🇮🇷 IR

Sinobi Group

Also known asSinobi Group

Sinobi Group is a ransomware extortion actor identified in the provided content as operating under the name “Sinobi Group.” The group’s extortion note states it is financially motivated rather than politically motivated, offers file decryption and suppression of reputational harm in exchange for payment, sets a 7-day deadline to begin negotiations, directs victims to communicate via Tor-based chat portals with clearnet fallback domains, offers a free test decrypt, claims to have stolen files including income/insurance documents, and warns victims not to use third-party recovery tools or reboot systems. TRM Labs reporting cited in the content links Sinobi Group to a cluster of nearly 200 cryptocurrency addresses used to launder victim payments across multiple ransomware groups, specifically INC, Lynx, Sinobi Group, and info@ranshelp. In that investigation, TRM identified non-VPN IP access from Iran to the laundering cluster and found deposits from Sinobi-linked addresses to HashCr4cker, a credential decryption service, and Bearhost, a bulletproof hosting provider. Known aliases in the provided content: sinobi_group.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

5 of 15 tactics8 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

1 technique

T1583

Acquire Infrastructure

T1583.001

Domains

TA0006

Credential Access

1 technique

T1110

Brute Force

TA0011

Command and Control

1 technique

T1090

Proxy

TA0010

Exfiltration

3 techniques

T1020

Automated Exfiltration

T1048

Exfiltration Over Alternative Protocol

T1567

Exfiltration Over Web Service

TA0040

Impact

1 technique

T1486

Data Encrypted for Impact

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

trm labs blogNews

Apr 8, 2026

New Disruption Opportunities in the Evolving Ransomware Ecosystem | TRM Blog

Ransomware group linked to laundering infrastructure accessed from Iran and to payments to cybercrime service providers including HashCr4cker and Bearhost.

provendata blogNews

Jan 30, 2026

Sinobi Ransomware Explained: Intrusion Methods, Encryption, and Incident Response - Proven Data

Ransomware-style extortion operation: instructs victim to use Tor to access a negotiation chat, offers test decryption and a list of allegedly stolen files, threatens reputational damage via a leaks blog, and references possession of income/insurance documents (implying data theft and potential double-extortion).

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.