Skip to main content

Operator dossier

kazu is a ransomware operator currently active on public leak sites. Darkfield has indexed 14 public victims claimed by this operator between November 11, 2025 and May 27, 2026. The Kazu ransomware group is a relatively new threat actor that emerged in November 2025, operating with apparent financial motivations based on their targeting patterns across multiple sectors and geographic regions. Given their recent emergence and limited public documentation, details about their country of origin and potential affiliations remain unclear, though their targeting of diverse international victims suggests either a ransomware-as-a-service model or an independent operation with broad reach capabilities. With only nine documented victims to date, specific details about Kazu's attack methodology, initial access vectors, and encryption techniques have not been extensively documented by major threat intelligence organizations, though their targeting spans healthcare, public sector, financial services, and technology organizations across the United States, Colombia, South Africa, Nigeria, and Great Britain. The group's recent emergence means there are no widely reported major campaigns or high-profile incidents documented by established security research organizations like Mandiant, CISA, or the FBI. As of the latest available intelligence, Kazu appears to remain active given their very recent first observation date, though their limited victim count and recent emergence make definitive assessments of their operational status preliminary.

Most-targeted sectors

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

kazu

14 victims indexed · first seen 8 months ago · last activity 2 months ago

14
Victims indexed
#191 of 364 tracked operators
6m
Active period
Nov 2025 → May 2026
7
Countries hit
top US · 2

At a glance

Status
active
First seen
8 months ago
Last activity
2 months ago
Onion sites
1 known endpoint
Primary sector
Healthcare · 3 hits

About

The Kazu ransomware group is a relatively new threat actor that emerged in November 2025, operating with apparent financial motivations based on their targeting patterns across multiple sectors and geographic regions. Given their recent emergence and limited public documentation, details about their country of origin and potential affiliations remain unclear, though their targeting of diverse international victims suggests either a ransomware-as-a-service model or an independent operation with broad reach capabilities. With only nine documented victims to date, specific details about Kazu's attack methodology, initial access vectors, and encryption techniques have not been extensively documented by major threat intelligence organizations, though their targeting spans healthcare, public sector, financial services, and technology organizations across the United States, Colombia, South Africa, Nigeria, and Great Britain. The group's recent emergence means there are no widely reported major campaigns or high-profile incidents documented by established security research organizations like Mandiant, CISA, or the FBI. As of the latest available intelligence, Kazu appears to remain active given their very recent first observation date, though their limited victim count and recent emergence make definitive assessments of their operational status preliminary.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

3 months
2025-11-01T00:00:00+00:00 · 32025-12-01T00:00:00+00:00 · 42026-01-01T00:00:00+00:00 · 2
2025-11-01T00:00:00+00:002026-01-01T00:00:00+00:00

Top countries

🇺🇸 United States
2
🇨🇴 Colombia
2
🇸🇦 Saudi Arabia
1
🇳🇬 Nigeria
1
🇬🇧 United Kingdom
1
🇪🇸 Spain
1
🇳🇿 New Zealand
1

Top sectors

Healthcare
3
Public Sector
2
Financial Services
1
Technology
1

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known
  • http://6czlbd2jfiy6765fbnbnzuwuqocg57ebvp3tbm35kib425k4qnmiiiqd.onion

Source

Updated 2 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time kazu posts a victim.

Add kazu to your watchlist — Pro pings you within 5 minutes of any new kazu leak-site post, Telegram callout, or affiliate-rebrand inference.