cmdorganization is a ransomware threat actor publicly associated with data-theft extortion activity against organizations in multiple countries during 2026. Reported victims span diverse sectors including financial services, education, healthcare, manufacturing, business services, public administration, refrigeration and food-related services, indicating broad opportunistic targeting rather than a narrowly specialized victimology. Observed geographic scope includes organizations in the United Kingdom, Canada, Norway, the United States, India, Georgia, and Colombia. The group has been linked to ransomware incidents described as data breaches, suggesting operations that combine network compromise with exfiltration and extortion. Reported victim narratives indicate the actor targets both public- and private-sector entities, including municipalities, universities, healthcare providers, manufacturers, and service firms. This pattern is consistent with financially motivated ransomware operations that seek leverage through operational disruption and threatened exposure of stolen data. There is currently no high-confidence public information in the available material establishing cmdorganization’s nationality, state affiliation, malware family lineage, initial access methods, persistence mechanisms, or distinctive tradecraft beyond ransomware-enabled data breach and extortion activity. No corroborated sub-groups or widely used alternate aliases are established here beyond the name cmdorganization itself.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware attack against Finance Yorkshire, a UK-based financial services organization.
Conducting a ransomware attack and associated data breach against Mount Royal University, with claims of more than 10TB of data affected.
Conducting a ransomware attack resulting in a data breach against Medlink Georgia, a healthcare organization.
Named as the ransomware group responsible for the attack against Port Angeles Composite, a US manufacturing organization.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.