ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Narwhal Spider

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Other threat group: Narwhal Spider

NamesNarwhal Spider (CrowdStrike)
Gold Essex (SecureWorks)
MotivationFinancial gain
First seen2007
Description(CrowdStrike) CrowdStrike Falcon Intelligence has observed a new Cutwail spam campaign from NARWHAL SPIDER on 24 October 2018. NARWHAL SPIDER is the adversary name designated by Falcon Intelligence for the criminal operator of Cutwail version 2. NARWHAL SPIDER primarily provides spam services with a large customer base that has included malware operators such as Wizard Spider, Gold Blackburn (developer of TrickBot), affiliates of BAMBOO SPIDER (developer of Panda Zeus), and many others including URLZone, Nymaim and Gozi ISFB. The targets and payloads delivered through Cutwail spam campaigns are determined by the customers of NARWHAL SPIDER.

Cutwail has been observed to distribute Dyre (Wizard Spider, Gold Blackburn), Zeus Panda (Bamboo Spider, TA544) and much of the malware from TA505, Graceful Spider, Gold Evergreen.
ObservedCountries: Worldwide.
Tools usedCutwail.
Operations performedAug 2011Cutwail botnet resurfaces in major Facebook scam-paign
Oct 2013Without the Blackhole exploit kit around to inject malware such as the Zeus Trojan, keepers of the Cutwail spam bot have been forced to resort to some old-school methods of sending malware such as direct email attachments.
Oct 2018The Japanese-language spam campaign uses a mixture of malicious PowerShell (PS) and steganography — a method of sending data in a concealed format — to distribute the eCrime malware family URLZone (a.k.a. Bebloh).
Counter operationsAug 2010Security researchers have dealt a mighty blow to a spam botnet known as Pushdo, a massive grouping of hacked PCs that until recently was responsible for sending more than 10 percent of all junk e-mail worldwide.

Last change to this card: 10 August 2021

Download this actor card in PDF or JSON format

Previous: Mummy Spider, TA542
Next: NetSec, USDoD

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]