Operator dossier

apos is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 16 public victims claimed by this operator between April 29, 2024 and August 15, 2025. The apos ransomware group is a relatively new threat actor that emerged in April 2024, primarily motivated by financial gain through ransomware operations targeting organizations across multiple countries and sectors. Given their recent emergence and limited public documentation, their country of origin and affiliations with other ransomware groups remain unknown, though their targeting pattern suggests they may operate independently rather than as part of a larger ransomware-as-a-service ecosystem. Based on available data, the group has successfully compromised 16 known victims across Brazil, the United States, Argentina, Canada, and France, with a particular focus on technology, healthcare, business services, and manufacturing sectors, though their attack methodology and specific tools remain undocumented by major threat intelligence firms. No notable high-profile campaigns or major ransom payments have been publicly reported by CISA, FBI, Mandiant, or other reputable security researchers, likely due to the group's recent emergence and relatively small victim count. The group appears to remain active as of current reporting, though their limited public footprint suggests they are either a smaller operation or have managed to maintain a low profile in the threat landscape.

Most-targeted sectors

Not Found4 victims
Technology3 victims
Healthcare2 victims
Business Services2 victims
Manufacturing2 victims
Telecommunication1 victims

Most-affected countries

BR4 victims
US2 victims
AR1 victims
CA1 victims
FR1 victims
??1 victims

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

← All groups

apos

16 victims indexed · first seen 2 years ago · last activity 9 months ago

Victims indexed

#171 of 348 tracked operators

1y 4m

Active period

Apr 2024 → Aug 2025

Countries hit

top BR · 4

At a glance

Status: inactive
First seen: 2 years ago
Last activity: 9 months ago
Primary sector: Not Found · 4 hits

About

The apos ransomware group is a relatively new threat actor that emerged in April 2024, primarily motivated by financial gain through ransomware operations targeting organizations across multiple countries and sectors. Given their recent emergence and limited public documentation, their country of origin and affiliations with other ransomware groups remain unknown, though their targeting pattern suggests they may operate independently rather than as part of a larger ransomware-as-a-service ecosystem. Based on available data, the group has successfully compromised 16 known victims across Brazil, the United States, Argentina, Canada, and France, with a particular focus on technology, healthcare, business services, and manufacturing sectors, though their attack methodology and specific tools remain undocumented by major threat intelligence firms. No notable high-profile campaigns or major ransom payments have been publicly reported by CISA, FBI, Mandiant, or other reputable security researchers, likely due to the group's recent emergence and relatively small victim count. The group appears to remain active as of current reporting, though their limited public footprint suggests they are either a smaller operation or have managed to maintain a low profile in the threat landscape.

References

6 links

External sources curated by the MISP threat-intel community.

Timeline

7 months

2024-04-01T00:00:00+00:002025-08-01T00:00:00+00:00

Top countries

🇧🇷 BR

🇺🇸 US

🇦🇷 AR

🇨🇦 CA

🇫🇷 FR

🇪🇸 ES

🇬🇧 GB

BR dossier →US dossier →AR dossier →CA dossier →

Top sectors

Not Found

Technology

Healthcare

Business Services

Manufacturing

Telecommunication

Financial Services

Consumer Services

Not Found dossier →Technology dossier →Healthcare dossier →Business Services dossier →

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1059Command and Scripting Interpreter
T1486Data Encrypted for Impact

Recent victims

Loading…

Source

Updated 9 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.