Tracking Adversaries: EvilCorp, the RansomHub affiliate
ID: 487e08cb-dabe-59c0-88d8-8b855276eaf8
STIX ID: report--487e08cb-dabe-59c0-88d8-8b855276eaf8
Feed Name: BushidoToken Blog
This CTI blog post links the sanctioned, Russia-based cybercriminal group EvilCorp with the RansomHub ransomware-as-a-service operation, documenting that SocGholish (FakeUpdates) infections frequently lead to deployment of a custom Python backdoor (VIPERTUNNEL) and ultimately to RansomHub ransomware. It synthesizes reporting from Microsoft, Google, GuidePoint, and Trend Micro and highlights the operational, legal (sanctions), and response implications for victims and defenders.
