Tunnel Spider


TUNNEL SPIDER is a prolific Ransomware-as-a-Service (RaaS) affiliate active since at least February 2022. Since that time, the adversary primarily used HIVE SPIDER’s Hive RaaS. After the Hive RaaS was disrupted by law enforcement in January 2023, TUNNEL SPIDER has used BITWISE SPIDER’s LockBit RaaS, the Black Basta RaaS, ROYAL SPIDER’s Royal RaaS, and Cactus ransomware. Cactus was first identified...

Community Identifiers



  • TMUg5H8rJDZI2ad


  • mxwKzIjZ

Contact our team about
IOCs for this adversary


During a cybersecurity incident, indicators of compromise (IoC) are clues and evidence of a data breach.