Skip to main content
Mallory
Back to threat actors

Zeon

Also known asZeon

Zeon is a ransomware group identified in reporting as one of the successor or splinter groups that emerged after the 2022 breakup of the Russian-language Conti ransomware collective. Multiple sources in the provided content state that former Conti members rebranded under three subgroups: Zeon, Black Basta, and Quantum; other reporting also lists ZEON among groups that former Conti members later joined, formed, infiltrated, or took over. The content places Zeon activity in 2022, with Trend Micro observation cited for September 2022 and possible earlier activity as early as late January 2022. Zeon is therefore best understood here as part of the broader post-Conti ransomware ecosystem tied to Russian-language cybercrime actors. Known related groups and aliases directly mentioned in the content include Conti as its predecessor context, and peer successor groups Black Basta and Quantum; Quantum is further described as later rebranding to Royal and then BlackSuit. No additional Zeon-specific victimology, TTPs, or sub-groups are directly provided in the content beyond its association with former Conti members and its place in that rebranding/splintering timeline.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0040
Impact
1 technique
T1486
Data Encrypted for Impact
ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
cyberscoopNews
Jun 12, 2026
Conti ransomware group member pleads guilty, faces up to 20 years in prison | CyberScoop

Named as one of the successor groups formed by former Conti members after Conti disbanded.

Read more
bleeping computerNews
Jun 12, 2026
Ukrainian national pleads guilty to role in Conti ransomware operation

Named as one of the ransomware groups that former Conti members reportedly splintered into after Conti shut down.

Read more
cyberscoopNews
May 5, 2026
Latvian national sentenced for ransomware attacks run by former Conti leaders | CyberScoop

One of the named subgroups formed by former Conti members after Conti disbanded.

Read more
cyberscoopNews
Jan 21, 2026
Black Basta’s alleged ringleader identified as authorities raid homes of other members | CyberScoop

Named as a rebranded subgroup emerging from the Conti ecosystem after Conti’s 2022 disbandment.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.