Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareRansomware

Dire Wolf

Dire Wolf is a ransomware operation first observed in 2025 and described as a new Golang-based ransomware threat. Reporting states it has impacted victims in 11 countries and uses double extortion, encrypting victim data while also threatening to publish exfiltrated information. Separate reporting also notes file-wiping behavior. Dire Wolf has been tracked as an emerging ransomware group in 2025, including in industrial-sector ransomware reporting, and was listed among newly identified groups affecting industrial organizations. Multiple sources characterize it as part of a broader 2025 trend in which newer ransomware groups increasingly relied on data theft and leak-site extortion, in some cases without deploying ransomware lockers. Dire Wolf launched a dark web leak site in 2025; one report said the site initially listed four victims, while another source noted the group had recorded roughly 10 to 13 incidents. High-confidence details in the provided content do not specify precise infection vectors, malware family lineage, or technical indicators of compromise beyond its Golang implementation, double-extortion model, leak-site activity, and reported file-wiping behavior.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Impact

2 techniques
T1485Data DestructionEvidence1

Dire Wolf Ransomware: New Golang Threat Hits 11 Countries with Double Extortion & File Wiping

T1486Data Encrypted for ImpactEvidence1

Dire Wolf Ransomware: New Golang Threat Hits 11 Countries with Double Extortion & File Wiping

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
cyberthroneNews
Dec 31, 2025
New Ransomware Emerged in 2025 – Threat Intel Report

A ransomware family that appeared in 2025, using identity-based access vectors for initial compromise.

Read more
cyble comNews
Dec 30, 2025
Top 10 Threat Actor Trends from 2025 — and What They Signal for 2026 

Extortion-focused group that conducts data theft and leak-based extortion attacks, often without deploying traditional ransomware encryption.

Read more
dragos blogNews
Dec 9, 2025
Dragos Industrial Ransomware Analysis: Q3 2025 | Dragos

Ransomware operation referenced as a mid-volume group impacting industrial sectors.

Read more
the hacker newsNews
Aug 25, 2025
⚡ Weekly Recap: Password Manager Flaws, Apple 0-Day, Hidden AI Prompts, In-the-Wild Exploits & More

Double-extortion ransomware that encrypts victim data and threatens to leak exfiltrated data unless ransom is paid.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping2

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.