Thor
Thor is a threat actor cluster first observed attacking Russian companies in 2025. The group is involved in ransomware operations, deploying LockBit and Babuk ransomware as final payloads. Thor exploits vulnerabilities in Microsoft SharePoint (CVE-2025-53770), Ivanti Endpoint Manager Mobile (CVE-2025-4427 and CVE-2025-4428), Ivanti Connect Secure (CVE-2024-21887), and Ivanti Sentry (CVE-2023-38035) to gain initial access. For persistence, Thor utilizes tools such as Tactical RMM and MeshAgent. There is no high-confidence attribution regarding Thor's origins or nation-state affiliation based on the available information.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Thor is a threat group involved in ransomware attacks against Russian companies, deploying ransomware and remote management tools for persistence.
Thor is a financially motivated threat group targeting Russian organizations with ransomware and related tools, focusing on data theft and extortion.