Mallory

Payload

Also known as: Payload

Payload is a ransomware operation first observed in February 2026. It is described as a relatively new, active double-extortion group that combines data theft with file encryption, and has been tracked as an emerging ransomware operation with international ambitions. Public reporting places its victims across multiple countries and sectors, including real estate, energy, healthcare (including smaller providers and clinics), telecom, agriculture, logistics, transportation, construction, manufacturing, and technology. Reporting also notes a claimed March 15, 2026 breach of Royal Bahrain Hospital involving 110 GB of allegedly stolen data.

Operationally, some reporting places Payload within the 2026 ransomware-as-a-service ecosystem, but the strongest technical reporting states that public claims of a RaaS model are unverified, because no public evidence of an affiliate program or builder panel was identified.

Technically, Payload supports Windows and Linux/ESXi environments. It appends the .payload extension to encrypted files and drops a ransom note named RECOVER_payload.txt. The malware uses Curve25519 ECDH for per-file key agreement and ChaCha20 for file encryption, with a per-file encryption model and a 56-byte footer that is RC4-encrypted with the key "FBI". Reported anti-forensics and defense-evasion behavior includes deleting shadow copies, clearing Windows Event Logs, patching ETW-related functions in ntdll, terminating numerous services and processes (including backup and database software), emptying the Recycle Bin, and self-deletion via NTFS alternate data streams. The Linux/ESXi variant parses VMware inventory data to locate VM disk paths.

Reporting assesses Payload as heavily derived from the leaked Babuk source code, with modifications including ChaCha20-based encryption, ETW patching, full Windows event log wiping, and NTFS ADS self-deletion.
Aliases directly reflected in the content: Payload, Payload ransomware, Payload Ransomware group.
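The host-level behaviours listed above (shadow-copy deletion, event-log clearing, the .payload extension and the RECOVER_payload.txt note) are the ones a SOC can cheaply correlate from existing telemetry. The following triage helper is an added example written for this page; it is not Mallory's code and not derived from any vendor's detection content. The log format and the sample events are constructed. The file-name indicators come from the profile; the command-line patterns used for T1490 and T1070.001 are assumptions about how those techniques are commonly implemented, not commands the reporting attributes to Payload.

```python
"""Per-host triage for the Payload ransomware behaviours described above.

Added example (not Mallory's or any vendor's code). Telemetry format and
sample events are constructed; command-line patterns are assumptions.
"""
import re
from collections import defaultdict

# Indicators taken from the profile text.
RANSOM_EXT = ".payload"
RANSOM_NOTE = "RECOVER_payload.txt"

# Assumed command-line indicators for the listed techniques. These reflect
# common implementations of T1490 / T1070.001, not strings attributed to
# Payload by the reporting.
CMDLINE_PATTERNS = {
    "T1490": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    ],
    "T1070.001": [
        re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I),
    ],
}

# Constructed sample telemetry: "<timestamp>\t<host>\t<event type>\t<detail>".
SAMPLE_LOG = """\
2026-03-15T09:58:01Z\tFS01\tprocess\tvssadmin.exe delete shadows /all /quiet
2026-03-15T09:58:02Z\tFS01\tprocess\twevtutil.exe cl Security
2026-03-15T09:58:05Z\tFS01\tfile\tD:\\shares\\finance\\q1.xlsx.payload
2026-03-15T09:58:05Z\tFS01\tfile\tD:\\shares\\finance\\q2.xlsx.payload
2026-03-15T09:58:06Z\tFS01\tfile\tD:\\shares\\finance\\RECOVER_payload.txt
2026-03-15T10:01:10Z\tWS07\tprocess\tC:\\Windows\\System32\\notepad.exe report.txt
2026-03-15T10:02:00Z\tWS07\tfile\tC:\\Users\\a\\Desktop\\notes.txt
"""


def parse_line(line):
    """Split one tab-separated telemetry line into a dict, or None if malformed."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        return None
    ts, host, kind, detail = parts
    return {"ts": ts, "host": host, "kind": kind, "detail": detail}


def classify(event):
    """Return the technique or indicator label this event matches, else None."""
    if event["kind"] == "process":
        for technique, patterns in CMDLINE_PATTERNS.items():
            if any(p.search(event["detail"]) for p in patterns):
                return technique
    elif event["kind"] == "file":
        # Normalise Windows separators so the basename check works on both styles.
        name = event["detail"].replace("\\", "/").rsplit("/", 1)[-1]
        if name == RANSOM_NOTE:
            return "T1486:ransom_note"
        if name.lower().endswith(RANSOM_EXT):
            return "T1486:encrypted_file"
    return None


def triage(log_text):
    """Count matching indicators per host and flag hosts showing the combined pattern.

    Returns (counts, verdicts): counts maps host -> {label: n}; verdicts maps
    host -> "likely_payload_ransomware" when encryption artefacts co-occur
    with recovery inhibition or log clearing, or "suspicious" for a lone hit.
    """
    per_host = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        event = parse_line(line) if line.strip() else None
        if event is None:
            continue
        label = classify(event)
        if label:
            per_host[event["host"]][label] += 1

    verdicts = {}
    for host, counts in per_host.items():
        encrypting = counts["T1486:encrypted_file"] > 0 or counts["T1486:ransom_note"] > 0
        recovery_inhibited = counts["T1490"] > 0
        logs_cleared = counts["T1070.001"] > 0
        if encrypting and (recovery_inhibited or logs_cleared):
            verdicts[host] = "likely_payload_ransomware"
        elif encrypting or recovery_inhibited or logs_cleared:
            verdicts[host] = "suspicious"
    return {h: dict(c) for h, c in per_host.items()}, verdicts


if __name__ == "__main__":
    counts, verdicts = triage(SAMPLE_LOG)
    for host, verdict in verdicts.items():
        print(host, verdict, counts[host])
```

The verdict logic deliberately requires two independent behaviours (encryption artefacts plus recovery inhibition or log clearing) before escalating, which keeps a single administrator running a backup-cleanup command from paging the on-call; the per-host counts are returned so an analyst can see which indicators drove the verdict.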


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Financial Services
  • Capital Goods
  • Academia & Research
  • Consumer Services

Where they target

Geographies tied to known operations.

  • 🇨🇾 Cyprus
  • 🇦🇹 Austria
  • 🇵🇱 Poland
  • 🇳🇴 Norway
  • 🇸🇬 Singapore
  • 🇯🇵 Japan
MITRE ATT&CK

Tradecraft

14 distinct techniques observed across reporting, grouped by tactic.

4 of 15 tactics, 16 techniques. ×N = number of intelligence reports citing this technique.

TA0002 Execution (2 techniques)

  • T1106 Native API
  • T1569 System Services

TA0005 Stealth (2 techniques)

  • T1070 Indicator Removal
      • T1070.001 Clear Windows Event Logs ×2
      • T1070.004 File Deletion ×2
  • T1497 Virtualization/Sandbox Evasion
      • T1497.001 System Checks

TA0007 Discovery (4 techniques)

  • T1057 Process Discovery
  • T1082 System Information Discovery
  • T1135 Network Share Discovery
  • T1497 Virtualization/Sandbox Evasion
      • T1497.001 System Checks

TA0040 Impact (4 techniques)

  • T1486 Data Encrypted for Impact ×3
  • T1489 Service Stop
  • T1490 Inhibit System Recovery ×2
  • T1657 Financial Theft