Skip to main content

Operator dossier

Spacebears (also tracked as space bears) is a ransomware operator currently active on public leak sites. Darkfield has indexed 185 public victims claimed by this operator between April 29, 2024 and July 13, 2026. Spacebears is a recently emerged ransomware group first observed in April 2024, operating with apparent financial motivations and demonstrating a broad targeting approach across multiple sectors and geographic regions. The group's origin and potential affiliations remain unclear due to limited public documentation from established threat intelligence sources, though their targeting pattern suggests a professional operation focused on maximizing financial returns rather than geopolitical objectives. With 117 known victims since their emergence, Spacebears has shown particular focus on organizations in the United States, Germany, Spain, Italy, and Canada, with their attacks primarily affecting technology, healthcare, manufacturing, and business services sectors, indicating they likely employ opportunistic targeting rather than sector-specific specialization. Their attack methodology, initial access vectors, and specific technical capabilities have not been extensively documented in public reporting from major cybersecurity firms or law enforcement agencies, limiting detailed analysis of their operational procedures and tools. Due to the group's recent emergence and limited public intelligence reporting, notable high-profile campaigns and specific victim details remain largely undocumented in established threat intelligence channels. The group's current operational status appears active given their recent emergence timeline, though comprehensive analysis is constrained by the lack of detailed public reporting from authoritative cybersecurity sources.

Most-targeted sectors

Most-affected countries

Recent disclosures by Spacebears

Most recent 150 of 185 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Spacebears

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Spacebears

aka space bears · 185 victims indexed · first seen 2 years ago · last activity 2 days ago

185
Victims indexed
#45 of 364 tracked operators
2y 3m
Active period
Apr 2024 → Jul 2026
30
Countries hit
top United States · 42

At a glance

Status
active
Aliases
space bears
First seen
2 years ago
Last activity
2 days ago
Onion sites
2 known endpoints
Primary sector
Not Found · 42 hits

About

Spacebears is a recently emerged ransomware group first observed in April 2024, operating with apparent financial motivations and demonstrating a broad targeting approach across multiple sectors and geographic regions. The group's origin and potential affiliations remain unclear due to limited public documentation from established threat intelligence sources, though their targeting pattern suggests a professional operation focused on maximizing financial returns rather than geopolitical objectives. With 117 known victims since their emergence, Spacebears has shown particular focus on organizations in the United States, Germany, Spain, Italy, and Canada, with their attacks primarily affecting technology, healthcare, manufacturing, and business services sectors, indicating they likely employ opportunistic targeting rather than sector-specific specialization. Their attack methodology, initial access vectors, and specific technical capabilities have not been extensively documented in public reporting from major cybersecurity firms or law enforcement agencies, limiting detailed analysis of their operational procedures and tools. Due to the group's recent emergence and limited public intelligence reporting, notable high-profile campaigns and specific victim details remain largely undocumented in established threat intelligence channels. The group's current operational status appears active given their recent emergence timeline, though comprehensive analysis is constrained by the lack of detailed public reporting from authoritative cybersecurity sources.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

24 months
2024-06-01T00:00:00+00:00 · 102024-07-01T00:00:00+00:00 · 82024-08-01T00:00:00+00:00 · 32024-09-01T00:00:00+00:00 · 12024-10-01T00:00:00+00:00 · 12024-11-01T00:00:00+00:00 · 52024-12-01T00:00:00+00:00 · 42025-01-01T00:00:00+00:00 · 122025-02-01T00:00:00+00:00 · 42025-03-01T00:00:00+00:00 · 22025-04-01T00:00:00+00:00 · 52025-05-01T00:00:00+00:00 · 62025-06-01T00:00:00+00:00 · 32025-07-01T00:00:00+00:00 · 22025-08-01T00:00:00+00:00 · 42025-09-01T00:00:00+00:00 · 62025-10-01T00:00:00+00:00 · 62025-11-01T00:00:00+00:00 · 32025-12-01T00:00:00+00:00 · 102026-02-01T00:00:00+00:00 · 102026-03-01T00:00:00+00:00 · 92026-04-01T00:00:00+00:00 · 32026-05-01T00:00:00+00:00 · 322026-06-01T00:00:00+00:00 · 17
2024-06-01T00:00:00+00:002026-06-01T00:00:00+00:00

Top countries

🇺🇸 United States
42
🇩🇪 Germany
9
🇪🇸 Spain
8
🇮🇹 Italy
8
🇨🇦 Canada
6
🇫🇷 France
6
🇧🇷 Brazil
5
🇦🇺 Australia
4

Top sectors

Healthcare
20
Manufacturing
17
Technology
16
Business Services
12
Transportation/Logistics
8
Consumer Services
4
Construction
3
Agriculture and Food Production
3

MITRE ATT&CK

7 techniques · 5 tactics

Tactics

Initial AccessExecutionDefense EvasionDiscoveryImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1027Obfuscated Files or Information
  • T1082System Information Discovery
  • T1083File and Directory Discovery
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known
  • http://5butbkrljkaorg5maepuca25oma7eiwo6a2rlhvkblb4v6mf3ki2ovid.onion
  • http://5butbkrljkaorg5maepuca25oma7eiwo6a2rlhvkblb4v6mf3ki2ovid.onion/

Source

Updated 2 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Spacebears posts a victim.

Add Spacebears to your watchlist — Pro pings you within 5 minutes of any new Spacebears leak-site post, Telegram callout, or affiliate-rebrand inference.