GOLD DRAKE
SUMMARY
GOLD DRAKE, also known as Evil Corp, is a financially motivated cybercriminal threat group that started operating the Dridex (also known as Bugat v5) botnet in 2014. However, individual operators of GOLD DRAKE have been involved in malware-aided financial fraud since at least early 2011 and are former affiliates of the GOLD EVERGREEN threat group. GOLD EVERGREEN, also known as The Business Club, operated the Zeus and Gameover Zeus botnets until international law enforcement action in May 2014.
GOLD DRAKE originally distributed Dridex in high-volume campaigns intended to infect large numbers of individual victims but started to decrease the cadence of distribution campaigns in 2016, using Dridex instead for more targeted attacks. From July 2017 to early 2020, GOLD DRAKE developed and distributed the BitPaymer ransomware during post-intrusion attacks facilitated by Dridex.
After the U.S. Treasury Department sanctioned some members in 2019, GOLD DRAKE shifted to using ransomware variants such as WastedLocker, Hades, Phoenix CryptoLocker and Payload.bin. The group also abandoned signature tools and modified their intrusion techniques so that victims would not necessarily realize that they were paying GOLD DRAKE. In 2024, a member of Evil Corp was identified as an affiliate of the LockBit ransomware-as-a-service (RaaS) scheme.
Despite the sanctions, GOLD DRAKE also briefly resumed high-volume Dridex campaigns in 2020, with distribution via spam emails from GOLD ESSEX's Cutwail botnet, second-stage downloads from instances of Gozi ISFB and GOLD CRESTWOOD's Emotet botnet, drive-by downloads using GOLD PRELUDE's SocGholish, and a variety of other methods. However, when GOLD DRAKE swapped BitPaymer for WastedLocker in May 2020, they abandoned use of Dridex, instead preferring to rely on PowerShell scripts distributed by SocGholish to execute payloads based on Donut and the Covenant post-exploitation framework. With Hades attacks, GOLD DRAKE made extensive use of Cobalt Strike, as well as other tools including Mimikatz, Advanced Port Scanner, PsExec, Metasploit, MSBuild, batch scripts to repeatedly stop services and clear event logs, MEGASync for data exfiltration, RDP, and reverse SOCKS proxies. SocGholish has continued to be used for initial access, although CTU researchers also observed Hades ransomware attacks in early 2021 where stolen credentials were used as the initial access vector.
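One way to hunt for the "repeatedly stop services and clear event logs" behaviour described above, added here as an example rather than CTU's own tooling: the Windows event IDs are the standard ones (7036 service stopped, 1102 Security log cleared, 104 System log cleared), and the event records are constructed for illustration.

```python
"""Flag hosts where service stops and event-log clears cluster in a short window.
A single log clear can be routine administration; repeated clears interleaved
with service stops match the batch-script behaviour described for Hades intrusions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (host, UTC timestamp, event id, detail). Not from the page.
SAMPLE_EVENTS = [
    ("WS01", "2021-02-03T01:12:00", 7036, "Veeam Backup Service stopped"),
    ("WS01", "2021-02-03T01:12:02", 7036, "SQL Server (MSSQLSERVER) stopped"),
    ("WS01", "2021-02-03T01:12:05", 7036, "Windows Defender stopped"),
    ("WS01", "2021-02-03T01:12:09", 1102, "The audit log was cleared"),
    ("WS01", "2021-02-03T01:12:10", 104, "The System log file was cleared"),
    ("WS01", "2021-02-03T01:14:00", 7036, "Veeam Backup Service stopped"),
    ("WS01", "2021-02-03T01:14:03", 1102, "The audit log was cleared"),
    ("FS02", "2021-02-03T09:00:00", 7036, "Print Spooler stopped"),      # benign one-off
    ("FS02", "2021-02-03T11:00:00", 1102, "The audit log was cleared"),  # isolated clear
]

LOG_CLEARED = {1102, 104}   # Security log cleared, System log cleared
SERVICE_STOPPED = 7036      # Service Control Manager: service entered stopped state

def find_suspicious_hosts(events, window_minutes=5, min_stops=3, min_clears=2):
    """Return {host: counts} for hosts where some window of `window_minutes`
    contains at least `min_stops` service stops and `min_clears` log clears."""
    by_host = defaultdict(list)
    for host, ts, eid, _detail in events:
        by_host[host].append((datetime.fromisoformat(ts), eid))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for host, recs in by_host.items():
        recs.sort()  # chronological order so each record can open a window
        for i, (start, _) in enumerate(recs):
            bucket = [eid for t, eid in recs[i:] if t - start <= window]
            stops = sum(1 for eid in bucket if eid == SERVICE_STOPPED)
            clears = sum(1 for eid in bucket if eid in LOG_CLEARED)
            if stops >= min_stops and clears >= min_clears:
                hits[host] = {"service_stops": stops, "log_clears": clears}
                break  # one qualifying window is enough to flag the host
    return hits

if __name__ == "__main__":
    print(find_suspicious_hosts(SAMPLE_EVENTS))  # {'WS01': {'service_stops': 4, 'log_clears': 3}}
```

Thresholds are deliberately conservative; tune `min_clears` upward in environments where scheduled log rotation raises 1102 events.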
In September 2024, the third phase of international law enforcement Operation Cronos revealed that a LockBit affiliate known as "Beverley" was a member of Evil Corp. This individual was named as Aleksandr Ryzhenkov and indicted by the U.S. Department of Justice (DOJ). He and two other individuals (Maksim Yakubets and Igor Turashev), originally indicted by the DOJ in 2019, were jointly sanctioned by the U.S., UK and Australian authorities. A further 13 individuals linked to Evil Corp were also sanctioned by the U.S. and UK, and two companies associated with a group member were sanctioned by the U.S.
Threat Analysis
Dridex (Bugat v5) Botnet Takeover Operation