Space Bears

Space Bears is a ransomware and extortion group first identified in April 2024. Multiple sources in the provided content associate it with the Phobos ransomware-as-a-service (RaaS) ecosystem, and one source states its leak site is believed to function as a shared publishing point for activity related to Phobos infrastructure. The group is described as a data-theft-and-extortion operation that sometimes deploys encryption but often focuses on exfiltrating sensitive files and threatening publication or sale if victims do not pay. The content also describes Space Bears as using a dedicated leak site with countdown timers, contact forms, and offers to sell stolen data to third parties. Reported targeting in the provided content spans telecommunications, managed services, manufacturing, and critical infrastructure-related organizations across multiple countries. Cited victims or claimed victims include Vertel in Australia, 3P Corporation in Australia, Texcomp in Saudi Arabia, Kymco in Taiwan, Quasar Inc. in Georgia, and Comcast-related material allegedly obtained via Quasar. One source explicitly characterizes Space Bears as focused on critical infrastructure and using stealthy encryption. The content also notes Space Bears activity against Korean and Japanese organizations, including two incidents attributed to the group in Japan in the first half of 2025 and inclusion among groups responsible for attacks on Korean companies in 2024. Observed extortion behavior in the provided content includes publishing victim entries on a leak site, setting deadlines for public release, claiming exfiltration of SQL databases and sensitive business data, and advertising stolen data for sale. Reported data types include client personal information, financial documents, patent and innovation data, customer and partner data, network project documents, city drawings, communication layouts, city design documentation, and detailed utility plans. The only alias directly provided in the content is "space_bears."