Operator dossier

pear is a ransomware operator currently active on public leak sites. Darkfield has indexed 87 public victims claimed by this operator between August 5, 2025 and May 20, 2026. The Pear ransomware group is a relatively new threat actor that emerged in August 2025, operating with primarily financial motivations and targeting victims across multiple countries and sectors. Based on their recent emergence and limited public documentation, specific details about their country of origin and organizational structure remain unclear, though their targeting patterns suggest a financially-driven operation that may operate independently or as part of a smaller ransomware-as-a-service model. With 65 documented victims since their August 2025 debut, the group has demonstrated a preference for targeting organizations in the United States, New Zealand, Australia, Egypt, and Switzerland, with particular focus on healthcare, business services, manufacturing, and technology sectors. Their attack methodology and specific technical details have not been extensively documented by major threat intelligence firms or law enforcement agencies, though their rapid victim acquisition suggests they have established effective initial access and encryption capabilities. Notable campaigns and high-profile attacks have not been publicly detailed by CISA, FBI, or major security research organizations, likely due to the group's recent emergence and relatively small scale compared to established ransomware operations. As of late 2025, Pear appears to remain active given their recent emergence and ongoing victim targeting across multiple geographic regions and industry verticals.

Most-targeted sectors

Not Found29 victims
Healthcare10 victims
Business Services7 victims
Manufacturing5 victims
Technology4 victims
Education3 victims

Most-affected countries

US60 victims
NZ1 victims
AU1 victims
EG1 victims
CH1 victims

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

pear

87 victims indexed · first seen 10 months ago · last activity 14 hours ago

Victims indexed

#76 of 348 tracked operators

Active period

Aug 2025 → May 2026

Countries hit

top US · 60

At a glance

Status: active
First seen: 10 months ago
Last activity: 14 hours ago
Onion sites: 1 known endpoint
Primary sector: Not Found · 29 hits

About

The Pear ransomware group is a relatively new threat actor that emerged in August 2025, operating with primarily financial motivations and targeting victims across multiple countries and sectors. Based on their recent emergence and limited public documentation, specific details about their country of origin and organizational structure remain unclear, though their targeting patterns suggest a financially-driven operation that may operate independently or as part of a smaller ransomware-as-a-service model. With 65 documented victims since their August 2025 debut, the group has demonstrated a preference for targeting organizations in the United States, New Zealand, Australia, Egypt, and Switzerland, with particular focus on healthcare, business services, manufacturing, and technology sectors. Their attack methodology and specific technical details have not been extensively documented by major threat intelligence firms or law enforcement agencies, though their rapid victim acquisition suggests they have established effective initial access and encryption capabilities. Notable campaigns and high-profile attacks have not been publicly detailed by CISA, FBI, or major security research organizations, likely due to the group's recent emergence and relatively small scale compared to established ransomware operations. As of late 2025, Pear appears to remain active given their recent emergence and ongoing victim targeting across multiple geographic regions and industry verticals.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/pear

Timeline

8 months

2025-08-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 US

🇳🇿 NZ

🇦🇺 AU

🇪🇬 EG

🇨🇭 CH

🇩🇪 DE

US dossier →NZ dossier →AU dossier →EG dossier →

Top sectors

Not Found

Healthcare

Business Services

Manufacturing

Technology

Education

Financial Services

Public Sector

Not Found dossier →Healthcare dossier →Business Services dossier →Manufacturing dossier →

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1059Command and Scripting Interpreter
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known

http://peargxn3oki34c4savcbcfqofjjwjnnyrlrbszfv6ujlx36mhrh57did.onion

Source

Updated 14 hours ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.