
Weyhro

Also known as: weyhro

Weyhro is an emerging ransomware/extortion group first listed as a new ransomware variant appearing in March 2024. Reporting in the provided content places it among new and emerging ransomware groups observed through 2025. Flashpoint states that Weyhro, like RansomHub, shifted to a pure extortion model and ditched encryption. Dragos also lists Weyhro among new/emerging ransomware groups observed in Q1 2025. The content further notes that LockBit 5.0 was assessed to have reposted victim data taken from other groups, including Weyhro, indicating Weyhro operated a leak site or public victim-claiming mechanism. Mentioned victim claims attributed to Weyhro include Avantune, Fragola S.p.A, MBI International, Resnick & Caffrey, CELCO Inc, Montgomery, Little & Soran, Terra Construction, Valens Bank Pay Exchange, Adriatic Glass & Mirrors, McMillan James Equipment Company, 101 Arch Street, Synergy Investments, Community Services of Missouri, and Chemtron RiverBend. The content does not attribute Weyhro to a nation-state and does not provide confirmed aliases or sub-groups beyond the name Weyhro itself.
