Skip to main content

Operator dossier

Icarus is a ransomware operator currently active on public leak sites. Darkfield has indexed 11 public victims claimed by this operator between May 5, 2026 and June 23, 2026. Based on available threat intelligence, Icarus is an emerging ransomware group first observed in May 2026 with limited documented activity to date. The group appears to be in early operational stages with only one confirmed victim reported in public security advisories. Icarus has demonstrated targeting focus on Indonesia's financial services sector, suggesting either regional operational preferences or specific expertise in compromising financial institutions within Southeast Asian markets. Due to the group's recent emergence and minimal public reporting from established threat intelligence sources, detailed information regarding their specific attack methodologies, initial access vectors, encryption techniques, or organizational structure remains undocumented by major security research firms or government agencies. No confirmed attribution to specific threat actors, state sponsorship, or connections to established ransomware-as-a-service operations has been reported by CISA, FBI, or leading cybersecurity organizations. The group's current operational status remains unclear given the limited intelligence available, though their recent emergence suggests they may still be active or in developmental phases of their ransomware operations.

Most-targeted sectors

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Icarus

11 victims indexed · first seen 2 months ago · last activity 22 days ago

11
Victims indexed
#204 of 364 tracked operators
1m
Active period
May 2026 → Jun 2026
1
Countries hit
top ID · 1

At a glance

Status
active
First seen
2 months ago
Last activity
22 days ago
Onion sites
2 known endpoints
Primary sector
Financial Services · 1 hits

About

Based on available threat intelligence, Icarus is an emerging ransomware group first observed in May 2026 with limited documented activity to date. The group appears to be in early operational stages with only one confirmed victim reported in public security advisories. Icarus has demonstrated targeting focus on Indonesia's financial services sector, suggesting either regional operational preferences or specific expertise in compromising financial institutions within Southeast Asian markets. Due to the group's recent emergence and minimal public reporting from established threat intelligence sources, detailed information regarding their specific attack methodologies, initial access vectors, encryption techniques, or organizational structure remains undocumented by major security research firms or government agencies. No confirmed attribution to specific threat actors, state sponsorship, or connections to established ransomware-as-a-service operations has been reported by CISA, FBI, or leading cybersecurity organizations. The group's current operational status remains unclear given the limited intelligence available, though their recent emergence suggests they may still be active or in developmental phases of their ransomware operations.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

1 months
2026-05-01T00:00:00+00:00 · 1
2026-05-01T00:00:00+00:002026-05-01T00:00:00+00:00

Top countries

🇮🇩 Indonesia
1

Top sectors

Financial Services
1

MITRE ATT&CK

1 techniques · 1 tactics

Tactics

Impact

Techniques

  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known
  • http://e6ujsppajgb756x7x5ykdryvlcjynltb52eiwi6pd4bfwo6hddd6neid.onion
  • http://http://e6ujsppajgb756x7x5ykdryvlcjynltb52eiwi6pd4bfwo6hddd6neid.onion

Source

Updated 22 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Icarus posts a victim.

Add Icarus to your watchlist — Pro pings you within 5 minutes of any new Icarus leak-site post, Telegram callout, or affiliate-rebrand inference.