Operator dossier

Spacebears (also tracked as space bears) is a ransomware operator currently active on public leak sites. Darkfield has indexed 147 public victims claimed by this operator between April 29, 2024 and May 13, 2026. Spacebears is a recently emerged ransomware group first observed in April 2024, operating with apparent financial motivations and demonstrating a broad targeting approach across multiple sectors and geographic regions. The group's origin and potential affiliations remain unclear due to limited public documentation from established threat intelligence sources, though their targeting pattern suggests a professional operation focused on maximizing financial returns rather than geopolitical objectives. With 117 known victims since their emergence, Spacebears has shown particular focus on organizations in the United States, Germany, Spain, Italy, and Canada, with their attacks primarily affecting technology, healthcare, manufacturing, and business services sectors, indicating they likely employ opportunistic targeting rather than sector-specific specialization. Their attack methodology, initial access vectors, and specific technical capabilities have not been extensively documented in public reporting from major cybersecurity firms or law enforcement agencies, limiting detailed analysis of their operational procedures and tools. Due to the group's recent emergence and limited public intelligence reporting, notable high-profile campaigns and specific victim details remain largely undocumented in established threat intelligence channels. The group's current operational status appears active given their recent emergence timeline, though comprehensive analysis is constrained by the lack of detailed public reporting from authoritative cybersecurity sources.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

Spacebears

aka space bears · 147 victims indexed · first seen 2 years ago · last activity 8 days ago

147

Victims indexed

#55 of 348 tracked operators

2y 1m

Active period

Apr 2024 → May 2026

Countries hit

top United States · 26

At a glance

Status: active
Aliases: space bears
First seen: 2 years ago
Last activity: 8 days ago
Onion sites: 2 known endpoints
Primary sector: Not Found · 38 hits

About

Spacebears is a recently emerged ransomware group first observed in April 2024, operating with apparent financial motivations and demonstrating a broad targeting approach across multiple sectors and geographic regions. The group's origin and potential affiliations remain unclear due to limited public documentation from established threat intelligence sources, though their targeting pattern suggests a professional operation focused on maximizing financial returns rather than geopolitical objectives. With 117 known victims since their emergence, Spacebears has shown particular focus on organizations in the United States, Germany, Spain, Italy, and Canada, with their attacks primarily affecting technology, healthcare, manufacturing, and business services sectors, indicating they likely employ opportunistic targeting rather than sector-specific specialization. Their attack methodology, initial access vectors, and specific technical capabilities have not been extensively documented in public reporting from major cybersecurity firms or law enforcement agencies, limiting detailed analysis of their operational procedures and tools. Due to the group's recent emergence and limited public intelligence reporting, notable high-profile campaigns and specific victim details remain largely undocumented in established threat intelligence channels. The group's current operational status appears active given their recent emergence timeline, though comprehensive analysis is constrained by the lack of detailed public reporting from authoritative cybersecurity sources.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/space bears

Timeline

23 months

2024-04-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 United States

🇪🇸 Spain

🇩🇪 Germany

🇮🇹 Italy

🇮🇳 India

🇨🇦 Canada

🇯🇵 Japan

🇧🇷 Brazil

United States dossier →Spain dossier →Germany dossier →Italy dossier →

Top sectors

Not Found

Technology

Healthcare

Manufacturing

Business Services

Transportation/Logistics

Consumer Services

Telecommunication

Not Found dossier →Technology dossier →Healthcare dossier →Manufacturing dossier →

MITRE ATT&CK

7 techniques · 5 tactics

Tactics

Initial AccessExecutionDefense EvasionDiscoveryImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1059Command and Scripting Interpreter
T1027Obfuscated Files or Information
T1082System Information Discovery
T1083File and Directory Discovery
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known

http://5butbkrljkaorg5maepuca25oma7eiwo6a2rlhvkblb4v6mf3ki2ovid.onion
http://5butbkrljkaorg5maepuca25oma7eiwo6a2rlhvkblb4v6mf3ki2ovid.onion/

Source

Updated 8 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.