Operator dossier

Icarus is a ransomware operator currently active on public leak sites. Darkfield has indexed 1 public victims claimed by this operator between May 5, 2026. Based on available threat intelligence, Icarus is an emerging ransomware group first observed in May 2026 with limited documented activity to date. The group appears to be in early operational stages with only one confirmed victim reported in public security advisories. Icarus has demonstrated targeting focus on Indonesia's financial services sector, suggesting either regional operational preferences or specific expertise in compromising financial institutions within Southeast Asian markets. Due to the group's recent emergence and minimal public reporting from established threat intelligence sources, detailed information regarding their specific attack methodologies, initial access vectors, encryption techniques, or organizational structure remains undocumented by major security research firms or government agencies. No confirmed attribution to specific threat actors, state sponsorship, or connections to established ransomware-as-a-service operations has been reported by CISA, FBI, or leading cybersecurity organizations. The group's current operational status remains unclear given the limited intelligence available, though their recent emergence suggests they may still be active or in developmental phases of their ransomware operations.

Most-targeted sectors

Financial Services1 victims

Most-affected countries

ID1 victims

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

Icarus

1 victims indexed · first seen 15 days ago · last activity 15 days ago

Victims indexed

#343 of 348 tracked operators

<1m

Active period

May 2026 → May 2026

Countries hit

top ID · 1

At a glance

Status: active
First seen: 15 days ago
Last activity: 15 days ago
Onion sites: 1 known endpoint
Primary sector: Financial Services · 1 hits

About

Based on available threat intelligence, Icarus is an emerging ransomware group first observed in May 2026 with limited documented activity to date. The group appears to be in early operational stages with only one confirmed victim reported in public security advisories. Icarus has demonstrated targeting focus on Indonesia's financial services sector, suggesting either regional operational preferences or specific expertise in compromising financial institutions within Southeast Asian markets. Due to the group's recent emergence and minimal public reporting from established threat intelligence sources, detailed information regarding their specific attack methodologies, initial access vectors, encryption techniques, or organizational structure remains undocumented by major security research firms or government agencies. No confirmed attribution to specific threat actors, state sponsorship, or connections to established ransomware-as-a-service operations has been reported by CISA, FBI, or leading cybersecurity organizations. The group's current operational status remains unclear given the limited intelligence available, though their recent emergence suggests they may still be active or in developmental phases of their ransomware operations.

Timeline

1 months

2026-05-01T00:00:00+00:002026-05-01T00:00:00+00:00

Top countries

🇮🇩 ID

ID dossier →

Top sectors

Financial Services

Financial Services dossier →

MITRE ATT&CK

1 techniques · 1 tactics

Tactics

Impact

Techniques

T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known

http://http://e6ujsppajgb756x7x5ykdryvlcjynltb52eiwi6pd4bfwo6hddd6neid.onion

Source

Updated 15 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.