xp95
XP95 is an emerging cybercrime extortion group. Reporting cited in the source material says the group was first observed on 4 March, with no prior threat intelligence references linking it to any known organized group or earlier campaigns. XP95 has been described as operating a pure data theft and extortion model rather than deploying ransomware encryption: it steals sensitive data from victim environments, publishes proof-of-compromise samples on a Tor-hosted leak site, cross-posts victim data samples to BreachForums, issues ransom demands with hard payment deadlines, and threatens to publicly release or sell stolen datasets if victims do not pay. Victims mentioned in the source material include Healthdaq, a recruitment platform used by Northern Ireland health trusts; Statistics South Africa; Gauteng Province in South Africa; and Eholo Health, a Spanish mental health SaaS platform serving psychologists in Spain and Andorra. In the Healthdaq incident, XP95 claimed responsibility, demanded a ransom, and said it stole nearly half a million files including driving licences, criminal background checks, and vaccine records. Reporting on that breach says the exposed data may have included names, contact details, CVs, qualifications, passport copies, other government-issued identification, forms, and in some cases health information. In the Statistics South Africa case, XP95 claimed to have stolen 453,362 files totaling 154 GB and demanded $100,000 to prevent release. In the Eholo Health case, XP95 claimed to have stolen 165 GB of data, including 1,146,700 medical notes and personal information of 601,308 users, and said it leaked the data after a $300,000 ransom was not paid. The available reporting in the provided content does not confirm that XP95 encrypts victim systems. No aliases or sub-groups other than the name XP95 are identified in the source material.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Health Care Equipment & Services
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇮🇪 Ireland
- 🇬🇧 United Kingdom
- 🇨🇦 Canada
- 🇦🇺 Australia
Tradecraft
7 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A relatively new extortion-focused threat actor claiming responsibility for attacks against Healthdaq and previously Eholo Health. The group reportedly steals sensitive data and extorts victims without deploying file-encrypting ransomware.
Claimed responsibility for a ransomware-style extortion incident against Healthdaq, alleging theft of nearly half a million sensitive files and demanding a ransom.
Emerging cybercrime group conducting ransomware-associated data theft and extortion operations. The group claims breaches against South African government entities and healthcare-related organizations, steals large volumes of sensitive data, posts victims on a leak site, demands ransom payments, and threatens or carries out public data leaks when victims do not pay.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.