Skip to main content

Operator dossier

netrunner is a ransomware operator currently active on public leak sites. Darkfield has indexed 9 public victims claimed by this operator between April 3, 2026 and May 16, 2026. Based on the limited publicly available information, netrunner is a relatively new ransomware group that first emerged in April 2026 with documented attacks against at least six organizations. The group appears to be financially motivated, targeting a diverse range of sectors including healthcare, consumer services, telecommunications, manufacturing, and agriculture across multiple countries including Japan, the United States, Jordan, Italy, and South Korea. Due to the recent emergence of this group and limited public reporting from established threat intelligence sources, detailed information about their country of origin, operational affiliations, specific attack methodologies, encryption techniques, or whether they operate as a Ransomware-as-a-Service model remains undocumented by major cybersecurity organizations such as CISA, FBI, or Mandiant. The group's targeting pattern suggests opportunistic victim selection rather than geopolitically motivated attacks, given the broad geographic and sectoral distribution of their documented victims. No major high-profile campaigns or significant law enforcement actions against netrunner have been publicly reported by reputable security researchers at this time. Given the group's recent emergence in 2026, current activity status and operational capabilities require further monitoring and analysis by the cybersecurity community.

Most-targeted sectors

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

netrunner

9 victims indexed · first seen 3 months ago · last activity 2 months ago

9
Victims indexed
#214 of 364 tracked operators
1m
Active period
Apr 2026 → May 2026
5
Countries hit
top JP · 2

At a glance

Status
active
First seen
3 months ago
Last activity
2 months ago
Onion sites
1 known endpoint
Primary sector
Healthcare · 2 hits

About

Based on the limited publicly available information, netrunner is a relatively new ransomware group that first emerged in April 2026 with documented attacks against at least six organizations. The group appears to be financially motivated, targeting a diverse range of sectors including healthcare, consumer services, telecommunications, manufacturing, and agriculture across multiple countries including Japan, the United States, Jordan, Italy, and South Korea. Due to the recent emergence of this group and limited public reporting from established threat intelligence sources, detailed information about their country of origin, operational affiliations, specific attack methodologies, encryption techniques, or whether they operate as a Ransomware-as-a-Service model remains undocumented by major cybersecurity organizations such as CISA, FBI, or Mandiant. The group's targeting pattern suggests opportunistic victim selection rather than geopolitically motivated attacks, given the broad geographic and sectoral distribution of their documented victims. No major high-profile campaigns or significant law enforcement actions against netrunner have been publicly reported by reputable security researchers at this time. Given the group's recent emergence in 2026, current activity status and operational capabilities require further monitoring and analysis by the cybersecurity community.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

1 months
2026-04-01T00:00:00+00:00 · 6
2026-04-01T00:00:00+00:002026-04-01T00:00:00+00:00

Top countries

🇯🇵 Japan
2
🇺🇸 United States
1
🇯🇴 Jordan
1
🇮🇹 Italy
1
🇰🇷 South Korea
1

Top sectors

Healthcare
2
Consumer Services
1
Telecommunication
1
Manufacturing
1
Agriculture and Food Production
1

MITRE ATT&CK

3 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

  • T1566Phishing
  • T1059Command and Scripting Interpreter
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known
  • http://netrunrsb3bivj5gnwajzxlig5qkteb6edgthxj7fmsvhkzxtwfxwaad.onion

Source

Updated 2 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time netrunner posts a victim.

Add netrunner to your watchlist — Pro pings you within 5 minutes of any new netrunner leak-site post, Telegram callout, or affiliate-rebrand inference.