Mad Liberator is a ransomware and extortion threat actor that emerged in mid-2024. The group has been associated with opportunistic intrusions that rely heavily on abuse of legitimate remote access software, particularly AnyDesk, to obtain interactive access to victim systems while blending into normal administrative activity. Reporting indicates that the actor has primarily emphasized data theft and coercive extortion, including operation of a leak site used to pressure victims by threatening publication of stolen information. Some reporting has also linked the group to encryption and double-extortion activity, although data exfiltration appears to be the most consistently observed element. A notable Mad Liberator tradecraft pattern involves social engineering users into accepting unsolicited remote-support sessions by making the activity appear to be routine IT maintenance. In observed operations, the actor used AnyDesk features to transfer tools, disable local keyboard and mouse input, and exfiltrate files directly through built-in file transfer functionality. The group has also used a fake Windows update-themed decoy program to occupy the victim visually while theft activity proceeds in the background. Post-access activity has included collection of files from cloud-synced storage and mapped network shares, limited internal reconnaissance using common network scanning utilities, and deployment of ransom notes on accessible shared resources. Mad Liberator has also been identified among ransomware actors observed exploiting or abusing remote monitoring and management tooling for access and control. The group’s operational style suggests preference for low-friction intrusion methods that exploit user trust, legitimate administration channels, and native or widely deployed remote-management capabilities rather than noisy malware-heavy initial access chains. Known aliases include mad_liberator and mad_liberator_ransomware_group.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
11 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
2 malware families attributed to this actor across reporting.
4 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A newly emerged ransomware/data-extortion group focused primarily on data exfiltration, with reported occasional encryption and double extortion. In the described incident, it abused AnyDesk remote access, used social engineering to gain session approval, displayed a fake Windows Update screen to mask activity, disabled user input, exfiltrated files from OneDrive and mapped network shares, scanned the subnet with Advanced IP Scanner, and dropped ransom notes on shared network locations.
Observed exploiting AnyDesk for unauthorized remote access by tricking targets into installing the software.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.