Payload Ransomware: Early Profile
Tags: Payload ransomware, data broker extortion, double extortion, Tor leak site, ESXi ransomware, RECOVERY-xx0001.txt, IOCs, incident response
Evidence-led cyber threat intelligence for defenders. Incident reports, actor profiles and vulnerability analysis — written for the people who have to act on it.
Tags: Payload ransomware, data broker extortion, double extortion, Tor leak site, ESXi ransomware, RECOVERY-xx0001.txt, IOCs, incident response
APT33, Elfin, Peach Sandstorm, HOLMIUM, Refined Kitten, Iran, aerospace, energy, petrochemical, spearphishing, password spraying, Outlook Home Page, Ruler, TurnedUp, DropShot, ShapeShift, StoneDrill
CISA has now flagged CVE-2026-1731 —a critical, pre-authentication remote code execution flaw in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) as being used in ransomware…
Ivanti Endpoint Manager Mobile (EPMM) sits in a uniquely privileged position: it manages device enrollment, policy enforcement, and app/content distribution across entire mobile fleets. When an…
Publish date: 21 February 2026 Category: Threat Intelligence / Defense Evasion / Endpoint Security Tags: EDR, XDR, ransomware, defense evasion, BYOVD, Windows drivers, tamper protection, detection…
Bring Your Own Vulnerable Driver (BYOVD) is a post-compromise technique where attackers load a legitimately signed (but vulnerable) kernel driver and then abuse it to gain ring-0 capabilities…
APT29, also known as Cozy Bear, is a Russian hacker group believed to be affiliated with one or more Russian intelligence agencies. The group has been operating for the Russian Federation since at…
APT28 is a long-running Russian state-aligned cyber espionage actor widely attributed to the GRU’s 85th Main Special Service Center (GTsSS), military unit 26165, active since at least 2004. (…
APT31 is a China-linked cyber espionage actor assessed by the U.S. Department of Justice and U.S. Treasury as operating in support of the PRC Ministry of State Security , specifically the Hubei…
LAPSUS$ is an extortion-focused cybercriminal collective best known for high-tempo intrusions against large enterprises and service providers, frequently leveraging social engineering and identity…
Cl0p (often written “CL0P”) is a financially motivated extortion operation best known for high-scale data theft campaigns that disproportionately impact organisations running internet-facing…
Mandiant and Google Threat Intelligence Group (GTIG) have released critical findings regarding UNC6201 , a suspected PRC-nexus threat cluster. This group has been actively exploiting a Dell…