Al-Safi Oil Company

About NASIR

NASIR is an emerging ransomware group first observed in June 2026 with a apparent financial motivation, having claimed responsibility for attacks against at least seven known victims across the Middle East region. The group's targeting pattern strongly suggests a geopolitical or regional focus, with victim organizations concentrated in the United Arab Emirates, Israel, Saudi Arabia, and Kuwait, spanning high-value sectors including government, energy and oil, transportation, aviation, and cultural and memorial institutions. Given the limited open-source intelligence currently available on NASIR, its country of origin, affiliation with known threat actor ecosystems, and whether it operates under a Ransomware-as-a-Service model or as an independent closed group have not been publicly confirmed by authoritative sources such as CISA, the FBI, or Mandiant as of this writing. The group's sector targeting — particularly government, energy infrastructure, and aviation — suggests a deliberate focus on critical national infrastructure across Gulf Cooperation Council states and Israel, which may indicate either a financially motivated actor seeking high-value targets capable of large ransom payments, or an actor with ideological or geopolitical objectives. No specific tools, encryption methods, or extortion tactics employed by NASIR have been publicly documented or attributed by reputable security researchers at this time, and no major law enforcement actions against the group have been publicly reported. NASIR should be considered an emerging and closely monitored threat given its critical infrastructure targeting pattern, with the expectation that additional technical attribution and campaign details will surface as the group's operational tempo develops. The group has been linked to 8 public disclosures across our corpus. First observed on a leak site on June 10, 2026; most recent post June 11, 2026. The operation is currently active.

Timeline of this disclosure

• June 10, 2026Al-Safi Oil Company listed by NASIRon the group's public leak site

Other recent disclosures by NASIR

NASIR has been linked to 8 public victims on Darkfield. A sample of the most recent:

• UAE Federal Customs AuthorityGovernment / Customs · United Arab Emirates · June 11, 2026
• Dubai International AirportTransportation/Aviation · AE · June 10, 2026
• Al-Safi Oil Company (PURE IN)Energy/Oil · June 10, 2026
• UAE Customs (Federal Customs Authority)Government · United Arab Emirates · June 10, 2026
• Dubai AirportTransportation · United Arab Emirates · June 10, 2026
• Kuwait Ministry Of InteriorGovernment · Kuwait · June 10, 2026
• Israel's National Holocaust MuseumCultural/Memorial · Israel · June 10, 2026

See the full NASIR dossier →

Sector and geography

This disclosure adds to ransomware activity in the Energy/Oil & Gas sector. Geographically, Al-Safi Oil Company is reported in Saudi Arabia, a country with 44 ransomware disclosures in our corpus.

If your organisation is affected

A listing by NASIR means Al-Safi Oil Company appeared on a ransomware extortion site and data attributed to it has been published. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

• Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
• Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
• Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
• Monitor for the data appearing on NASIR's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.