Operator dossier

AuditTeam (also tracked as audit team) is a ransomware operator currently active on public leak sites. Darkfield has indexed 8 public victims claimed by this operator between April 8, 2026 and May 18, 2026. AuditTeam is a relatively obscure ransomware group that emerged in April 2026 and appears to be financially motivated based on their operational patterns. The group's origin and affiliations remain unclear due to limited public documentation, though their targeting of victims primarily across China, Hong Kong, Philippines, South Korea, and Thailand suggests possible regional focus or language capabilities in Asian markets. With only five documented victims to date, AuditTeam appears to operate as a smaller-scale ransomware operation, showing particular interest in manufacturing and technology sectors alongside unspecified target types. Due to the group's recent emergence and limited scale of operations, there are no publicly documented major campaigns, high-profile victims, or significant law enforcement actions against them by agencies such as CISA, FBI, or major security research firms. The group's current operational status remains unknown given the sparse public intelligence available, and their attack methodology, encryption techniques, and extortion tactics have not been comprehensively documented by reputable security researchers as of available reporting.

Most-targeted sectors

Not Found3 victims
Manufacturing1 victims
Technology1 victims

Most-affected countries

CN1 victims
HK1 victims
PH1 victims
KR1 victims
TH1 victims

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

AuditTeam

aka audit team · 8 victims indexed · first seen 1 month ago · last activity 3 days ago

Victims indexed

#216 of 348 tracked operators

Active period

Apr 2026 → May 2026

Countries hit

top CN · 1

At a glance

Status: active
Aliases: audit team
First seen: 1 month ago
Last activity: 3 days ago
Primary sector: Not Found · 3 hits

About

AuditTeam is a relatively obscure ransomware group that emerged in April 2026 and appears to be financially motivated based on their operational patterns. The group's origin and affiliations remain unclear due to limited public documentation, though their targeting of victims primarily across China, Hong Kong, Philippines, South Korea, and Thailand suggests possible regional focus or language capabilities in Asian markets. With only five documented victims to date, AuditTeam appears to operate as a smaller-scale ransomware operation, showing particular interest in manufacturing and technology sectors alongside unspecified target types. Due to the group's recent emergence and limited scale of operations, there are no publicly documented major campaigns, high-profile victims, or significant law enforcement actions against them by agencies such as CISA, FBI, or major security research firms. The group's current operational status remains unknown given the sparse public intelligence available, and their attack methodology, encryption techniques, and extortion tactics have not been comprehensively documented by reputable security researchers as of available reporting.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/audit team

Timeline

1 months

2026-04-01T00:00:00+00:002026-04-01T00:00:00+00:00

Top countries

🇨🇳 CN

🇭🇰 HK

🇵🇭 PH

🇰🇷 KR

🇹🇭 TH

CN dossier →HK dossier →PH dossier →KR dossier →

Top sectors

Not Found

Manufacturing

Technology

Not Found dossier →Manufacturing dossier →Technology dossier →

Recent victims

Loading…

Source

Updated 3 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.