Skip to content
Ransomware group

Hades

Hades is ransomware associated in public reporting with Evil Corp and Indrik Spider activity, including intrusions tracked as UNC2165.

Profile source: Ransomware.live opens in a new tab

Hades

Family profile

Hades is ransomware associated in public reporting with Evil Corp and Indrik Spider activity, including intrusions tracked as UNC2165. This profile excludes the unrelated software supply-chain malware that also uses the Hades name.

Ransomware.live

Operational record

View group record ↗

Reporting

Research mentioning Hades

Jul 9
Toms Hardware

New hack exploits AI hallucinations to trick agents into running malicious code - 'HalluSquatting' attack exploits a fundamental weakness in every available model | Tom's Hardware

You may like AI coding agents can be tricked into installing malware via 'clean' GitHub repositories ... Hades malware campaign tricks AI scanners with fake nuclear weapon prompts

Jun 30
Xakep

Червь Miasma атаковал LeoPlatform и пакеты RStreams - Хакер

В конце прошлой недели исследователи обнаружили новую волну атак малвари семейства Shai-Hulud, Miasma и Hades.

Jun 28
Toms Hardware

AI coding agents can be tricked into installing malware via 'clean' GitHub repositories - Mozilla's 0din team shows how Claude Code can be exploited by its own helpfulness | Tom's Hardware

You may like Hades malware campaign tricks AI scanners with fake nuclear weapon prompts

Jun 26
The Hacker News

Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

According to Endor Labs and OX Security, the malware also polls GitHub every hour for commits matching the string "firedalazer" to retrieve and execute the Hades variant of the malware.

Jun 26
Cyber Security News

Miasma Malware Uses binding.gyp and Bun to Execute Hidden Payloads in npm Packages

Researchers at Socket.dev said... this campaign is part of a broader threat cluster also connected to related malware families called Mini Shai-Hulud and Hades.

Jun 26
Security Affairs

macOS.Gaslight: North Korea-Linked Malware That Tries to Gaslight the Analyst - Security Affairs

Similar prompt-injection techniques have been seen before, including Windows PoCs documented by Check Point in 2025 and supply-chain payloads like Hades and Shai-Hulud, which used simpler single-block injections rather than this more complex multi-message setup.

Jun 25
Cyber Security News

Shai-Hulud Payload Steals GitHub, npm, Cloud, CI/CD, and SSH Credentials From Developers

The threat, known as the Shai-Hulud payload carrying the Hades malware family, has now expanded its reach to the Leo/RStreams ecosystem...

Jun 21
Security Online Info

NPM Package Tests AI Malware Scanner Evasion Techniques

Earlier campaigns used packages named Mini Shai-Hulud, Miasma, and Hades. Those malicious packages embedded fake prompt-injection headers. They placed these headers before obfuscated JavaScript payloads.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.