D1R is a ransomware and data-extortion threat group publicly associated with attacks against organizations in the technology and manufacturing sectors, including reported victims such as ARM, Bosch, and Synopsys. The group appears to operate as an extortion actor that publicizes alleged breaches and leaked data, positioning itself within the broader ransomware ecosystem. Observed reporting links D1R to opportunistic targeting of high-value enterprises and to the exploitation of information exposed through prior third-party or supply-chain compromises. The group has claimed to analyze technical leaks from other threat actors and use those materials to identify additional targets, discover access paths, and prioritize valuable intellectual property or engineering-related data. In reported incidents, D1R has emphasized theft and exposure of sensitive corporate information rather than providing a well-corroborated picture of bespoke malware development or a distinctive intrusion toolkit. The group’s claimed tradecraft includes leveraging previously leaked data, cross-referencing victim information across multiple breaches, and attempting to capitalize on downstream trust relationships and third-party access. Its victimology suggests an interest in organizations holding proprietary engineering, semiconductor, software, or industrial data. Publicly available information currently supports describing D1R primarily as a ransomware-associated extortion actor; there is not enough high-confidence evidence to attribute it to a specific nation state, to define stable sub-groups, or to establish widely recognized aliases beyond D1R itself.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware/data breach operation against ARM and claiming access enabled by leaked Synopsys data, with theft of the Athena Download Manager tool and publication of breach details.
Conducting a ransomware/data extortion attack against Bosch and claiming leaked access and archives obtained via a third-party exposure involving Synopsys.
Conducting a ransomware attack resulting in a data breach and leak involving Synopsys.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.