HornetTeam Active
Ransomware group first observed in 2019. Uses QBot for deployment.
Total Victims: 1
First Seen: 2019-01-01
Last Seen: 2026-03-05
Known TTPs: 11
Avg Delay: 19.1d
Negotiations: 0
ONION URLS
qscx3botiomrxtlodscxooy3uthscdutvasqhgh222ipslrl5bhyl5qp.onion
TOOLS
QBot
PowerShell Empire
WinSCP
ConnectWise
FILE EXTENSIONS
.doom
| Date | Victim Name | Country | Sector | Status |
|---|---|---|---|---|
| 2026-03-05 | Vector Healthcare | United States | Government | Published |

| Technique ID | Technique Name | Tactic |
|---|---|---|
| T1071.001 | Web Protocols | Command and Control |
| T1105 | Ingress Tool Transfer | Command and Control |
| T1047 | Windows Management Instrumentation | Execution |
| T1053.005 | Scheduled Task | Execution |
| T1059.003 | Windows Command Shell | Execution |
| T1204.001 | Malicious Link | Execution |
| T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
| T1570 | Lateral Tool Transfer | Lateral Movement |
| T1136.001 | Local Account | Persistence |
| T1543.003 | Windows Service | Persistence |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
No YARA rules
No IoCs
No ransom notes