Mallory
🇷🇺 RU · 1 malware family

Wagner Group

Also known as: wagner_group

Wagner Group is a Russian mercenary and paramilitary organization, led by Yevgeny Prigozhin according to the cited reporting. The content describes it as an infamous Russian mercenary outfit reportedly headquartered in Molkino, southern Russia, and active in Ukraine, Syria, Mali, and other parts of Africa. It is referenced as being used by Russia and linked in one report to GRU recruitment of local proxies for sabotage operations in Europe.

The reporting attributes to Wagner Group a documented record of torturing and murdering prisoners and civilians in Ukraine, Syria, and Mali. In April 2023, Prigozhin publicly instructed Wagner fighters to "kill everyone on the battlefield" and said they would "no longer take any prisoners." Former Wagner members cited in the content accused Prigozhin of ordering the group to "annihilate everyone" in Soledar and Bakhmut. The content also states Wagner became notorious for sharing videos of sledgehammer murders and beheadings in Syria and Ukraine.

In Africa and the Sahel, the content describes Wagner-affiliated Telegram channels disseminating graphic conflict content, including torture videos, mutilated bodies, and trophy photos with decapitated heads, as part of information and psychological operations intended to humiliate, threaten, or terrorize combatants and civilians. One report alleges Wagner and Malian armed forces moved toward Kidal in October 2023, leaving destruction and clusters of beheadings in villages along Route 16, and links this campaign to mass displacement.

The content also describes Wagner’s use of Telegram and cryptocurrency-linked infrastructure. Wagner-affiliated entities are said to have used digital assets for fundraising, logistics, and cross-border value transfer. A specialized subunit, Task Force Rusich, is described as a far-right sabotage and assault reconnaissance group operating within Wagner Group. Rusich, established in 2014 by Alexey Milchakov and Yan Petrovsky, is reported to have fought alongside Wagner in Ukraine and Syria and was linked by TRM Labs to cryptocurrency-focused malware, including clipper functionality and possible mining-related activity.

Known subgroup: Task Force Rusich.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Military

Where they target

Geographies tied to known operations.

  • 🇱🇾 Libya
  • 🇨🇩 Congo - Kinshasa

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

7 distinct techniques observed across reporting, grouped by tactic (6 of 15 tactics).

  • TA0043 Reconnaissance (1 technique): T1589 Gather Victim Identity Information
  • TA0042 Resource Development (1 technique): T1585 Establish Accounts
  • TA0005 Stealth (1 technique): T1036 Masquerading
  • TA0011 Command and Control (1 technique): T1105 Ingress Tool Transfer
  • TA0010 Exfiltration (1 technique): T1567 Exfiltration Over Web Service
  • TA0040 Impact (2 techniques): T1491 Defacement; T1496 Resource Hijacking

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

trm labs blog · News
Mar 11, 2026
Self-funding Extremism: How Task Force Rusich Leveraged Malware to Steal and Mine Cryptocurrency | TRM Blog

Russian private military organization described as maintaining cryptocurrency-based financial infrastructure supporting operations (including conflict-zone activity and sanctions evasion). In this reporting, Wagner is linked indirectly through its subunit Task Force Rusich, which is tied to malware-enabled crypto theft and possible mining, with proceeds consolidated through exchange infrastructure.

lawfare media · News
Feb 20, 2026
Europe's Cyber Bullets Can't Replace Political Will | Lawfare

Used as a proxy recruitment vehicle in a Russia-linked sabotage campaign across Europe, including cyber-enabled elements and real-world sabotage.

osint team blog · News
Nov 20, 2025
I Checked the Worst OpSec Practices So You Don’t Have To

Wagner Group is a Russian private military company known for its involvement in armed conflicts and geopolitical operations. The group suffered a major operational security failure when sensitive data backups were stored online and subsequently hacked, exposing their operations and leadership.

lieber westpoint · News
Feb 26, 2025
Terror, Chaos, and Shame: When Information Operations Constitute War Crimes - Lieber Institute West Point

Uses Telegram and affiliated media channels to disseminate graphic conflict content, including torture, mutilation, beheadings, and trophy imagery, to humiliate victims, terrorize civilian populations, and support political and military objectives in Africa, particularly the Sahel and Mali.
