Skip to main content

Operator dossier

weyhro is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 14 public victims claimed by this operator between March 6, 2025 and August 11, 2025. Weyhro is an emerging ransomware group that was first observed in March 2025, appearing to be primarily financially motivated based on their targeting patterns and operational behavior. The group's origin and affiliations remain unclear due to their recent emergence, with insufficient public documentation from major threat intelligence sources to confirm their country of origin, potential links to established ransomware families, or whether they operate under a Ransomware-as-a-Service model. With only 14 documented victims since their March 2025 debut, specific details about their attack methodology, initial access vectors, encryption techniques, and data exfiltration practices have not been comprehensively documented by CISA, FBI, Mandiant, or other reputable security researchers. The group has demonstrated a geographically diverse targeting approach, primarily focusing on victims in the United States, Germany, Canada, Barbados, and Italy, with a sector preference for manufacturing, financial services, business services, and technology organizations. Given the group's recent emergence and limited victim count, no major high-profile campaigns, record ransom demands, or law enforcement actions have been publicly reported. Weyhro appears to remain active as of current reporting, though their operational tempo and long-term sustainability remain to be determined given the limited intelligence available on this nascent threat actor.

Most-targeted sectors

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

weyhro

14 victims indexed · first seen 1 year ago · last activity 11 months ago

14
Victims indexed
#191 of 364 tracked operators
5m
Active period
Mar 2025 → Aug 2025
5
Countries hit
top US · 10

At a glance

Status
inactive
First seen
1 year ago
Last activity
11 months ago
Onion sites
1 known endpoint
Primary sector
Not Found · 5 hits

About

Weyhro is an emerging ransomware group that was first observed in March 2025, appearing to be primarily financially motivated based on their targeting patterns and operational behavior. The group's origin and affiliations remain unclear due to their recent emergence, with insufficient public documentation from major threat intelligence sources to confirm their country of origin, potential links to established ransomware families, or whether they operate under a Ransomware-as-a-Service model. With only 14 documented victims since their March 2025 debut, specific details about their attack methodology, initial access vectors, encryption techniques, and data exfiltration practices have not been comprehensively documented by CISA, FBI, Mandiant, or other reputable security researchers. The group has demonstrated a geographically diverse targeting approach, primarily focusing on victims in the United States, Germany, Canada, Barbados, and Italy, with a sector preference for manufacturing, financial services, business services, and technology organizations. Given the group's recent emergence and limited victim count, no major high-profile campaigns, record ransom demands, or law enforcement actions have been publicly reported. Weyhro appears to remain active as of current reporting, though their operational tempo and long-term sustainability remain to be determined given the limited intelligence available on this nascent threat actor.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

3 months
2025-03-01T00:00:00+00:00 · 82025-05-01T00:00:00+00:00 · 42025-08-01T00:00:00+00:00 · 2
2025-03-01T00:00:00+00:002025-08-01T00:00:00+00:00

Top countries

🇺🇸 United States
10
🇩🇪 Germany
1
🇨🇦 Canada
1
Barbados
1
🇮🇹 Italy
1

Top sectors

Manufacturing
4
Financial Services
2
Business Services
1
Technology
1
Public Sector
1

MITRE ATT&CK

3 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

  • T1566Phishing
  • T1059Command and Scripting Interpreter
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known
  • http://xtxtpqpyaaek4p4525ksepyyy75gfvi47fptm2gftw7cn656rnfhzdqd.onion/leaks

Source

Updated 11 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time weyhro posts a victim.

Add weyhro to your watchlist — Pro pings you within 5 minutes of any new weyhro leak-site post, Telegram callout, or affiliate-rebrand inference.