Skip to main content

Operator dossier

apos is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 16 public victims claimed by this operator between April 29, 2024 and August 15, 2025. The apos ransomware group is a relatively new threat actor that emerged in April 2024, primarily motivated by financial gain through ransomware operations targeting organizations across multiple countries and sectors. Given their recent emergence and limited public documentation, their country of origin and affiliations with other ransomware groups remain unknown, though their targeting pattern suggests they may operate independently rather than as part of a larger ransomware-as-a-service ecosystem. Based on available data, the group has successfully compromised 16 known victims across Brazil, the United States, Argentina, Canada, and France, with a particular focus on technology, healthcare, business services, and manufacturing sectors, though their attack methodology and specific tools remain undocumented by major threat intelligence firms. No notable high-profile campaigns or major ransom payments have been publicly reported by CISA, FBI, Mandiant, or other reputable security researchers, likely due to the group's recent emergence and relatively small victim count. The group appears to remain active as of current reporting, though their limited public footprint suggests they are either a smaller operation or have managed to maintain a low profile in the threat landscape.

Most-targeted sectors

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

apos

16 victims indexed · first seen 2 years ago · last activity 11 months ago

16
Victims indexed
#174 of 364 tracked operators
1y 4m
Active period
Apr 2024 → Aug 2025
9
Countries hit
top BR · 4

At a glance

Status
inactive
First seen
2 years ago
Last activity
11 months ago
Primary sector
Not Found · 4 hits

About

The apos ransomware group is a relatively new threat actor that emerged in April 2024, primarily motivated by financial gain through ransomware operations targeting organizations across multiple countries and sectors. Given their recent emergence and limited public documentation, their country of origin and affiliations with other ransomware groups remain unknown, though their targeting pattern suggests they may operate independently rather than as part of a larger ransomware-as-a-service ecosystem. Based on available data, the group has successfully compromised 16 known victims across Brazil, the United States, Argentina, Canada, and France, with a particular focus on technology, healthcare, business services, and manufacturing sectors, though their attack methodology and specific tools remain undocumented by major threat intelligence firms. No notable high-profile campaigns or major ransom payments have been publicly reported by CISA, FBI, Mandiant, or other reputable security researchers, likely due to the group's recent emergence and relatively small victim count. The group appears to remain active as of current reporting, though their limited public footprint suggests they are either a smaller operation or have managed to maintain a low profile in the threat landscape.

References

6 links

External sources curated by the MISP threat-intel community.

Timeline

7 months
2024-04-01T00:00:00+00:00 · 42024-10-01T00:00:00+00:00 · 12025-01-01T00:00:00+00:00 · 12025-02-01T00:00:00+00:00 · 12025-03-01T00:00:00+00:00 · 32025-06-01T00:00:00+00:00 · 52025-08-01T00:00:00+00:00 · 1
2024-04-01T00:00:00+00:002025-08-01T00:00:00+00:00

Top countries

🇧🇷 Brazil
4
🇺🇸 United States
2
🇦🇷 Argentina
1
🇨🇦 Canada
1
🇫🇷 France
1
??
1
🇪🇸 Spain
1
🇬🇧 United Kingdom
1

Top sectors

Technology
3
Healthcare
2
Business Services
2
Manufacturing
2
Telecommunication
1
Financial Services
1
Consumer Services
1

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Source

Updated 11 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time apos posts a victim.

Add apos to your watchlist — Pro pings you within 5 minutes of any new apos leak-site post, Telegram callout, or affiliate-rebrand inference.