Dire Wolf
Dire Wolf is a human-operated ransomware operation first documented in May 2025 and linked to targeted, financially motivated intrusions. The group uses a double-extortion model, combining system encryption with the threat of data exposure, and operates a dedicated dark web leak site where victim disclosures are published in batches. Victims are directed to one-to-one negotiation via Tox, with staged deadlines and escalation through the leak site if negotiations fail. Reported victim activity spans multiple regions and sectors, with technology and manufacturing organizations repeatedly appearing; one source also characterized the group as having an Asia/Italy focus.

Technically, Dire Wolf uses a Go-based Windows encryptor, commonly delivered as a UPX-packed executable. The malware uses a system-wide mutex and a local marker file to avoid redundant execution, encrypts local storage and accessible network resources, applies exclusions to preserve basic OS operability, and appends the .direwolf extension to encrypted files. Its encryption design uses Curve25519-based key exchange with ChaCha20 for file encryption, generating per-file session keys; smaller files are fully encrypted, while larger files may be partially encrypted for speed. After encryption, it commonly drops a ransom note named HowToRecoveryFiles.txt, may record local completion state, self-delete, and in some cases trigger a forced reboot.

Intrusions may also include pre-encryption steps intended to weaken recovery options, including disruption of backup and recovery capabilities and suppression or disabling of Windows event logging. Dire Wolf has also been observed in intrusion contexts involving the EDR killer SmilingKiller. ESET reported SmilingKiller during LockBit and Dire Wolf intrusions and noted that it uses control-flow flattening and was inspired by kill-floor, while switching the abused driver to K7RKScan.sys.

Aliases directly reflected in the content: dire_wolf.
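The profile above names three host-side artifacts a defender can pivot on: the .direwolf extension appended to encrypted files, the HowToRecoveryFiles.txt ransom note, and the clearing of Windows event logs before encryption. The following is an added detection sketch, not code from this page or from the Mallory product, that tags those artifacts in endpoint telemetry and raises a per-host finding when a burst of .direwolf writes lands within a short window. The telemetry records and their field names (ts, host, kind, path, channel, event_id) are constructed for this example; the Windows "log cleared" event IDs (Security 1102, System 104) are real.

```python
"""Tag Dire Wolf post-intrusion artifacts in constructed endpoint telemetry.

Added defender-side example; record schema is this example's own, not any vendor's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".direwolf"                     # extension appended to encrypted files
RANSOM_NOTE = "howtorecoveryfiles.txt"       # ransom note file name (compared case-insensitively)
# Windows events written when a log is cleared: Security 1102, System 104
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed sample telemetry (not real captures). WS-07 shows the full pattern:
# logs cleared, then a burst of .direwolf writes and the ransom note.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T02:14:05", "host": "WS-07", "kind": "log_cleared", "channel": "Security", "event_id": 1102},
    {"ts": "2025-06-01T02:14:06", "host": "WS-07", "kind": "log_cleared", "channel": "System", "event_id": 104},
    {"ts": "2025-06-01T02:15:10", "host": "WS-07", "kind": "file_write", "path": "C:\\Users\\a\\Documents\\q1.xlsx.direwolf"},
    {"ts": "2025-06-01T02:15:11", "host": "WS-07", "kind": "file_write", "path": "C:\\Users\\a\\Documents\\q2.xlsx.direwolf"},
    {"ts": "2025-06-01T02:15:11", "host": "WS-07", "kind": "file_write", "path": "C:\\Users\\a\\Pictures\\img01.jpg.direwolf"},
    {"ts": "2025-06-01T02:15:12", "host": "WS-07", "kind": "file_write", "path": "C:\\Users\\a\\Desktop\\todo.docx.direwolf"},
    {"ts": "2025-06-01T02:15:12", "host": "WS-07", "kind": "file_write", "path": "C:\\Users\\a\\Documents\\HowToRecoveryFiles.txt"},
    {"ts": "2025-06-01T02:15:30", "host": "SRV-02", "kind": "file_write", "path": "\\\\fs01\\share\\plans.docx.direwolf"},
    {"ts": "2025-06-01T09:00:00", "host": "WS-09", "kind": "file_write", "path": "C:\\Users\\b\\notes.txt"},
]


def tag_event(ev):
    """Return the list of indicator tags that apply to one telemetry record."""
    tags = []
    if ev["kind"] == "log_cleared" and (ev.get("channel"), ev.get("event_id")) in LOG_CLEAR_EVENTS:
        tags.append("event_log_cleared")
    if ev["kind"] == "file_write":
        path = ev["path"].lower()
        if path.endswith(RANSOM_EXT):
            tags.append("direwolf_extension")
        if path.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            tags.append("ransom_note")
    return tags


def _has_burst(times, n, window):
    """True if any n consecutive timestamps (sorted) fall within `window`."""
    times = sorted(times)
    return any(times[i + n - 1] - times[i] <= window for i in range(len(times) - n + 1))


def analyze(events, burst_threshold=3, window=timedelta(minutes=5)):
    """Aggregate per host; returns {host: {"severity", "indicators", "burst"}}.

    Hosts with no indicators are omitted. A burst of .direwolf writes or the
    ransom note is rated high; isolated indicators are rated medium.
    """
    per_host = defaultdict(lambda: {"tags": set(), "ext_times": []})
    for ev in events:
        tags = tag_event(ev)
        entry = per_host[ev["host"]]
        entry["tags"].update(tags)
        if "direwolf_extension" in tags:
            entry["ext_times"].append(datetime.fromisoformat(ev["ts"]))

    findings = {}
    for host, entry in per_host.items():
        if not entry["tags"]:
            continue
        burst = _has_burst(entry["ext_times"], burst_threshold, window)
        severity = "high" if burst or "ransom_note" in entry["tags"] else "medium"
        findings[host] = {"severity": severity, "indicators": sorted(entry["tags"]), "burst": burst}
    return findings


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_EVENTS).items():
        print(host, finding)
```

The burst threshold and window are deliberately small so the constructed sample trips them; in production they should be tuned against the baseline rate of renames on file servers, and the log-cleared tag is worth alerting on by itself because it precedes encryption in the reported intrusion flow.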
Tradecraft
12 distinct techniques observed across reporting, grouped by tactic.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Ransomware group associated with use of the SmilingKiller EDR killer during intrusions to evade defenses.
Ransomware group observed using SmilingKiller during intrusions.
Human-operated, targeted ransomware/extortion operation (first observed May 2025) using double extortion (data theft + encryption) with a dedicated leak site and one-to-one negotiations via Tox. Uses a Go-based Windows encryptor (often UPX-packed) that encrypts local and accessible network resources, appends .direwolf, drops HowToRecoveryFiles.txt, and may self-delete/force reboot. Pre-encryption activity includes disrupting backups/recovery and suppressing/clearing Windows event logs to hinder restoration and forensics.
Dire Wolf is a ransomware group that, in 2025, focused on data theft and leak-based extortion rather than traditional ransomware encryption, aiming to pressure victims through reputational damage.