🇷🇺

CIRCUS SPIDER

APT Group Financial gain ETDA ✓

Also Known As

No alias recorded

Target Countries 34

Countries highlighted in red

Argentina Austria Australia Belgium Brazil Canada Chile China Colombia Germany Spain France Guatemala Hungary Ireland India Islamic Republic of Iran Italy Luxembourg Malaysia Nigeria Nicaragua Netherlands Norway New Zealand Pakistan Poland Saudi Arabia Sweden Thailand Ukraine United States Vietnam South Africa

Sectors Targeted

Healthcare Shipping and Logistics Government Transportation Manufacturing Energy Education

Details

Origin 🇷🇺 RU

Last Updated 13 Apr 2026

MITRE ATT&CK 16

T1003 - OS Credential Dumping T1018 - Remote System Discovery T1021.002 T1070.004 - File Deletion T1078 T1082 - System Information Discovery T1083 - File and Directory Discovery T1106 - Native API T1190 - Exploit Public-Facing Application T1210 T1486 - Data Encrypted for Impact T1490 - Inhibit System Recovery T1518.001 - Security Software Discovery T1562.001 - Disable or Modify Tools T1567.002 - Exfiltration to Cloud Storage T1570 - Lateral Tool Transfer

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 1 entries

Circus Spider CrowdStrike

Observed Target Countries 35

Based on ETDA data — countries highlighted in red

Argentina Australia Austria Belgium Brazil Canada Chile China Colombia France Germany Guatemala Hungary India Iran Ireland Italy Luxembourg Malaysia Netherlands New Zealand Nicaragua Nigeria Norway Pakistan Poland Russia Saudi Arabia South Africa Spain Sweden Thailand Ukraine USA Vietnam

Description

(Carbon Black) MailTo is a ransomware variant that has recently been reported to have been part of a targeted attack against Toll Group, an Australian freight and logistics company. This ransomware makes no attempt to remain stealthy, and quickly encrypts the user’s data as soon as the ransomware is launched. Once the encryption phase completes, the encrypted files are renamed to contain the word “mailto”, which is where the name originated from.

Tools Used 1

NetWalker

Operations 13

2020-02 Ransomware Attack Hinders Toll Group Operations https://threatpost.com/ransomware-attack-hinders-toll-group-operations/152552/

2020-03 Netwalker Ransomware Infecting Users via Coronavirus Phishing https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/

2020-03 Spanish hospitals targeted with coronavirus-themed phishing lures in Netwalker ransomware attacks https://www.computing.co.uk/news/4012969/hospitals-coronavirus-ransomware

2020-05 Michigan State University hit by ransomware gang https://www.zdnet.com/article/michigan-state-university-hit-by-ransomware-gang/

2020-05 Ransomware recruits affiliates with huge payouts, automated leaks https://www.bleepingcomputer.com/news/security/ransomware-recruits-affiliates-with-huge-payouts-automated-leaks/

2020-06 Netwalker ransomware continues assault on US colleges, hits UCSF https://www.bleepingcomputer.com/news/security/netwalker-ransomware-continues-assault-on-us-colleges-hits-ucsf/

2020-06 Philadelphia-area health system says it 'isolated' a malware attack https://www.cyberscoop.com/crozer-keystone-cyber-attack-netwalker-ransomware/

2020-07 Netwalker Ransomware Stole Data After Targeting Lorien Health Services https://latesthackingnews.com/2020/07/23/netwalker-ransomware-stole-data-after-targeting-lorien-health-services/

2020-09 Netwalker ransomware hits Pakistan's largest private power utility https://www.bleepingcomputer.com/news/security/netwalker-ransomware-hits-pakistans-largest-private-power-utility/

2020-09 Netwalker ransomware hits Argentinian government, demands $4 million https://www.bleepingcomputer.com/news/security/netwalker-ransomware-hits-argentinian-government-demands-4-million/

2020-09 Cyber threat startup Cygilant hit by ransomware https://techcrunch.com/2020/09/03/cygilant-ransomware/

2020-09 Equinix data center giant hit by Netwalker Ransomware, $4.5M ransom https://www.bleepingcomputer.com/news/security/equinix-data-center-giant-hit-by-netwalker-ransomware-45m-ransom/

2020-10 Enel Group hit by ransomware again, Netwalker demands $14 million https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/

Reports & References 2

https://www.carbonblack.com/blog/threat-analysis-unit-tau-threat-intelligence-notification-mailto-netwalker-ransomware/ https://blog.chainalysis.com/reports/netwalker-ransomware-disruption-arrest

ETDA Profile

Circus Spider

Origin

[Unknown]

First Seen 2019

Motivation

Financial gain

View on ETDA APT Groups ↗