Mallory

CyberVolk

Also known as: CyberVolk

CyberVolk is a pro-Russian hacktivist group, also referred to as GLORIAMIST, first documented in late 2024. Multiple open-source reports describe the group as conducting attacks aligned with Russian government interests, including attacks against public and government entities that oppose Russia or side with Ukraine. The group is also reported to be India-based or of Indian origin. CyberVolk is associated with both DDoS activity and ransomware operations.

In 2025, after a period of dormancy attributed to Telegram enforcement actions, the group resurfaced in August with a ransomware-as-a-service offering called VolkLocker, also referred to as CyberVolk 2.x. VolkLocker is described as Golang-based, cross-platform ransomware targeting Windows and Linux, including VMware ESXi environments. The operation is managed through Telegram, which is used for payload building, command and control, affiliate management, victim messaging, decryption workflows, and broader automation.

Reported VolkLocker behaviour includes AES-256-GCM file encryption, attempted privilege escalation via the Windows ms-settings UAC bypass, system and environment discovery, drive enumeration, checks for virtualization and sandbox artifacts, Windows Registry modification, deletion of volume shadow copies, and termination of security- or analysis-related processes. The ransomware also includes destructive enforcement behaviour: it deletes user folders and performs other wipe actions if the payment deadline expires or incorrect decryption keys are entered repeatedly.

A consistently reported implementation flaw in VolkLocker is that the master encryption key is hard-coded in the executable and also written in plaintext to %TEMP%\system_backup.key, apparently a test artifact left in production builds. This flaw can allow victims to recover encrypted files without paying.

Multiple sources also describe CyberVolk as reusing, tweaking, and rebranding leaked ransomware source code, including code derived from AzzaSec. CyberVolk monetizes access to VolkLocker through tiered RaaS pricing and has reportedly expanded its offerings to standalone remote access trojan and keylogger tools. Reporting further notes repeated Telegram bans and channel removals, aggressive recruitment of lesser-skilled affiliates, and operational quality-control problems reflected in debug or test artifacts shipped in live builds.
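As an added defender-side example (not code from this page or from any vendor): simple detection logic for the VolkLocker behaviours reported above, run over constructed sample endpoint events. The event field names, the sample paths and images, and the registry path used for the ms-settings UAC bypass check are assumptions; confirm them against your own telemetry.

```python
"""Detect the VolkLocker behaviours reported in open-source coverage:
plaintext key drop to %TEMP%, shadow-copy deletion (T1490) and the
ms-settings UAC bypass registry write. Sample events are constructed."""
import re

# Constructed sample telemetry in a Sysmon-like shape (field names are assumptions).
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Users\alice\Downloads\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\system_backup.key"},
    {"type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "registry_set", "image": r"C:\Users\alice\Downloads\update.exe",
     # Registry path commonly associated with the ms-settings bypass (assumption).
     "target": r"HKCU\Software\Classes\ms-settings\shell\open\command"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},  # benign noise, must not match
]

# (rule name, event type, pattern, field the pattern is applied to)
RULES = [
    ("volklocker_plaintext_key_drop", "file_create",
     re.compile(r"\\temp\\system_backup\.key$", re.I), "target"),
    ("shadow_copy_deletion_T1490", "process_create",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "cmdline"),
    ("ms_settings_uac_bypass_registry", "registry_set",
     re.compile(r"\\classes\\ms-settings\\shell\\open\\command", re.I), "target"),
]


def detect(events):
    """Return a list of (rule_name, image) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, ev_type, pattern, field in RULES:
            if ev.get("type") == ev_type and pattern.search(ev.get(field, "")):
                hits.append((name, ev["image"]))
    return hits


def triage(events):
    """Map each originating image to 'high' if two or more distinct rules fired
    for it, else 'medium'. Note for responders: the system_backup.key file is a
    recovery artifact per reporting, so preserve it rather than wiping %TEMP%."""
    by_image = {}
    for name, image in detect(events):
        by_image.setdefault(image, set()).add(name)
    return {img: ("high" if len(r) >= 2 else "medium") for img, r in by_image.items()}
```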


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic (×N = number of intelligence reports citing the technique). 1 of 15 tactics covered.

TA0040 Impact (2 techniques)

  • T1486 Data Encrypted for Impact (×2)
  • T1490 Inhibit System Recovery