MalwareRansomwareUsed by 1 actor

0APT ransomware

0apt_ransomware, commonly referred to in the provided reporting as 0APT, is a ransomware operation assessed by Cyderes Howler Cell to be an active ransomware-as-a-service (RaaS) platform with a working affiliate model. Although some researchers, including GuidePoint Security, assessed the group may have been a fake gang using other criminals’ stolen data, Cyderes reported that it accessed the group’s RaaS portal, collected malware samples, and determined the ransomware payloads were viable, functional, and ready for deployment. The ransomware was described as a legitimate encrypter emphasizing reliability, operator configurability, and secure cryptographic implementation, with characteristics aligning with broader Rust-based ransomware trends. No specific infection vector, victimology, targeted industries, platforms, or indicators of compromise were provided in the content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

0APT

Cyderes has managed to get its hands on the group's actual ransomware, and it's apparently a legit encrypter.

via risky biz rssnews.risky.biz

MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Impact

1 technique

T1486Data Encrypted for ImpactEvidence2

"The platform allowed affiliates to generate five ransomware samples per account... These samples utilized encryption algorithms including AES256, Salsa20/ChaCha, and the rare Speck cipher... Generated ransomware appends the .0apt extension and drops README0apt.txt"

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

Feb 22, 2026

Attacker gets into France's DB listing all bank accounts • The Register

RaaS ransomware payload described as reliable and configurable, with secure cryptographic implementation and aligned with modern Rust-based ransomware development trends.

risky biz rssNews

Feb 18, 2026

Supply chain attack plants backdoor on Android tablets

Ransomware referenced as a functional file-encrypting payload ('legit encrypter') after prior claims of fake victim listings.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.