Skip to main content

Operator dossier

ORION is a ransomware operator currently active on public leak sites. Darkfield has indexed 4 public victims claimed by this operator between May 14, 2026 and May 17, 2026. Jan13, 2026: We believe the group might be related to Babuk-Bjorka.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

ORION

4 victims indexed · first seen 2 months ago · last activity 2 months ago

4
Victims indexed
#267 of 364 tracked operators
<1m
Active period
May 2026 → May 2026
Countries hit

At a glance

Status
active
First seen
2 months ago
Last activity
2 months ago
Onion sites
1 known endpoint

About

Jan13, 2026: We believe the group might be related to Babuk-Bjorka.

References

1 link

External sources curated by the MISP threat-intel community.

Recent victims

Loading…

Onion infrastructure

1 known
  • http://cjfntkj5qeizxowuy3srceg7zo6namc3kfeor7pfn6bpdkl3w265ooid.onion

Source

Updated 2 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time ORION posts a victim.

Add ORION to your watchlist — Pro pings you within 5 minutes of any new ORION leak-site post, Telegram callout, or affiliate-rebrand inference.