Threat Actor Profile
Tunnel Spider
TUNNEL SPIDER is an advanced, financially motivated cybercriminal group known for its "Big Game Hunting" tactics. This group targets large, lucrative organizations to deploy ransomware for high-value payouts. They are the primary actors associated with Cactus ransomware and have been observed as affiliates for several other major Ransomware-as-a-Service (RaaS) operations, making them a significant and versatile threat.
Country of Origin
The specific country of origin for TUNNEL SPIDER is not publicly known. Like many sophisticated eCrime groups, they operate with a high degree of operational security, making attribution difficult. Their targeting patterns do not suggest an allegiance to a specific nation-state, and their motivations appear to be purely financial.
Members
The exact size and composition of TUNNEL SPIDER are unknown. However, their ability to conduct multiple campaigns and participate in various RaaS affiliate programs suggests a skilled and organized team. The group likely consists of specialized operators who handle different phases of the attack lifecycle, from initial access to ransomware deployment and negotiation.
Leadership
There is currently no publicly available information identifying the specific leaders or key figures behind the TUNNEL SPIDER threat group. The group's structure is likely decentralized, which helps protect its core operators from being identified and apprehended.
Tunnel Spider TTPs
Tactics
The primary tactic of TUNNEL SPIDER is "Big Game Hunting," where they specifically go after large enterprises with the resources to pay substantial ransoms. Their operations are centered around double extortion—they not only encrypt their victims' files but also steal sensitive data and threaten to leak it publicly if the ransom is not paid. This puts immense pressure on victims to comply.
Techniques
To achieve their goals, TUNNEL SPIDER uses various techniques to gain and maintain access. While their initial access methods are not as publicly documented as groups like Scattered Spider, they likely leverage common enterprise infiltration vectors like exploiting unpatched vulnerabilities, phishing, or purchasing stolen credentials.
Once inside a network, they use tunneling techniques—creating encrypted channels using VPNs or other proxy tools—to move laterally, communicate with their command-and-control (C2) servers, and exfiltrate data while evading detection by security tools. This ability to "tunnel" through a network is a core part of their operational playbook.
Procedures
TUNNEL SPIDER is most known for deploying the Cactus ransomware. This particular strain is notable for its use of double extortion tactics. In addition to their primary payload, TUNNEL SPIDER has also operated as an affiliate for other prominent RaaS groups, including:
- LockBit
- Black Basta
- Royal
This affiliate activity shows their adaptability and deep integration within the cybercrime ecosystem, allowing them to switch malware strains based on effectiveness and opportunity.
Notable Cyberattacks
While specific, named attacks attributed directly to TUNNEL SPIDER are not as widely publicized as those from other groups, their primary impact is felt through the deployment of Cactus ransomware. Security researchers have tracked numerous Cactus incidents throughout 2024 and 2025, noting the ransomware's increasing sophistication and TUNNEL SPIDER's efficiency in executing attacks that lead to multi-million dollar ransom demands.
Law Enforcement & Arrests
As of September 2025, there have been no publicly announced arrests of individuals associated with TUNNEL SPIDER. International law enforcement agencies continue to track and disrupt ransomware groups, but the anonymous and decentralized nature of actors like TUNNEL SPIDER makes arrests challenging.
How to Defend Against Tunnel Spider
Vulnerability and Patch Management: Keep all systems, software, and applications updated. TUNNEL SPIDER, like many attackers, often exploits known vulnerabilities to get in.
Strong Access Controls: Implement multi-factor authentication (MFA) everywhere possible to prevent credential abuse. Don't make it easy for them.
Network Segmentation: Segment your network to limit lateral movement. If they get into one part of your network, you don't want them to have free rein over the rest.
Employee Training: Educate employees to recognize phishing attempts and other social engineering tactics. A well-trained team is your first line of defense.
Backup and Recovery: Maintain regular, offline, and tested backups. If the worst happens, you need a way to restore your data without paying a dime.
The Huntress Managed Security Platform provides 24/7 monitoring from our expert Security Operations Center (SOC) to detect and respond to threats like Cactus ransomware before they can cause damage. We spot suspicious activities and shut them down fast.