Skip to main content

Operator dossier

TEAM UNDERGROUND is a ransomware operator currently active on public leak sites. Darkfield has indexed 7 public victims claimed by this operator between May 14, 2026 and June 2, 2026. TEAM UNDERGROUND is a ransomware group first observed in May 2026 with an apparent financial motivation, though its limited operational history makes comprehensive attribution difficult at this time. With only a single known victim recorded to date, the group has demonstrated a targeting preference for the Audit, Tax Advisory, and Legal Services sector, suggesting a deliberate focus on organizations that handle sensitive financial, legal, and confidential client data — a common strategic choice among financially motivated threat actors seeking high-value exfiltration leverage. Given the group's extremely recent emergence and minimal operational footprint, detailed technical indicators regarding their initial access vectors, tooling, encryption methodology, or affiliation with broader ransomware ecosystems have not yet been publicly documented by authoritative sources such as CISA, the FBI, Mandiant, or equivalent research bodies. No confirmed affiliations with known ransomware-as-a-service platforms or established threat actor groups have been publicly established, nor have any notable high-profile campaigns, law enforcement actions, or ransom figures been attributed to this group in open-source reporting. TEAM UNDERGROUND should currently be regarded as an emerging and closely monitored threat, with its full capabilities, infrastructure, and operational scope remaining largely uncharacterized pending further observed activity and independent security research.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

TEAM UNDERGROUND

7 victims indexed · first seen 2 months ago · last activity 1 month ago

7
Victims indexed
#229 of 364 tracked operators
1m
Active period
May 2026 → Jun 2026
Countries hit

At a glance

Status
active
First seen
2 months ago
Last activity
1 month ago
Onion sites
1 known endpoint

About

TEAM UNDERGROUND is a ransomware group first observed in May 2026 with an apparent financial motivation, though its limited operational history makes comprehensive attribution difficult at this time. With only a single known victim recorded to date, the group has demonstrated a targeting preference for the Audit, Tax Advisory, and Legal Services sector, suggesting a deliberate focus on organizations that handle sensitive financial, legal, and confidential client data — a common strategic choice among financially motivated threat actors seeking high-value exfiltration leverage. Given the group's extremely recent emergence and minimal operational footprint, detailed technical indicators regarding their initial access vectors, tooling, encryption methodology, or affiliation with broader ransomware ecosystems have not yet been publicly documented by authoritative sources such as CISA, the FBI, Mandiant, or equivalent research bodies. No confirmed affiliations with known ransomware-as-a-service platforms or established threat actor groups have been publicly established, nor have any notable high-profile campaigns, law enforcement actions, or ransom figures been attributed to this group in open-source reporting. TEAM UNDERGROUND should currently be regarded as an emerging and closely monitored threat, with its full capabilities, infrastructure, and operational scope remaining largely uncharacterized pending further observed activity and independent security research.

References

1 link

External sources curated by the MISP threat-intel community.

Recent victims

Loading…

Onion infrastructure

1 known
  • http://47glxkuxyayqrvugfumgsblrdagvrah7gttfscgzn56eyss5wg3uvmqd.onion

Source

Updated 1 month ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time TEAM UNDERGROUND posts a victim.

Add TEAM UNDERGROUND to your watchlist — Pro pings you within 5 minutes of any new TEAM UNDERGROUND leak-site post, Telegram callout, or affiliate-rebrand inference.