Skip to main content

Operator dossier

lamashtu is a ransomware operator currently active on public leak sites. Darkfield has indexed 34 public victims claimed by this operator between April 13, 2026 and June 17, 2026. Based on the limited available information, Lamashtu is an emerging ransomware group that was first observed in April 2026, appearing to be financially motivated based on their operational patterns. The group's origin and potential affiliations remain unclear due to their recent emergence and limited public documentation by major threat intelligence organizations. Lamashtu's attack methodology and specific technical capabilities have not been extensively documented by established security researchers, though their targeting patterns suggest they employ standard ransomware deployment techniques across multiple industry verticals. The group has conducted at least 8 confirmed attacks, demonstrating a geographically diverse targeting approach with victims identified in France, Italy, the United States, Singapore, and Malaysia, while focusing primarily on business services, manufacturing, transportation and logistics, hospitality and tourism, and energy sectors. Given the group's recent first observation in April 2026 and limited public threat intelligence reporting from established sources like CISA, FBI, or major security firms, Lamashtu appears to represent a newly active threat actor whose current operational status and long-term capabilities require further monitoring and analysis.

Most-targeted sectors

Most-affected countries

Recent disclosures by lamashtu

All 34 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for lamashtu

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

lamashtu

34 victims indexed · first seen 3 months ago · last activity 28 days ago

34
Victims indexed
#133 of 364 tracked operators
2m
Active period
Apr 2026 → Jun 2026
5
Countries hit
top FR · 3

At a glance

Status
active
First seen
3 months ago
Last activity
28 days ago
Onion sites
1 known endpoint
Primary sector
Business Services · 3 hits

About

Based on the limited available information, Lamashtu is an emerging ransomware group that was first observed in April 2026, appearing to be financially motivated based on their operational patterns. The group's origin and potential affiliations remain unclear due to their recent emergence and limited public documentation by major threat intelligence organizations. Lamashtu's attack methodology and specific technical capabilities have not been extensively documented by established security researchers, though their targeting patterns suggest they employ standard ransomware deployment techniques across multiple industry verticals. The group has conducted at least 8 confirmed attacks, demonstrating a geographically diverse targeting approach with victims identified in France, Italy, the United States, Singapore, and Malaysia, while focusing primarily on business services, manufacturing, transportation and logistics, hospitality and tourism, and energy sectors. Given the group's recent first observation in April 2026 and limited public threat intelligence reporting from established sources like CISA, FBI, or major security firms, Lamashtu appears to represent a newly active threat actor whose current operational status and long-term capabilities require further monitoring and analysis.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

1 months
2026-04-01T00:00:00+00:00 · 8
2026-04-01T00:00:00+00:002026-04-01T00:00:00+00:00

Top countries

🇫🇷 France
3
🇮🇹 Italy
2
🇺🇸 United States
1
🇸🇬 Singapore
1
🇲🇾 Malaysia
1

Top sectors

Business Services
3
Manufacturing
2
Transportation/Logistics
1
Hospitality and Tourism
1
Energy
1

MITRE ATT&CK

3 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

  • T1566Phishing
  • T1059Command and Scripting Interpreter
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known
  • http://lamashtux5j74mcm7lwwgn5yrvuwtrpxjoyendif3v3hrztjesfoyayd.onion/

Source

Updated 28 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time lamashtu posts a victim.

Add lamashtu to your watchlist — Pro pings you within 5 minutes of any new lamashtu leak-site post, Telegram callout, or affiliate-rebrand inference.