Operator dossier

kazu is a ransomware operator currently active on public leak sites. Darkfield has indexed 12 public victims claimed by this operator between November 11, 2025 and May 20, 2026. The Kazu ransomware group is a relatively new threat actor that emerged in November 2025, operating with apparent financial motivations based on their targeting patterns across multiple sectors and geographic regions. Given their recent emergence and limited public documentation, details about their country of origin and potential affiliations remain unclear, though their targeting of diverse international victims suggests either a ransomware-as-a-service model or an independent operation with broad reach capabilities. With only nine documented victims to date, specific details about Kazu's attack methodology, initial access vectors, and encryption techniques have not been extensively documented by major threat intelligence organizations, though their targeting spans healthcare, public sector, financial services, and technology organizations across the United States, Colombia, South Africa, Nigeria, and Great Britain. The group's recent emergence means there are no widely reported major campaigns or high-profile incidents documented by established security research organizations like Mandiant, CISA, or the FBI. As of the latest available intelligence, Kazu appears to remain active given their very recent first observation date, though their limited victim count and recent emergence make definitive assessments of their operational status preliminary.

Most-targeted sectors

Healthcare3 victims
Not Found2 victims
Public Sector2 victims
Financial Services1 victims
Technology1 victims

Most-affected countries

US2 victims
CO2 victims
SA1 victims
NG1 victims
GB1 victims
ES1 victims

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

kazu

12 victims indexed · first seen 6 months ago · last activity 23 hours ago

Victims indexed

#191 of 348 tracked operators

Active period

Nov 2025 → May 2026

Countries hit

top US · 2

At a glance

Status: active
First seen: 6 months ago
Last activity: 23 hours ago
Onion sites: 1 known endpoint
Primary sector: Healthcare · 3 hits

About

The Kazu ransomware group is a relatively new threat actor that emerged in November 2025, operating with apparent financial motivations based on their targeting patterns across multiple sectors and geographic regions. Given their recent emergence and limited public documentation, details about their country of origin and potential affiliations remain unclear, though their targeting of diverse international victims suggests either a ransomware-as-a-service model or an independent operation with broad reach capabilities. With only nine documented victims to date, specific details about Kazu's attack methodology, initial access vectors, and encryption techniques have not been extensively documented by major threat intelligence organizations, though their targeting spans healthcare, public sector, financial services, and technology organizations across the United States, Colombia, South Africa, Nigeria, and Great Britain. The group's recent emergence means there are no widely reported major campaigns or high-profile incidents documented by established security research organizations like Mandiant, CISA, or the FBI. As of the latest available intelligence, Kazu appears to remain active given their very recent first observation date, though their limited victim count and recent emergence make definitive assessments of their operational status preliminary.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/kazu

Timeline

3 months

2025-11-01T00:00:00+00:002026-01-01T00:00:00+00:00

Top countries

🇺🇸 US

🇨🇴 CO

🇸🇦 SA

🇳🇬 NG

🇬🇧 GB

🇪🇸 ES

🇳🇿 NZ

US dossier →CO dossier →SA dossier →NG dossier →

Top sectors

Healthcare

Not Found

Public Sector

Financial Services

Technology

Healthcare dossier →Not Found dossier →Public Sector dossier →Financial Services dossier →

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1059Command and Scripting Interpreter
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known

http://6czlbd2jfiy6765fbnbnzuwuqocg57ebvp3tbm35kib425k4qnmiiiqd.onion

Source

Updated 23 hours ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.