CyberVolk
CyberVolk is a pro-Russian hacktivist group, also referred to as GLORIAMIST, first documented in late 2024. Open-source reporting describes the group as conducting attacks aligned with Russian government interests, including attacks against public and government entities that oppose Russia or side with Ukraine. Reporting also states that CyberVolk is India-based or of Indian origin. CyberVolk is associated with both DDoS activity and ransomware operations.

In 2025, after a period of dormancy attributed to Telegram enforcement actions, the group resurfaced in August with a ransomware-as-a-service offering called VolkLocker, also referred to as CyberVolk 2.x. VolkLocker is described as Golang-based, cross-platform ransomware targeting Windows and Linux, including VMware ESXi environments. The operation is managed through Telegram, which is used for payload building, command-and-control, affiliate management, victim messaging, decryption workflows, and broader automation. Reporting states that VolkLocker uses AES-256-GCM for file encryption, attempts privilege escalation via the Windows ms-settings UAC bypass, performs system and environment discovery, enumerates drives, checks for virtualization and sandbox artifacts, modifies the Windows Registry, deletes volume shadow copies, and terminates security- or analysis-related processes. The ransomware also includes destructive enforcement behavior: it deletes user folders and performs other wipe actions if a payment deadline expires or an incorrect decryption key is entered repeatedly.

A consistently reported implementation flaw in VolkLocker is that the master encryption key is hard-coded in the executable and also written in plaintext to %TEMP%\system_backup.key, apparently a test artifact left in production builds. This flaw can allow victims to recover encrypted files without paying.
Multiple sources also describe CyberVolk as reusing, tweaking, and rebranding leaked ransomware source code, including code derived from AzzaSec. CyberVolk monetizes access to VolkLocker through tiered RaaS pricing and has reportedly expanded its offerings to include standalone remote access trojan and keylogger tools. Reporting further notes repeated Telegram bans and channel removals, aggressive recruitment of lesser-skilled affiliates, and operational quality-control issues reflected in debug or test artifacts shipped in live builds.
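The host artifacts named in the reporting above (the plaintext key dropped in %TEMP%, volume shadow copy deletion, and the registry modification used by the ms-settings UAC bypass) can be triaged together from endpoint telemetry. This is an added example, not code from the page or from Mallory; the event schema and the sample events are constructed, and the ms-settings registry path is the one commonly associated with that bypass rather than anything stated on the page.

```python
import re

# Indicators drawn from the reporting above. The event schema (type/path/
# cmdline/key/host) is an assumption loosely modelled on Sysmon events.
KEY_DROP = re.compile(r"\\temp\\system_backup\.key$", re.I)
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)
# Registry path commonly associated with the ms-settings UAC bypass.
MS_SETTINGS_CMD = re.compile(r"\\software\\classes\\ms-settings\\shell\\open\\command", re.I)


def classify(event):
    """Return the finding labels that one event triggers (empty if none)."""
    hits = []
    kind = event.get("type")
    if kind == "file_create" and KEY_DROP.search(event.get("path", "")):
        hits.append("volklocker_plaintext_key_drop")
    if kind == "process_create" and SHADOW_DELETE.search(event.get("cmdline", "")):
        hits.append("shadow_copy_deletion")
    if kind == "registry_set" and MS_SETTINGS_CMD.search(event.get("key", "")):
        hits.append("ms_settings_uac_bypass_prep")
    return hits


def hunt(events):
    """Group findings per host; several distinct labels on one host is the
    strong signal, since a lone shadow-copy deletion has benign causes."""
    per_host = {}
    for ev in events:
        for label in classify(ev):
            per_host.setdefault(ev["host"], set()).add(label)
    return {host: sorted(labels) for host, labels in per_host.items()}


# Constructed sample events, not real telemetry.
SAMPLE = [
    {"host": "ws01", "type": "file_create",
     "path": r"C:\Users\a\AppData\Local\Temp\system_backup.key"},
    {"host": "ws01", "type": "process_create",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "type": "registry_set",
     "key": r"HKCU\Software\Classes\ms-settings\shell\open\command"},
    {"host": "ws02", "type": "file_create",
     "path": r"C:\Users\b\Documents\notes.txt"},
    {"host": "ws02", "type": "process_create",
     "cmdline": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for host, labels in hunt(SAMPLE).items():
        print(host, ", ".join(labels))  # only ws01 is reported
```

A recovered %TEMP%\system_backup.key should be preserved as evidence before any cleanup, since reporting indicates it is what makes decryption without payment possible.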
Targeting
Who, where, and (when attributed) which flag flies behind the operation, pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
2 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
17 sources tracked across advisories, community write-ups, and news. Source summaries:
- Pro-Russian hacktivist crew that launched a ransomware service but made implementation mistakes by hardcoding master keys into executables, enabling victim recovery without payment.
- Pro-Russian hacktivist group operating a ransomware-as-a-service offering (VolkLocker) with noted cryptographic/implementation weaknesses enabling free decryption.
- A pro-Russian hacktivist collective known for reusing and rebranding leaked ransomware code, recently active with VolkLocker.
- Running large-scale ransomware operations using AI-driven tooling for negotiation, phishing, and multilingual attacks, orchestrated via Telegram.