BravoX is an emerging ransomware-as-a-service (RaaS) operation first publicly observed in January 2026. The group is associated with double-extortion activity, combining data theft with file encryption and threats to publish stolen information through a leak platform if victims refuse to pay. Reporting indicates the operation has targeted organizations in multiple countries and sectors, including financial services and healthcare-related businesses. Observed tradecraft shows a conventional but effective enterprise intrusion workflow. In at least one investigated case, initial access was obtained through an SSL VPN account protected only by a weak password and lacking multi-factor authentication. After access, BravoX conducted internal reconnaissance using network scanning utilities and Windows management commands, searched for credentials and remote-access information, dumped LSASS memory to obtain privileged credentials, and moved laterally via Remote Desktop Protocol. The actors also demonstrated persistence through scheduled tasks that launched a Tor hidden service to expose remote desktop access and an SSH-based SOCKS5 tunneling mechanism to maintain covert connectivity into the victim environment. BravoX has shown deliberate defense evasion and anti-security behavior. Reported activity includes attempts to disable endpoint protections and the use of an EDR-killing tool together with a vulnerable driver to interfere with security products, including Microsoft Defender and Sophos EDR. For data theft, the group has used Rclone prior to encryption. Encryption activity has affected both virtualized and physical systems, including targeting virtual disk files and server operating systems. Victim interaction is handled through a negotiation portal that reportedly offers limited free decryption as proof, promises deletion of stolen data, and frames payment as part of a remediation process. The group’s extortion model includes a staged leak process and aggressive coercive tactics when negotiations fail, including mass unsolicited messaging and direct outreach to employees on professional networking platforms. BravoX has also been described as maintaining a polished leak site and negotiation infrastructure consistent with a structured criminal service model. Behavioral indicators have led some analysts to assess that BravoX likely operates from the former Soviet sphere. That assessment is partly based on the group’s reported prohibition against targeting organizations in the Commonwealth of Independent States, a pattern historically associated with several post-Soviet cybercriminal operations. This attribution remains an analytic assessment rather than a confirmed state linkage. No confirmed sub-groups are currently available. Known alias usage in available reporting is limited to capitalization variants such as bravox and BravoX.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
21 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
13 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware attack against PB Fiduciaire SA, a financial services organization in Switzerland.
Conducting a ransomware attack against Meta, a Brazil-based organization.
Emerging ransomware group conducting double-extortion attacks involving data exfiltration, encryption of virtual and physical systems, and aggressive victim negotiation and extortion.
Newly identified ransomware group referenced in ASEC’s week-4 January 2026 roundup.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.