Inactive ransomware operator
← All groupsSlug
1 victims indexed · first seen 2 years ago · last activity 2 years ago
1
Victims indexed
#338 of 348 tracked operators
<1m
Active period
Jan 2024 → Jan 2024
1
Countries hit
top Ireland · 1
At a glance
- Status
- inactive
- First seen
- 2 years ago
- Last activity
- 2 years ago
- Onion sites
- 2 known endpoints
- Primary sector
- Transportation/Logistics · 1 hits
About
Slug is an obscure ransomware group that first emerged in January 2024, appearing to operate with financial motivations typical of most ransomware actors. Based on limited public reporting, the group has maintained a very low profile with minimal documented activity since its emergence. The group's origin and potential affiliations remain unknown due to the limited scope of their operations, and there is insufficient public information to determine whether they operate as part of a ransomware-as-a-service model or as an independent entity. Attack methodology details have not been publicly documented by major security firms or government agencies, reflecting the group's minimal operational footprint and limited impact on the broader threat landscape. The group's most notable characteristic is their apparent focus on Ireland's transportation and logistics sector, though with only one documented victim, this targeting pattern may not represent a deliberate specialization. Based on available intelligence from established security researchers, Slug remains a marginal player in the ransomware ecosystem with unclear current operational status.
References
1 linkExternal sources curated by the MISP threat-intel community.
Timeline
1 months2024-01-01T00:00:00+00:002024-01-01T00:00:00+00:00
Top countries
🇮🇪 Ireland
1
Top sectors
Transportation/Logistics
1
MITRE ATT&CK
130 techniques · 15 tacticsTactics
CollectionCommand And ControlCredential AccessDefense ImpairmentDiscoveryExecutionExfiltrationImpactInitial AccessLateral MovementPersistencePrivilege EscalationReconnaissanceResource DevelopmentStealth
Techniques
- T1003.001LSASS Memory
- T1005Data from Local System
- T1007System Service Discovery
- T1012Query Registry
- T1016System Network Configuration Discovery
- T1020Automated Exfiltration
- T1021.001Remote Desktop Protocol
- T1027Obfuscated Files or Information
- T1027.001Binary Padding
- T1027.002Software Packing
- T1027.007Dynamic API Resolution
- T1027.010Command Obfuscation
- T1027.012LNK Icon Smuggling
- T1027.013Encrypted/Encoded File
- T1027.015Compression
- T1027.016Junk Code Insertion
- T1033System Owner/User Discovery
- T1036.004Masquerade Task or Service
- T1036.005Match Legitimate Resource Name or Location
- T1036.007Double File Extension
- T1040Network Sniffing
- T1041Exfiltration Over C2 Channel
- T1053.005Scheduled Task
- T1055Process Injection
- T1055.001Dynamic-link Library Injection
- T1055.012Process Hollowing
- T1056.001Keylogging
- T1056.003Web Portal Capture
- T1057Process Discovery
- T1059.001PowerShell
- T1059.003Windows Command Shell
- T1059.005Visual Basic
- T1059.006Python
- T1059.007JavaScript
- T1070.004File Deletion
- T1070.006Timestomp
- T1071.001Web Protocols
- T1071.002File Transfer Protocols
- T1071.003Mail Protocols
- T1074.001Local Data Staging
- T1078.003Local Accounts
- T1082System Information Discovery
- T1083File and Directory Discovery
- T1098.007Additional Local or Domain Groups
- T1102.001Dead Drop Resolver
- T1102.002Bidirectional Communication
- T1105Ingress Tool Transfer
- T1106Native API
- T1111Multi-Factor Authentication Interception
- T1112Modify Registry
- T1113Screen Capture
- T1114.002Remote Email Collection
- T1114.003Email Forwarding Rule
- T1115Clipboard Data
- T1124System Time Discovery
- T1132.002Non-Standard Encoding
- T1133External Remote Services
- T1136.001Local Account
- T1140Deobfuscate/Decode Files or Information
- T1176.001Browser Extensions
- T1185Browser Session Hijacking
- T1190Exploit Public-Facing Application
- T1204.001Malicious Link
- T1204.002Malicious File
- T1204.004Malicious Copy and Paste
- T1205Traffic Signaling
- T1217Browser Information Discovery
- T1218.005Mshta
- T1218.010Regsvr32
- T1218.011Rundll32
- T1219.002Remote Desktop Software
- T1480.002Mutual Exclusion
- T1489Service Stop
- T1497.001System Checks
- T1505.003Web Shell
- T1518.001Security Software Discovery
- T1534Internal Spearphishing
- T1539Steal Web Session Cookie
- T1543.003Windows Service
- T1546.001Change Default File Association
- T1547.001Registry Run Keys / Startup Folder
- T1550.002Pass the Hash
- T1552.001Credentials In Files
- T1552.004Private Keys
- T1553.002Code Signing
- T1555.003Credentials from Web Browsers
- T1557Adversary-in-the-Middle
- T1559.001Component Object Model
- T1560.001Archive via Utility
- T1560.003Archive via Custom Method
- T1564.002Hidden Users
- T1564.003Hidden Window
- T1564.011Ignore Process Interrupts
- T1566Phishing
- T1566.001Spearphishing Attachment
- T1566.002Spearphishing Link
- T1567.002Exfiltration to Cloud Storage
- T1568Dynamic Resolution
- T1583Acquire Infrastructure
- T1583.001Domains
- T1583.004Server
- T1583.006Web Services
- T1584.001Domains
- T1585Establish Accounts
- T1585.001Social Media Accounts
- T1585.002Email Accounts
- T1586.002Email Accounts
- T1587Develop Capabilities
- T1587.001Malware
- T1588.002Tool
- T1588.003Code Signing Certificates
- T1588.005Exploits
- T1589.002Email Addresses
- T1589.003Employee Names
- T1591Gather Victim Org Information
- T1593.001Social Media
- T1593.002Search Engines
- T1594Search Victim-Owned Websites
- T1596Search Open Technical Databases
- T1598Phishing for Information
- T1598.003Spearphishing Link
- T1608.001Upload Malware
- T1620Reflective Code Loading
- T1657Financial Theft
- T1678Delay Execution
- T1680Local Storage Discovery
- T1682Query Public AI Services
- T1684.001Impersonation
- T1685Disable or Modify Tools
- T1686Disable or Modify System Firewall
Recent victims
Loading…
Onion infrastructure
2 known- http://3ytm3d25hfzvbylkxiwyqmpvzys5of7l4pbosm7ol7czlkplgukjq6yd.onion
- http://3ytm3d25hfzvbylkxiwyqmpvzys5of7l4pbosm7ol7czlkplgukjq6yd.onion/atom.xml
Source
Updated 2 years agoData on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.