Operator dossier

TRIDENT (also tracked as DAGGER PANDA, IceFog, RedFoxtrot, Red Wendigo) is a ransomware operator currently active on public leak sites. Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.

Suspected origin: CN (community attribution, not authoritative).

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

TRIDENT

aka DAGGER PANDA, IceFog, RedFoxtrot, Red Wendigo, PLA Unit 69010, UAT-7290, Red Foxtrot · 0 victims indexed

Victims indexed

—

Active period

—

Countries hit

At a glance

Status: active
Aliases: DAGGER PANDA, IceFog, RedFoxtrot, Red Wendigo, PLA Unit 69010, UAT-7290, Red Foxtrot
First seen: —
Last activity: —
Onion sites: 1 known endpoint
Suspected origin: 🇨🇳CN

Attribution

Community-assessed by the MISP threat-intel community — not Darkfield's own attribution.

Suspected sponsor: 🇨🇳China
Activity type: Espionage
Attribution confidence: Moderate · 50/100

About

Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.

References

7 links

External sources curated by the MISP threat-intel community.

Recent victims

Loading…

Onion infrastructure

1 known

http://tridentfrdy6jydwywfx4vx422vnto7pktao2gyx2qdcwjanogq454ad.onion/articles

Source

Updated recently

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time TRIDENT posts a victim.

Add TRIDENT to your watchlist — Pro pings you within 5 minutes of any new TRIDENT leak-site post, Telegram callout, or affiliate-rebrand inference.