Operator dossier

netrunner is a ransomware operator currently active on public leak sites. Darkfield has indexed 9 public victims claimed by this operator between April 3, 2026 and May 16, 2026. Based on the limited publicly available information, netrunner is a relatively new ransomware group that first emerged in April 2026 with documented attacks against at least six organizations. The group appears to be financially motivated, targeting a diverse range of sectors including healthcare, consumer services, telecommunications, manufacturing, and agriculture across multiple countries including Japan, the United States, Jordan, Italy, and South Korea. Due to the recent emergence of this group and limited public reporting from established threat intelligence sources, detailed information about their country of origin, operational affiliations, specific attack methodologies, encryption techniques, or whether they operate as a Ransomware-as-a-Service model remains undocumented by major cybersecurity organizations such as CISA, FBI, or Mandiant. The group's targeting pattern suggests opportunistic victim selection rather than geopolitically motivated attacks, given the broad geographic and sectoral distribution of their documented victims. No major high-profile campaigns or significant law enforcement actions against netrunner have been publicly reported by reputable security researchers at this time. Given the group's recent emergence in 2026, current activity status and operational capabilities require further monitoring and analysis by the cybersecurity community.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

netrunner

9 victims indexed · first seen 2 months ago · last activity 5 days ago

Victims indexed

#206 of 348 tracked operators

Active period

Apr 2026 → May 2026

Countries hit

top JP · 2

At a glance

Status: active
First seen: 2 months ago
Last activity: 5 days ago
Onion sites: 1 known endpoint
Primary sector: Healthcare · 2 hits

About

Based on the limited publicly available information, netrunner is a relatively new ransomware group that first emerged in April 2026 with documented attacks against at least six organizations. The group appears to be financially motivated, targeting a diverse range of sectors including healthcare, consumer services, telecommunications, manufacturing, and agriculture across multiple countries including Japan, the United States, Jordan, Italy, and South Korea. Due to the recent emergence of this group and limited public reporting from established threat intelligence sources, detailed information about their country of origin, operational affiliations, specific attack methodologies, encryption techniques, or whether they operate as a Ransomware-as-a-Service model remains undocumented by major cybersecurity organizations such as CISA, FBI, or Mandiant. The group's targeting pattern suggests opportunistic victim selection rather than geopolitically motivated attacks, given the broad geographic and sectoral distribution of their documented victims. No major high-profile campaigns or significant law enforcement actions against netrunner have been publicly reported by reputable security researchers at this time. Given the group's recent emergence in 2026, current activity status and operational capabilities require further monitoring and analysis by the cybersecurity community.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/netrunner

Timeline

1 months

2026-04-01T00:00:00+00:002026-04-01T00:00:00+00:00

Top countries

🇯🇵 JP

🇺🇸 US

🇯🇴 JO

🇮🇹 IT

🇰🇷 South Korea

JP dossier →US dossier →JO dossier →IT dossier →

Top sectors

Healthcare

Consumer Services

Telecommunication

Manufacturing

Agriculture and Food Production

Healthcare dossier →Consumer Services dossier →Telecommunication dossier →Manufacturing dossier →

MITRE ATT&CK

3 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

T1566Phishing
T1059Command and Scripting Interpreter
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known

http://netrunrsb3bivj5gnwajzxlig5qkteb6edgthxj7fmsvhkzxtwfxwaad.onion

Source

Updated 5 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.