Skip to main content
Mallory
Back to threat actors

Green Blood Group

Also known asGreen Blood Group

Green Blood Group is a ransomware gang / ransomware operation. In the provided reporting, it claimed responsibility for a cyberattack against Senegal’s Directorate of File Automation (DAF), an agency that manages national ID cards, passports, biometric records, and other sensitive national identity data. The attack reportedly temporarily suspended DAF operations. Green Blood Group claimed it stole 139 GB of data from DAF systems; claimed stolen data included citizen database records, immigration files, and biometric details; and leaked an email allegedly showing exfiltration of card personalization data after two DAF servers were breached. The content only directly supports the alias Green Blood Group and does not provide high-confidence attribution to a nation-state or identify sub-groups.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇸🇳 Senegal
MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

4 of 15 tactics5 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1585
Establish Accounts
T1585.001
Social Media Accounts
TA0009
Collection
1 technique
T1213
Data from Information Repositories
TA0010
Exfiltration
1 technique
T1041×4
Exfiltration Over C2 Channel
TA0040
Impact
1 technique
T1486×4
Data Encrypted for Impact
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
recorded future blogNews
Jun 17, 2026
State Digital Surveillance Risk Landscape

Claimed a breach of Senegal’s digital ID system and exfiltration of a large volume of sensitive data, including biometric data.

Read more
scworldNews
Feb 10, 2026
Cyberattack disrupts Senegal ID department’s operations | SC Media

Ransomware operation claiming data theft (139 GB) from Senegal's Directorate of File Automation, with alleged exfiltration of citizen database records, immigration files, and biometric details; also referenced leaking an email related to the incident.

Read more
scworldNews
Feb 10, 2026
Ransomware encryption to regain traction amid weakening data exfiltration tactics | SC Media

Claimed a ransomware-related intrusion and data theft (139 GB) against Senegal’s Directorate of File Automation, impacting national ID/passport/biometric record management operations.

Read more
scworldNews
Feb 10, 2026
Senate panel OKs Trump’s Cybercom, NSA nominee | SC Media

Claimed a ransomware-related intrusion and data theft (139 GB) against Senegal’s Directorate of File Automation, impacting national ID/passport/biometric record management operations.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping4

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.