During 2018, Evil Corp had a short lived partnership with TheTrick group; specifically, leasing out access to BitPaymer for a while, prior to their use of Ryuk.
Subgroup of Indrik Spider splitted in 2019
Dridex has also been delivered by Emotet since 2017. This suggests that there is a functional relationship between the two groups (they share resources).
Evil Corp has almost exclusively obtained initial access to victims' networks from UNC1543. UNC1543 is a financially motivated threat cluster that has distributed FAKEUPDATES since at least April 2018. In the months prior to the indictments, Mandiant reported on FAKEUPDATES being used as the initial infection vector for DRIDEX infections that later resulted in the deployment of BITPAYMER or DOPPELPAYMER