TridentLocker
TridentLocker is a ransomware-as-a-service (RaaS) group that emerged in late November 2025 and has publicly claimed multiple attacks via its Tor-based leak site. The group uses double-extortion tactics, encrypting systems and threatening to leak exfiltrated data, and has also been described as calling itself a data broker. Techniques explicitly reported include data exfiltration over web protocols (MITRE ATT&CK T1071.001) and encryption for impact (T1486). Since its emergence, it has listed about 12 victims on its leak site. Reported targeting spans manufacturing, government, IT, and professional services, with activity primarily affecting North America and Europe; China, the UK, and Belgium are also referenced. Confirmed or publicly claimed victims include Sedgwick Government Solutions, from which TridentLocker claimed to have stolen about 3.39-3.4 GB of data from an isolated file transfer system and published samples, and Belgium's postal operator bpost, where the group claimed to have exfiltrated 5,140 files totaling about 30.46 GB from a third-party exchange platform. Aliases directly provided in the reporting: tridentlocker.
Targeting
Who the actor targets, where, and (when attributed) which state is behind the operation, drawn from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- insurance
- government
Tradecraft
6 distinct techniques observed across reporting, grouped by tactic.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
Ransomware and extortion activity targeting a government-services subsidiary; the group claims data theft and uses leak-site threats to coerce payment or negotiation.
Conducting ransomware attacks against government contractors.
TridentLocker is a ransomware-as-a-service group that conducts data theft and extortion operations, targeting organizations such as Sedgwick Government Solutions and claiming to exfiltrate sensitive data.
TridentLocker is a ransomware-as-a-service group that emerged in late November 2025. It conducts double-extortion ransomware attacks, encrypting victim systems and threatening to leak exfiltrated data. The group has claimed at least 12 victims across manufacturing, government, IT, and professional services, primarily in North America and Europe.