Lamashtu is a ransomware operator currently active on public leak sites. Darkfield has indexed 30 public victims claimed by this operator between April 13, 2026 and May 19, 2026.

Based on the limited available information, Lamashtu is an emerging ransomware group, first observed in April 2026, that appears to be financially motivated, judging by its operational patterns. The group's origin and potential affiliations remain unclear because of its recent emergence and the limited public documentation by major threat intelligence organizations. Its attack methodology and specific technical capabilities have not been extensively documented by established security researchers, though its targeting patterns suggest it employs standard ransomware deployment techniques across multiple industry verticals.

The group has conducted at least 8 confirmed attacks, demonstrating a geographically diverse targeting approach with victims identified in France, Italy, the United States, Singapore, and Malaysia, while focusing primarily on the business services, manufacturing, transportation and logistics, hospitality and tourism, and energy sectors.

Given the group's first observation in April 2026 and the limited public threat intelligence reporting from established sources such as CISA, the FBI, or major security firms, Lamashtu appears to be a newly active threat actor whose current operational status and long-term capabilities require further monitoring and analysis.
How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.