Weyhro is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 14 public victims claimed by this operator between March 6, 2025 and August 11, 2025.

Weyhro is an emerging ransomware group that was first observed in March 2025, appearing to be primarily financially motivated based on their targeting patterns and operational behavior. The group's origin and affiliations remain unclear due to their recent emergence, with insufficient public documentation from major threat intelligence sources to confirm their country of origin, potential links to established ransomware families, or whether they operate under a Ransomware-as-a-Service model. With only 14 documented victims since their March 2025 debut, specific details about their attack methodology, initial access vectors, encryption techniques, and data exfiltration practices have not been comprehensively documented by CISA, FBI, Mandiant, or other reputable security researchers.

The group has demonstrated a geographically diverse targeting approach, primarily focusing on victims in the United States, Germany, Canada, Barbados, and Italy, with a sector preference for manufacturing, financial services, business services, and technology organizations. Given the group's recent emergence and limited victim count, no major high-profile campaigns, record ransom demands, or law enforcement actions have been publicly reported. Weyhro appears to remain active as of current reporting, though their operational tempo and long-term sustainability remain to be determined given the limited intelligence available on this nascent threat actor.

How we know this.

Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.