created to spy on victims and capture everything they type. | RAT |
| PlutoCrypt | PlutoCrypt is a variant of CryptoJoker ransomware. The decryptor in this repository has been developed for PlutoCrypt - but with a small modification, it can also work for other CryptoJoker variants. | Ransomware |
| RagnarLoader | Ragnar Loader, also known as Sardonic, is a sophisticated toolkit of the Monstrous Mantis (a.k.a. Ragnar Locker) ransomware group, which has been inflicting targeted cyberattacks on organizations since its emergence in 2020. Ragnar Loader often referred to as the Ragnar Framework by its affiliates—plays an essential role by establishing persistent access to compromised systems and ensuring long-term fixation. | Loader |
| ShadowRansomware | Shadow ransomware is a custom-built ransomware that is written in the .NET platform. It is dubbed as shadow because of the extension of the encrypted files | Ransomware |
| Solarmarker | Solarmarker is a multi-stage, heavily obfuscated malware targeting thousands of victims globally. Developers changed several installation steps in time, such as the initial point of entry in MSI installation files, making this advanced persistent threat even more dangerous. | Backdoor |
| AnubisBackdoor | A Python-based backdoor used by the Savage Ladybug group is developed to provide remote access, execute commands, and steal data. It is obfuscated to avoid detection. | Backdoor |
| Name | Description | Type |
|---|---|---|
| Private Encrypter | Threat actors, including Cuba Ransomware group, Wizard Spider and others, are using a private encrypting service to evade AV detections. The system is designed explicitly for the Cobalt Strike beacons, making conducting reverse engineering on the samples challenging. | Encrypter |
Copyright © PRODAFT 2025