Falcon Active

Ransomware group first observed in 2016. Uses Rclone for deployment.
PDF Report Back to Groups
0
Total Victims
2016-08-01
First Seen
2026-02-24
Last Seen
20
Known TTPs
42.0d
Avg Delay
0
Negotiations
ONION URLS
tvnk5otxgirnz4eihmvn3jhoy7kfewcpwm26sn2qr5rp5xeiaxbolxst.onion
TOOLS
Rclone Rubeus ADFind SystemBC IcedID
FILE EXTENSIONS
.doom
ACTIVITY TIMELINE
TOP SECTORS
TOP COUNTRIES
ACTIVITY HEATMAP
Date Victim Name Country Sector Status
No victims recorded
Technique ID Technique Name Tactic
T1074.001 Local Data Staging Collection
T1562.009 Safe Mode Boot Defense Evasion
T1069 Permission Groups Discovery Discovery
T1083 File and Directory Discovery Discovery
T1087 Account Discovery Discovery
T1059.001 PowerShell Execution
T1059.003 Windows Command Shell Execution
T1059.006 Python Execution
T1041 Exfiltration Over C2 Channel Exfiltration
T1567.002 Exfiltration to Cloud Storage Exfiltration
T1529 System Shutdown/Reboot Impact
T1133 External Remote Services Initial Access
T1190 Exploit Public-Facing Application Initial Access
T1566.001 Spearphishing Attachment Initial Access
T1021.001 Remote Desktop Protocol Lateral Movement
T1570 Lateral Tool Transfer Lateral Movement
T1098 Account Manipulation Persistence
T1547.001 Registry Run Keys Persistence
T1547.009 Shortcut Modification Persistence
T1134 Access Token Manipulation Privilege Escalation

No YARA rules

No IoCs

No ransom notes