Skip to main content

Operator dossier

D1R is a ransomware operator currently active on public leak sites. Darkfield has indexed 3 public victims claimed by this operator between July 13, 2026. D1R is a ransomware group first observed in July 2026 with an apparent primary motivation of financial gain, though limited public documentation exists given the group's recent emergence and relatively small operational footprint. The group has claimed or been attributed to three known victims to date, with targeting concentrated in the United States, Great Britain, and Germany, suggesting a focus on English- and German-speaking Western economies. Based on available victim telemetry, D1R has demonstrated a preference for the Technology and Manufacturing sectors, which are commonly targeted by financially motivated ransomware actors due to the operational disruption leverage these industries present and their historically higher propensity to pay ransoms. No authoritative public reporting from CISA, FBI, Mandiant, or equivalent reputable security research organizations has been published at this time confirming D1R's specific initial access vectors, tooling, encryption methods, or affiliation with known ransomware-as-a-service ecosystems, and it remains unclear whether the group operates independently or as part of a broader affiliate network. Given the group's July 2026 first observation date and minimal victim count, D1R should be considered an emerging or nascent threat actor warranting continued monitoring, as early-stage ransomware groups frequently escalate in tempo and sophistication as they mature their operations and, potentially, affiliate with established RaaS platforms. Current status cannot be definitively assessed pending further public attribution and reporting from law enforcement or security research communities.

Most-targeted sectors

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

D1R

3 victims indexed · first seen 2 days ago · last activity 2 days ago

3
Victims indexed
#280 of 364 tracked operators
<1m
Active period
Jul 2026 → Jul 2026
3
Countries hit
top US · 1

At a glance

Status
active
First seen
2 days ago
Last activity
2 days ago
Onion sites
1 known endpoint
Primary sector
Technology · 2 hits

About

D1R is a ransomware group first observed in July 2026 with an apparent primary motivation of financial gain, though limited public documentation exists given the group's recent emergence and relatively small operational footprint. The group has claimed or been attributed to three known victims to date, with targeting concentrated in the United States, Great Britain, and Germany, suggesting a focus on English- and German-speaking Western economies. Based on available victim telemetry, D1R has demonstrated a preference for the Technology and Manufacturing sectors, which are commonly targeted by financially motivated ransomware actors due to the operational disruption leverage these industries present and their historically higher propensity to pay ransoms. No authoritative public reporting from CISA, FBI, Mandiant, or equivalent reputable security research organizations has been published at this time confirming D1R's specific initial access vectors, tooling, encryption methods, or affiliation with known ransomware-as-a-service ecosystems, and it remains unclear whether the group operates independently or as part of a broader affiliate network. Given the group's July 2026 first observation date and minimal victim count, D1R should be considered an emerging or nascent threat actor warranting continued monitoring, as early-stage ransomware groups frequently escalate in tempo and sophistication as they mature their operations and, potentially, affiliate with established RaaS platforms. Current status cannot be definitively assessed pending further public attribution and reporting from law enforcement or security research communities.

Timeline

1 months
2026-07-01T00:00:00+00:00 · 3
2026-07-01T00:00:00+00:002026-07-01T00:00:00+00:00

Top countries

🇺🇸 United States
1
🇬🇧 United Kingdom
1
🇩🇪 Germany
1

Top sectors

Technology
2
Manufacturing
1

MITRE ATT&CK

13 techniques · 7 tactics

Tactics

Initial AccessExecutionDefense EvasionDiscoveryCollectionExfiltrationImpact

Techniques

  • T1190Exploit Public-Facing Application
  • T1133External Remote Services
  • T1059Command and Scripting Interpreter
  • T1027Obfuscated Files or Information
  • T1562.001Impair Defenses: Disable or Modify Tools
  • T1083File and Directory Discovery
  • T1082System Information Discovery
  • T1057Process Discovery
  • T1005Data from Local System
  • T1041Exfiltration Over C2 Channel
  • T1567Exfiltration Over Web Service
  • T1486Data Encrypted for Impact
  • T1490Inhibit System Recovery

Recent victims

Loading…

Onion infrastructure

1 known
  • http://dirone3rl3vvq64ckcnrvhe2ogrhjrwu5u7hqzrlotu3rfvmqmmbsuqd.onion

Source

Updated 2 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time D1R posts a victim.

Add D1R to your watchlist — Pro pings you within 5 minutes of any new D1R leak-site post, Telegram callout, or affiliate-rebrand inference.