Operator dossier

Cloak is a ransomware operator currently active on public leak sites. Darkfield has indexed 162 public victims claimed by this operator between August 24, 2023 and February 24, 2026. Cloak is a relatively new ransomware group that emerged in August 2023, operating with primarily financial motivations and demonstrating a broad international targeting scope with 162 documented victims across multiple sectors. The group's origin and specific affiliations remain undocumented in public threat intelligence reporting, though their operational patterns suggest they may operate independently rather than as part of a larger ransomware-as-a-service ecosystem. Limited public documentation exists regarding their specific attack methodologies, encryption techniques, or data exfiltration practices, though their targeting patterns indicate sophisticated capabilities to compromise organizations across diverse sectors including business services, technology, healthcare, and manufacturing. The group has demonstrated a preference for targeting victims in English-speaking countries and Western Europe, with the United States, Germany, United Kingdom, Canada, and Italy representing their primary geographic focus areas. Cloak appears to remain active as of current reporting, though the relative scarcity of detailed public analysis from major threat intelligence firms suggests either operational security effectiveness or a lower profile compared to more established ransomware operations.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

Cloak

162 victims indexed · first seen 3 years ago · last activity 3 months ago

162

Victims indexed

#52 of 348 tracked operators

2y 6m

Active period

Aug 2023 → Feb 2026

Countries hit

top United States · 39

At a glance

Status: active
First seen: 3 years ago
Last activity: 3 months ago
Onion sites: 2 known endpoints
Primary sector: Not Found · 59 hits

About

Cloak is a relatively new ransomware group that emerged in August 2023, operating with primarily financial motivations and demonstrating a broad international targeting scope with 162 documented victims across multiple sectors. The group's origin and specific affiliations remain undocumented in public threat intelligence reporting, though their operational patterns suggest they may operate independently rather than as part of a larger ransomware-as-a-service ecosystem. Limited public documentation exists regarding their specific attack methodologies, encryption techniques, or data exfiltration practices, though their targeting patterns indicate sophisticated capabilities to compromise organizations across diverse sectors including business services, technology, healthcare, and manufacturing. The group has demonstrated a preference for targeting victims in English-speaking countries and Western Europe, with the United States, Germany, United Kingdom, Canada, and Italy representing their primary geographic focus areas. Cloak appears to remain active as of current reporting, though the relative scarcity of detailed public analysis from major threat intelligence firms suggests either operational security effectiveness or a lower profile compared to more established ransomware operations.

References

6 links

External sources curated by the MISP threat-intel community.

Timeline

24 months

2024-02-01T00:00:00+00:002026-02-01T00:00:00+00:00

Top countries

🇺🇸 United States

🇩🇪 Germany

🇬🇧 United Kingdom

🇨🇦 Canada

🇮🇹 Italy

🇫🇷 France

🇨🇭 Switzerland

🇱🇰 Sri Lanka

United States dossier →Germany dossier →United Kingdom dossier →Canada dossier →

Top sectors

Not Found

Business Services

Technology

Healthcare

Manufacturing

Transportation/Logistics

Government

Public Sector

Not Found dossier →Business Services dossier →Technology dossier →Healthcare dossier →

MITRE ATT&CK

5 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1204User Execution
T1027Obfuscated Files or Information
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known

http://cloak.su
http://cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd.onion

Source

Updated 3 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.