0
Total Victims
2024-05-01
First Seen
N/A
Last Seen
0
Known TTPs
8.5d
Avg Delay
0
Negotiations
ONION URLS
e47avfjrsh7jrjfyo3puwbzneweqpiwbn2itul32idlozes2qjdlkjg2.onion
5vm7x4b3yz2eev5a7vsekyzshhue6ojxbzo5tx6rywaqy4xoxfqqwtb3.onion
TOOLS
Custom tools
FILE EXTENSIONS
.apos
ACTIVITY TIMELINE
TOP SECTORS
TOP COUNTRIES
ACTIVITY HEATMAP
Date Victim Name Country Sector Status
No victims recorded

No TTP data

Apos_Security_rule_1 InQuest
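rule Apos_Security_ransomware_1 {
    meta:
        description = "Detects Apos Security ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "9abef4b6daa7b13efec5de44beb5a5ac025baf49fb83b50d201619be6de57a56"

    strings:
        // The published hex patterns $h0, $h1 and $h4 ended in a lone nibble
        // ("... E0 F", "... 39 F", "... 83 3"). YARA hex strings are whole
        // bytes (or ?X / X? masks), so the rule as published does not compile.
        // The dangling nibble is dropped rather than guessed: the shorter
        // pattern matches a superset of what the intended byte sequence would.
        $h0 = { C7 A5 C1 A8 11 17 CB 8F DC 25 EC CD D9 C9 32 DF 60 2C CA E0 }
        $h1 = { 32 A6 9E C3 99 E9 45 E6 6D B3 06 39 }
        $s2 = "Apos Security" nocase
        // NOTE(review): the page lists ".apos" as the encrypted-file extension;
        // ".apos_security" may be a marker/note string instead - confirm on a sample.
        $s3 = ".apos_security" nocase
        $h4 = { CE 4A C2 11 40 5C BE 6B 87 8F E8 E4 19 89 84 02 83 }
        // Generic: matches any "README.<3-10 chars>" string, which occurs in
        // plenty of benign PE files. It should not be the deciding match.
        $r5 = /README\..{3,10}/i
        $h6 = { 62 1E 93 E1 2D BC 88 B2 74 A3 }
        // The published rule also had $r7 = /README\..{3,10}/i, identical to
        // $r5, so a single README string counted twice toward "4 of them".
        // Removed so each counted match is an independent indicator.

    condition:
        // MZ header, size cap to keep scanning cheap, then 4 of the 7 strings
        // above (hex fragments, name/extension strings, README regex).
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        4 of them
}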
Apos_Security_rule_2 Florian Roth
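rule Apos_Security_ransomware_2 {
    meta:
        description = "Detects Apos Security ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "7d3a473f48c498026d432064044c7f7f539ca3343785b9470fa2c0647dab25ed"

    strings:
        // The published $h0, $h1 and $h4 ended in a lone nibble ("... F4 6",
        // "... 5F 0", "... 8A 8"). YARA hex strings are whole bytes (or ?X / X?
        // masks), so the rule as published does not compile. The dangling
        // nibble is dropped rather than guessed; the shorter pattern matches a
        // superset of the intended byte sequence.
        $h0 = { 69 47 57 B3 69 9F 12 BF 52 BB EB CD 37 3D FB 96 F0 D0 45 DC F4 }
        $h1 = { 66 29 B0 C6 BC EA 5D 9C 60 DA 5A DF E6 00 81 B0 88 72 FC D8 5F }
        $h2 = { 53 E7 A4 D5 CE F5 42 CF F1 76 31 }
        // Generic: any "README.<3-10 chars>" string; common in benign PE files.
        $r3 = /README\..{3,10}/i
        $h4 = { 04 62 B5 2C F3 15 6B A5 C2 B7 09 8A }
        // Legacy Base58 Bitcoin address shape (P2PKH "1..." / P2SH "3...").
        // It does NOT cover bech32 "bc1q..." addresses, which is the form the
        // IoC table on this page lists, and it fires on any 26-35 char Base58
        // run (hashes, encoded blobs), so treat it as a weak indicator.
        // NOTE(review): several listed bc1q... strings contain characters
        // outside the bech32 alphabet (1, i, o) - verify those IoCs before use.
        $r5 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        // MZ header, size cap, then 3 of the 6 strings. Both regexes are
        // generic, so a hit backed only by $r3 + $r5 + one short hex fragment
        // deserves manual confirmation.
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}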
Type Value Description
sha1 61a2143b4956035a33a29d8fb5e370c7c3b6d1be Associated with Apos Security ransomware
email contact607@cock.li Contact email observed in Apos Security attacks
ip 108.192.221.55 Infrastructure linked to Apos Security
tox FBEAA992DF6FEF5FF4C7B00C86DCF1D2EBB7E6DECFEC1CA6AC6B7B0ED751E623DBF2ACD8A8A4 Associated with Apos Security ransomware
md5 ed7eb2928eb71d6278155f7551968206 Malware sample hash - Apos Security campaign
tox 5A3CD72B684E2CB21FAFDFBCAA15CE2FFDCEF9AA95D2FAEDBCBCEE4C1D05DDA11DFA8E04DFCD Tox messenger ID - Apos Security campaign
btc bc1q3h33t5flfof7ky9a9t46iuhgecukuh2h0l9klz Bitcoin ransom address - Apos Security campaign
btc bc1q1uqfu8j0vfr1pfj35gz5lsqwlcnejg0uys9013 Bitcoin ransom address observed in Apos Security attacks
btc bc1q1nwwwrc1yfrjvqyweikfag8oa3wtyxgyim4l8j Associated with Apos Security ransomware

No ransom notes