Total Victims: 2
First Seen: 2024-07-01
Last Seen: 2026-03-06
Known TTPs: 24
Avg Delay: 9.1d
Negotiations: 0
ONION URLS
jh4jdm6n5bvmss4uce2k27nw4uvncrl7effhjztdwmehipwtmoco7ia2.onion
TOOLS
WinSCP, BloodHound, LaZagne, TDSSKiller, Rclone
FILE EXTENSIONS
.doom
[Charts: Activity Timeline, Top Sectors, Top Countries, Activity Heatmap]
| Date | Victim Name | Country | Sector | Status |
|---|---|---|---|---|
| 2026-03-06 | Frontier Networks | France | Government | Published |
| 2026-03-06 | Platinum Enterprises | Italy | Aerospace & Defense | Published |
| Technique ID | Technique Name | Tactic |
|---|---|---|
| T1005 | Data from Local System | Collection |
| T1074.001 | Local Data Staging | Collection |
| T1560.001 | Archive via Utility | Collection |
| T1105 | Ingress Tool Transfer | Command and Control |
| T1003.003 | NTDS | Credential Access |
| T1110.003 | Password Spraying | Credential Access |
| T1555.003 | Credentials from Web Browsers | Credential Access |
| T1558.003 | Kerberoasting | Credential Access |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1070.004 | File Deletion | Defense Evasion |
| T1140 | Deobfuscate/Decode Files | Defense Evasion |
| T1218.011 | Rundll32 | Defense Evasion |
| T1562.001 | Disable or Modify Tools | Defense Evasion |
| T1016 | System Network Configuration Discovery | Discovery |
| T1087 | Account Discovery | Discovery |
| T1135 | Network Share Discovery | Discovery |
| T1053.005 | Scheduled Task | Execution |
| T1059.003 | Windows Command Shell | Execution |
| T1059.006 | Python | Execution |
| T1531 | Account Access Removal | Impact |
| T1078 | Valid Accounts | Initial Access |
| T1133 | External Remote Services | Initial Access |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1543.003 | Windows Service | Persistence |

No YARA rules

No IoCs

No ransom notes