DoppelPaymer
DoppelPaymer is a ransomware operation tied, in the reporting collected here, to the Evil Corp cybercrime ecosystem, which is described as Russia-based and sanctioned by the United States. DoppelPaymer evolved from Evil Corp's earlier ransomware (the BitPaymer lineage), and the Grief operation is described as an offshoot or possible rebrand of DoppelPaymer.

DoppelPaymer is consistently described as a double-extortion operation: it steals data before encrypting victim systems and threatens to publish that data on its leak site if the ransom is not paid. The reporting notes that this data-exposure extortion model was adopted by major ransomware operations, DoppelPaymer among them, alongside or after Maze, and that DoppelPaymer did publish victim data on its leak site.

Several intrusion-enablement and operational techniques are linked to the group. Infoblox identified SocGholish (FakeUpdates) fake browser-update infections as an entry point used by ransomware groups including DoppelPaymer, and separate reporting notes that the QBot (Qakbot) banking trojan has delivered DoppelPaymer and other ransomware. Reporting on adversaries abusing legitimate rootkit-removal kits and antivirus drivers to impair or disable endpoint defences (the pattern defenders now call bring your own vulnerable driver, BYOVD) cites DoppelPaymer in that discussion.

Victimology in the reporting spans manufacturing, government, education, telecommunications, energy, and industrial organizations. Named victims or claimed victims include Foxconn CTBG MX / Foxconn North America in Ciudad Juárez, Compal, PEMEX, Bretagne Télécom, Banijay Group SAS, Newcastle University, Hall County in Georgia, the City of Torrance, and Delaware County. In the Foxconn incident in late November 2020, DoppelPaymer reportedly demanded 1804.0955 BTC (about $34.7 million at the time), claimed to have stolen 100 GB of data, encrypted roughly 1,200 to 1,400 servers, and destroyed 20 to 30 TB of backups; Foxconn files were later published on the group's leak site. Another report states that DoppelPaymer demanded nearly $17 million from Compal.
The reporting also highlights the industrial and OT exposure created by DoppelPaymer extortion leaks. Mandiant analyzed a reshared 2.3 GB DoppelPaymer leak from a major Latin American oil and gas organization and found usernames, passwords, IP addresses, remote-service information, asset tags, OEM information, operator panel information, and network diagrams: enough for a follow-on actor to map and reach control-system assets without touching the victim's network first.

Law-enforcement reporting states that in mid-May 2025 Moldovan and Dutch authorities arrested a DoppelPaymer ransomware affiliate linked to multimillion-dollar losses at European entities.
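The items Mandiant lists in that leak (credentials, internal addresses, remote-service details, asset and OEM information) are exactly what a defender should triage first when a dump naming their organization resurfaces. The following is an added example, not Mandiant's tooling and not code from the page: a small Python triage script that scans the text extracted from a dump for addresses inside your own ranges, hostnames in your own domains, credential-looking lines, and remote-access references. The sample dump, the address range, the domain, and the function names are all constructed for illustration.

```python
"""Triage an extortion-leak text dump for exposure that matters to your own
environment. Added example; the sample dump, ranges, domain and names are
constructed, not taken from any real leak."""
import ipaddress
import re

# Constructed sample of the kind of content an OT/IT document dump contains.
SAMPLE_DUMP = """\
Site: Terminal-3 control room
HMI01  10.40.12.5   operator panel, OEM: Acme HMI v2.1, asset tag OT-00231
plc-tank-07 10.40.12.77 Modbus/TCP
RDP jump host: jump.corp.example.com (10.40.1.10) user=svc_ot password=Summer2020!
VNC 10.40.12.5:5900 pass: operator
vendor remote access via teamviewer id 123456789
Some unrelated text with an external address 8.8.8.8
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Dotted names; IP addresses also match this but are filtered by domain suffix.
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9-]+)+\b", re.I)
# Lines that carry something shaped like a credential assignment.
CRED_RE = re.compile(r"\b(?:user(?:name)?|pass(?:word)?|pwd)\s*[:=]\s*(\S+)", re.I)
# Remote-service mentions: each one is a foothold the attacker now knows about.
REMOTE_RE = re.compile(r"\b(rdp|vnc|teamviewer|anydesk|ssh|telnet)\b", re.I)


def triage(dump, org_cidrs, org_domains):
    """Return what in the dump points at the organization described by
    org_cidrs (e.g. ["10.40.0.0/16"]) and org_domains (e.g. ["example.com"])."""
    nets = [ipaddress.ip_network(c) for c in org_cidrs]
    doms = tuple(d.lower() for d in org_domains)
    findings = {
        "internal_ips": set(),   # addresses inside your ranges
        "external_ips": set(),   # everything else (vendors, public services)
        "hostnames": set(),      # names under your domains
        "credential_lines": [],  # 1-based line numbers to rotate from
        "remote_lines": [],      # 1-based line numbers naming remote access
    }
    for lineno, line in enumerate(dump.splitlines(), 1):
        for ip_s in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(ip_s)
            except ValueError:  # e.g. 999.1.1.1 matched the regex
                continue
            bucket = "internal_ips" if any(ip in n for n in nets) else "external_ips"
            findings[bucket].add(ip_s)
        for host in HOST_RE.findall(line):
            if host.lower().endswith(doms):
                findings["hostnames"].add(host.lower())
        if CRED_RE.search(line):
            findings["credential_lines"].append(lineno)
        if REMOTE_RE.search(line):
            findings["remote_lines"].append(lineno)
    return findings


def report(findings):
    """Render findings as a short text block, credentials first."""
    lines = [
        f"credential lines (rotate now): {findings['credential_lines']}",
        f"remote-access lines: {findings['remote_lines']}",
        f"internal addresses exposed: {sorted(findings['internal_ips'])}",
        f"hostnames exposed: {sorted(findings['hostnames'])}",
        f"external addresses (context only): {sorted(findings['external_ips'])}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_DUMP, ["10.40.0.0/16"], ["example.com"])))
```

Run it over the text extracted from the dump (document text, spreadsheets exported to CSV, configuration files). Credential hits are rotate-now items; the internal addresses and hostnames tell you which assets the attacker, and anyone who downloaded the reshared dump, already knows about. For OT equipment that usually means reviewing segmentation and remote access around those assets rather than expecting to patch them.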
Recent activity
19 sources tracked across advisories, community write-ups, and news.
Named as one of several ransomware groups that used SocGholish infections as an entry point for follow-on attacks.
Previously involved in ransomware attacks targeting Foxconn.
Conducted a ransomware attack against a Foxconn plant in Ciudad Juárez and demanded a $34 million ransom.
Ransomware operation that claimed a prior attack on Foxconn's CTBG MX facility, demanding a $34 million ransom after alleged data theft, large-scale server encryption, and backup destruction.