Direwolf is a ransomware operator currently active on public leak sites. Darkfield has indexed 71 public victims claimed by this operator between May 27, 2025 and January 13, 2026.

Direwolf is a ransomware group that emerged in May 2025 with primarily financial motivations, having targeted 71 known victims across multiple sectors and geographic regions. The group's origin and potential affiliations remain undocumented in public threat intelligence reports, with no confirmed information regarding whether they operate as a Ransomware-as-a-Service model or as an independent entity. Their attack methodology and technical capabilities have not been extensively documented by major cybersecurity firms or government agencies, though their targeting patterns indicate a focus on manufacturing, technology, healthcare, and transportation/logistics sectors across Malaysia, the United States, Thailand, Singapore, and Taiwan.

No major high-profile campaigns or significant ransomware demands have been publicly attributed to this group by CISA, FBI, or established security researchers such as Mandiant. Given the group's recent emergence and limited public documentation, their current operational status and long-term threat posture remain unclear, requiring continued monitoring by the cybersecurity community to establish a more comprehensive threat profile.

How we know this.
Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.