Skip to content
Ransomware group

Payload.bin

Payload.bin is a ransomware variant associated with the financially motivated cybercrime group GOLD DRAKE, also known as Evil Corp.

Profile source: Mallory opens in a new tab

Payload.bin

Family profile

Payload.bin is a ransomware variant associated with the financially motivated cybercrime group GOLD DRAKE, also known as Evil Corp. The provided content states that after U.S. Treasury sanctions in 2019, Evil Corp shifted from earlier ransomware families and began using variants including WastedLocker, Hades, Phoenix CryptoLocker, and Payload.bin. This shift was accompanied by changes in tooling and intrusion tradecraft intended to reduce attribution and make victims less aware they were paying Evil Corp. The content does not provide specific technical details on Payload.bin’s encryption behavior, infection chain, targeted sectors, or unique indicators of compromise, but it places the malware within Evil Corp’s broader post-2019 ransomware operations.

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

1 named in public reporting
Indrik Spider

"...shifted to using ransomware variants such as ... Payload.bin."

MITRE ATT&CK

Payload.bin in ATT&CK

7 distinct techniques

Reporting

Research mentioning Payload.bin

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.