Skip to main content

Operator dossier

Cloak is a ransomware operator currently active on public leak sites. Darkfield has indexed 166 public victims claimed by this operator between August 24, 2023 and June 18, 2026. Cloak is a relatively new ransomware group that emerged in August 2023, operating with primarily financial motivations and demonstrating a broad international targeting scope with 162 documented victims across multiple sectors. The group's origin and specific affiliations remain undocumented in public threat intelligence reporting, though their operational patterns suggest they may operate independently rather than as part of a larger ransomware-as-a-service ecosystem. Limited public documentation exists regarding their specific attack methodologies, encryption techniques, or data exfiltration practices, though their targeting patterns indicate sophisticated capabilities to compromise organizations across diverse sectors including business services, technology, healthcare, and manufacturing. The group has demonstrated a preference for targeting victims in English-speaking countries and Western Europe, with the United States, Germany, United Kingdom, Canada, and Italy representing their primary geographic focus areas. Cloak appears to remain active as of current reporting, though the relative scarcity of detailed public analysis from major threat intelligence firms suggests either operational security effectiveness or a lower profile compared to more established ransomware operations.

Most-targeted sectors

Most-affected countries

Recent disclosures by Cloak

Most recent 150 of 166 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Cloak

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Cloak

166 victims indexed · first seen 3 years ago · last activity 27 days ago

166
Victims indexed
#54 of 364 tracked operators
2y 10m
Active period
Aug 2023 → Jun 2026
30
Countries hit
top United States · 44

At a glance

Status
active
First seen
3 years ago
Last activity
27 days ago
Onion sites
2 known endpoints
Primary sector
Not Found · 59 hits

About

Cloak is a relatively new ransomware group that emerged in August 2023, operating with primarily financial motivations and demonstrating a broad international targeting scope with 162 documented victims across multiple sectors. The group's origin and specific affiliations remain undocumented in public threat intelligence reporting, though their operational patterns suggest they may operate independently rather than as part of a larger ransomware-as-a-service ecosystem. Limited public documentation exists regarding their specific attack methodologies, encryption techniques, or data exfiltration practices, though their targeting patterns indicate sophisticated capabilities to compromise organizations across diverse sectors including business services, technology, healthcare, and manufacturing. The group has demonstrated a preference for targeting victims in English-speaking countries and Western Europe, with the United States, Germany, United Kingdom, Canada, and Italy representing their primary geographic focus areas. Cloak appears to remain active as of current reporting, though the relative scarcity of detailed public analysis from major threat intelligence firms suggests either operational security effectiveness or a lower profile compared to more established ransomware operations.

References

6 links

External sources curated by the MISP threat-intel community.

Timeline

24 months
2024-02-01T00:00:00+00:00 · 82024-03-01T00:00:00+00:00 · 62024-04-01T00:00:00+00:00 · 82024-05-01T00:00:00+00:00 · 42024-06-01T00:00:00+00:00 · 72024-07-01T00:00:00+00:00 · 82024-08-01T00:00:00+00:00 · 92024-09-01T00:00:00+00:00 · 72024-10-01T00:00:00+00:00 · 12024-11-01T00:00:00+00:00 · 102024-12-01T00:00:00+00:00 · 102025-01-01T00:00:00+00:00 · 82025-02-01T00:00:00+00:00 · 72025-03-01T00:00:00+00:00 · 52025-04-01T00:00:00+00:00 · 62025-05-01T00:00:00+00:00 · 12025-06-01T00:00:00+00:00 · 22025-07-01T00:00:00+00:00 · 22025-08-01T00:00:00+00:00 · 52025-09-01T00:00:00+00:00 · 12025-10-01T00:00:00+00:00 · 22025-11-01T00:00:00+00:00 · 22025-12-01T00:00:00+00:00 · 32026-02-01T00:00:00+00:00 · 4
2024-02-01T00:00:00+00:002026-02-01T00:00:00+00:00

Top countries

🇺🇸 United States
44
🇩🇪 Germany
37
🇬🇧 United Kingdom
10
🇨🇦 Canada
7
🇮🇹 Italy
6
🇫🇷 France
4
🇨🇭 Switzerland
3
🇪🇸 Spain
3

Top sectors

Business Services
27
Technology
20
Healthcare
9
Manufacturing
8
Financial Services
6
Government
5
Transportation/Logistics
5
Legal
4

MITRE ATT&CK

5 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1204User Execution
  • T1027Obfuscated Files or Information
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known
  • http://cloak.su
  • http://cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd.onion

Source

Updated 27 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Cloak posts a victim.

Add Cloak to your watchlist — Pro pings you within 5 minutes of any new Cloak leak-site post, Telegram callout, or affiliate-rebrand inference.