Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors

DireWolf

Also known asdirewolf

DireWolf is a ransomware group first reported as emerging in May 2025, with first victim postings on its leak site reported on May 26, 2025. Reporting cited in the provided content describes it as quickly demonstrating mature extortion operations, including structured victim posting and double extortion tactics. A later August 28, 2025 deep-dive referenced in the content reported about 39 confirmed victims through August 2025. Victim geography in the provided reporting spans more than 11 countries, with concentration in Singapore, Thailand, the Philippines, and Taiwan. Additional reporting in the content states DireWolf claimed multiple victims in Malaysia. Sector-focused reporting from Cyfirma says Direwolf showed one of the highest levels of focus on the energy and utilities industry among ransomware groups with meaningful victim counts. Specific incidents mentioned in the content include a ransomware attack against a Pakistani automobile assembly and sales company and an attack on Universidad Mayor in Chile, for which the DireWolf group took credit. The content associates DireWolf with a malicious domain used in campaigns or social engineering: tor-browser[.]io, including subdomains such as www, sitemap, and sitemaps. The group is also listed among newer or newly prominent ransomware groups observed in 2025. No nation-state attribution is provided in the supplied content. Known alias in the content: direwolf / DireWolf.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Energy
  • Utilities
MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics2 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1566
Phishing
TA0040
Impact
1 technique
T1486
Data Encrypted for Impact
ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
the hacker newsNews
Feb 10, 2026
Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools

Named as a ransomware crew that emerged in 2025; no additional details provided.

Read more
bitdefender blogNews
Feb 10, 2026
Bitdefender Threat Debrief | February 2026

Ransomware group referenced for claiming multiple victims in Malaysia; associated victims in the regional summary were largely manufacturing organizations.

Read more
industrialcyberNews
Feb 4, 2026
Energy and utilities cyber threats escalate as ransomware and APT activity rise, Cyfirma reports - Industrial Cyber

Ransomware group showing focused attention on the energy and utilities sector.

Read more
cyble blogNews
Jan 1, 2026
10 New Ransomware Groups Of 2025 & Threat Trends For 2026

Ransomware operation that rapidly achieved mature double-extortion processes and structured leak-site victim posting; reported Asia-heavy victim concentration.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.