Evil Corp is reportedly distancing itself from its previous signature moves, shifting tactics and tools to avoid identification and continue its nefarious activity. The group has pivoted to the LockBit ransomware after US sanctions made it extremely difficult for it to benefit financially from its activity. Mandiant has been tracking what it refers to as a financially motivated threat cluster that has numerous overlaps with Evil Corp and is likely the same group under a different disguise. This cluster is leveraging the FakeUpdate infection chain to gain initial access into networks.
Mandiant stated that numerous reports have highlighted the progression of the activity, including the development of new ransomware families. Although the group is attempting to obscure attribution, the cluster tracked by Mandiant bears too many similarities to operations attributed to Evil Corp to ignore, leading many security researchers to believe that the same actors are behind it.