Emerging Ransomware Group: 0Apt | #ransomware | #cybercrime


Summary

A new ransomware group named 0Apt, also known as 0Apt Syndicate, has publicly claimed and leaked partial data for over 190 victims since it emerged on 28 January 2026. 0Apt follows standard double-extortion patterns and operates as a ransomware-as-a-service (RaaS), using affiliates to target victims. Initial analysis of a 0Apt ransomware sample obtained by Halcyon shows that both the Windows and Linux variants are fully operational, confirming that 0Apt runs a competent RaaS panel and a working ransomware payload.

Victim listings on the group’s leak site—branded 0APT | Command Ops—include data sizes, content descriptions, and pressure tactics such as “Clock is ticking” and “Last chance to pay.” 0Apt’s initial listings contain organization names that appear purposefully generic or misleading, which may represent a strategy to attract attention or to give victims time to negotiate. Halcyon has not yet verified the claimed victims and is conducting deeper technical analysis to further understand the ransomware’s capabilities.

Background

On 28 January 2026, a ransomware group calling itself 0Apt began posting victim data to its dark web leak site. The group’s leak site, accessible via a single TOR-based portal running on NGINX 1.22.1, is used for publishing stolen data and applying pressure to victims.

Initial analysis of a 0Apt ransomware sample obtained by Halcyon shows that the malware, written in Rust, encrypts files with the extension “.0apt” and generates a standard ransom note leading to the group’s chat portal. The group has primarily targeted organizations in transportation/logistics, technology, energy, manufacturing, and healthcare sectors, with the United States accounting for the majority of claimed victims. Like most standard RaaS group disclosures, 0Apt attempted to underscore its political neutrality and business focus by publishing the following message on its site: “We are a politically neutral underground syndicate. We do not want to destroy your business, we only want financial compensation. Treat this as a sudden tax on your security negligence.”

0Apt’s rapid posting of 71 victims in approximately two to three days is unusual but not unprecedented. For example, in the first three months of 2025, activity from a separate ransomware group, Clop, increased 1,400% due to mass exploitation of zero-day vulnerabilities; Clop listed 389 victims in February 2025 alone. While there is no evidence that 0Apt has exploited a zero-day, 0Apt may have:

  • Bulk-loaded historical breaches upon launching for impact
  • Exploited a common vulnerability
  • Purchased access from Initial Access Brokers (IABs)

RaaS groups may strategically withhold victim postings to build up a backlog of breached organizations, then publish them all at launch so that the group appears already highly successful and draws attention. Threat actors also routinely scan the internet for devices still unpatched against common vulnerabilities, which gives them an efficient access point, and newly disclosed vulnerabilities are likewise exploited by RaaS groups to gain access to as many organizations as possible in the hope of ultimately being paid a ransom.

Claimed Victims

0Apt has claimed 190 victims since its emergence on 28 January 2026, with 71 of them occurring from 28 January 2026 to 30 January 2026. The group’s targeting appears opportunistic but exhibits a preference for critical infrastructure and data-rich sectors. The healthcare industry has had twenty victims claimed, followed by professional services with eighteen, and technology/software with fifteen. Geographically, the United States dominates the victim list with 54 alleged organizations, followed by the United Kingdom with eight, and Liberia with four.

Notably, the majority of listed victims lack country attribution in current tracking data, suggesting either incomplete intelligence or deliberate obfuscation by the threat actors. Some of the alleged victims’ data contains empty files or is impossible to download with current threat actor infrastructure.

No victims have been marked as having their data fully published yet, potentially indicating the group is still in the negotiation or pressure phase with most targets. The site also uses a “payment status” that ultimately terminates the victim’s countdown, suggesting that victims might not be removed from the site entirely even if they pay. For each published victim the 0Apt site advertises a very large data leak, and the file-tree listing it serves is reported at the same size as the full leak. This setup is unusual and makes it difficult to download the data in order to validate the breaches.

Category         Breakdown                  Count
Top Industries   Healthcare                    20
                 Professional Services         18
                 Technology/Software           15
                 Transportation/Logistics      12
                 Energy & Utilities            11
                 Manufacturing                 10
                 Legal Services                 8
                 Finance                        7
Top Countries    United States                 54
                 United Kingdom                 8
                 India                          5
                 Liberia                        4
                 Canada                         3
                 Japan                          3

Note: Claimed victim numbers are updated as of February 5th, 2026. Additional victim claims are likely to follow.

Mitigations

Organizations should implement the following MITRE ATT&CK mitigation strategies:

Indicators of Compromise (IOCs)

TOX Chat: AE7FDDF4ADD95AC3DF29802662DA14C51E95A99992E8E087974AFE1A57481E5381FE429F8BC8

Session Chat: 058818f5d84c39403b01ffa023a21b9fe118ffb237fd642c53e73944fb7ac02e6f

TOR Infrastructure: http://oaptxiyisljt2kv3we2we34kuudmqda7f2geffoylzpeo7ourhtz4dad[.]onion
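As an added example (not Halcyon’s tooling and not the group’s code), the following Python script sweeps a directory tree for the two artifacts this alert gives a defender to hunt for: files carrying the “.0apt” extension described in the Background section, and small text files that mention the leak-site address or the TOX/Session identifiers listed above. The indicator strings are taken from this page; the sample directory, its file names and the ransom-note file name built by build_sample_tree() are constructed for the demo and are assumptions, not observed 0Apt artifacts.

```python
#!/usr/bin/env python3
"""Offline triage sweep for the 0Apt indicators listed in this alert.

Added example, not Halcyon's tooling: walks a directory tree and reports
(a) files carrying the ".0apt" encrypted-file extension and (b) small text
files that mention the leak-site address or chat identifiers from the IOC
section. Indicator values are from the page; everything created by
build_sample_tree() is constructed for the demo.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_EXT = ".0apt"  # extension appended to encrypted files (Background section)

# Indicators from the IOC section; the onion address is re-fanged ("[.]" -> ".").
IOC_STRINGS = {
    "tor_leak_site": "oaptxiyisljt2kv3we2we34kuudmqda7f2geffoylzpeo7ourhtz4dad.onion",
    "tox_id": "AE7FDDF4ADD95AC3DF29802662DA14C51E95A99992E8E087974AFE1A57481E5381FE429F8BC8",
    "session_id": "058818f5d84c39403b01ffa023a21b9fe118ffb237fd642c53e73944fb7ac02e6f",
}

MAX_NOTE_SIZE = 1 << 20  # ransom notes are tiny; skip large/binary files when grepping


@dataclass
class SweepResult:
    encrypted_files: list[Path] = field(default_factory=list)
    ioc_hits: dict[Path, list[str]] = field(default_factory=dict)

    @property
    def is_suspicious(self) -> bool:
        return bool(self.encrypted_files or self.ioc_hits)


def sweep(root: Path) -> SweepResult:
    """Walk `root`; collect .0apt files and files containing any IOC string."""
    result = SweepResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            # Match on the final suffix so "report.xlsx.0apt" is caught too.
            if path.suffix.lower() == ENCRYPTED_EXT:
                result.encrypted_files.append(path)
                continue
            try:
                if path.stat().st_size > MAX_NOTE_SIZE:
                    continue
                text = path.read_text(errors="ignore")
            except OSError:
                continue  # unreadable or vanished mid-walk; not an error for triage
            # Case-insensitive match; also accept a defanged "[.]onion" in analyst notes.
            haystack = text.lower().replace("[.]", ".")
            hits = [label for label, ioc in IOC_STRINGS.items() if ioc.lower() in haystack]
            if hits:
                result.ioc_hits[path] = hits
    return result


def build_sample_tree() -> Path:
    """Constructed demo tree; file names are assumptions, not observed artifacts."""
    root = Path(tempfile.mkdtemp(prefix="0apt-demo-"))
    docs = root / "docs"
    docs.mkdir()
    (docs / "quarterly.xlsx.0apt").write_bytes(os.urandom(64))  # stand-in for an encrypted file
    (docs / "RESTORE_FILES.txt").write_text(
        "Your network has been encrypted.\n"
        "Contact us at http://" + IOC_STRINGS["tor_leak_site"] + "\n"
        "TOX: " + IOC_STRINGS["tox_id"] + "\n"
    )
    clean = root / "clean"
    clean.mkdir()
    (clean / "notes.txt").write_text("routine maintenance log, nothing to see\n")
    return root


if __name__ == "__main__":
    res = sweep(build_sample_tree())
    for p in res.encrypted_files:
        print(f"[encrypted] {p}")
    for p, labels in res.ioc_hits.items():
        print(f"[ioc] {p}: {', '.join(labels)}")
    print("suspicious" if res.is_suspicious else "clean")
```

Point sweep() at a mounted image or a suspect host’s data volumes. A non-empty result is a trigger to isolate the host and preserve the note for analysis, not a confirmation of 0Apt on its own: the extension alone can be spoofed or reused by another family, and it is the note text tying activity to this group’s leak site and chat identifiers that provides the attribution.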

References

Source Summary

This alert is based on information from dark web monitoring, malware analysis, leak site observations, and published threat intelligence. Technical claims attributed to the advertisement reflect the group’s self-reported capabilities and have not been verified through independent reverse engineering. Assessments may be revised as additional evidence becomes available.

For more ransomware research and threat intelligence, visit the Halcyon Ransomware Research Center.



National Cyber Security