Securotrop is a ransomware threat actor and ransomware-as-a-service operation that emerged publicly in 2025 and has been described as a splinter or affiliate operating within the Qilin ecosystem. The group maintains its own leak site while reportedly leveraging Qilin-associated infrastructure or code, indicating a semi-independent cluster rather than a wholly distinct lineage. Securotrop is associated with double-extortion operations in which data theft is used alongside ransomware pressure, and reporting has characterized the group as placing notable emphasis on exfiltration and public exposure of stolen information. Victimology attributed to Securotrop spans multiple sectors, including energy, transportation and logistics, media, retail, manufacturing, construction, and communications, with observed targeting concentrated at least in part on organizations in the United States. Publicly claimed victims indicate opportunistic enterprise targeting rather than a narrowly specialized vertical focus. The group has been linked to incidents involving large-scale data theft claims and subsequent publication or threatened publication on its leak platform. Securotrop is known primarily by the name Securotrop, including the stylized form SECUROTROP. It has been described as operating within the Qilin network and as a breakaway from the main Qilin gang, but the precise organizational relationship is not fully established at high confidence beyond that reported linkage. No reliable public evidence in the available material supports attribution to a specific nation state. Overall, Securotrop should be understood as a financially motivated ransomware actor aligned with the broader Qilin criminal ecosystem, using extortion centered on stolen data and public victim shaming to coerce payment.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware attack resulting in a data breach against ProDirectional Drilling.
Conducting a ransomware attack resulting in a data breach against Charisma Media.
Conducting a ransomware attack and associated data breach against Kriete Truck Centers.
RaaS ransomware group active since at least August 2025, publishing victims on its own leak site, conducting double-extortion attacks, and appearing to emphasize data theft and review of exfiltrated data.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.