
Zeon

Zeon is an in-house ransomware encryptor associated with the post-Conti ecosystem and with early activity that later evolved into Royal ransomware. Reporting cited here states that Royal’s first known in-house encryptor was named Zeon, that Zeon-generated ransom notes closely resembled Conti’s, and that the FBI and CISA assess Royal evolved from earlier iterations that used Zeon as a loader. Activity associated with Zeon was observed around September 2022, with some reporting noting possibly related infrastructure activity as early as late January 2022. The malware is linked to actors from the Conti syndicate: multiple sources describe Conti members fragmenting into successor groups including Zeon, and one report says the Russian-language collective rebranded under subgroups including Zeon, Black Basta, and Quantum. High-confidence behavioral detail specific to Zeon is limited in the available reporting, but in context it is tied to enterprise-targeting ransomware operations and the Royal/Conti lineage. No Zeon-specific indicators of compromise beyond the name and its association with Conti-like ransom notes are provided.


What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.