Codefinger
Codefinger is a threat actor associated with ransomware attacks targeting AWS environments, specifically Amazon S3. In January 2025, Halcyon reported that Codefinger abused AWS S3 server-side encryption with customer-provided keys (SSE-C) to encrypt victim data and extort organizations for the AES-256 decryption key. Reporting cited here distinguishes Codefinger from Crimson Collective by noting that Codefinger encrypted targeted S3 buckets, whereas Crimson Collective focused on data theft and extortion. The available content directly identifies the actor only as Codefinger and does not provide additional confirmed aliases, sub-groups, or attribution to a nation state.
Tradecraft
1 distinct technique observed across reporting, grouped by tactic.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Conducted a ransomware campaign abusing customer-provided encryption key functionality in cloud object storage to make victim data inaccessible and extort payment for the encryption key.
Mentioned as cloud-targeting ransomware that abuses the SSE-C feature in AWS S3 environments to encrypt data and demands money in exchange for providing the AES-256 decryption key.
Ransomware activity targeting AWS environments, specifically encrypting S3 buckets (as contrasted with Crimson Collective’s extortion/data theft approach).