RADAR

Also known asradar

Radar is a cybercriminal threat actor identified in the provided reporting as both a ransomware group and an initial access broker (IAB). Reporting cited in the content states that four new ransomware groups emerged in 2025, including Radar. Separate reporting describes RADAR as a known IAB that listed RDP access to a Swiss company for sale in mid-October; that victim reportedly appeared on RansomHub’s leak site just over a month later, indicating a likely handoff of access to a downstream ransomware operator. The content also states that the RADAR group carried out a cluster of attacks against the real estate sector. Based on the provided material, Radar’s observed activity includes brokering or selling compromised remote access, specifically RDP access, and conducting attacks associated with the real estate sector. No nation-state attribution is provided in the content, and no additional aliases or sub-groups are mentioned beyond the name RADAR/Radar.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

real estate

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

dark readingNews

Jan 14, 2026

Retail, Services Industries Under Fire in Oceania

Cluster of attacks attributed to RADAR against real estate organizations in Oceania.

ahnlab asec blogNews

Sep 11, 2025

Ransom & Dark Web Issues Week 2, September 2025

Radar is a newly emerged ransomware group active as of September 2025.

scworldNews

May 1, 2025

An identity defenders’ worst nightmare? Initial Access Brokers and here is why

Initial Access Broker (IAB) that advertises/sells RDP access; example given of an apparent handoff where access sold preceded the victim appearing on a ransomware leak site (RansomHub).

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.