Secp0 is a ransomware threat actor/variant first referenced in the provided content as emerging in March 2024, with additional reporting noting it was discovered in March 2025. The content directly associates Secp0 with World Leaks, and World Leaks reporting lists known associations with Hive Ransomware, Secp0 Ransomware, and UNC6148. Lexfo is cited as analyzing Secp0’s introduction, which stated that it was “testing a solution to simplify the release of large datasets,” using World Leaks’ homegrown tools. Based on the provided content, Secp0 appears linked to data-leak and extortion activity associated with the World Leaks ecosystem. Through that association, relevant reported targeting includes industrial/manufacturing organizations, healthcare organizations, technology firms, and other organizations with valuable intellectual property, with many victims located in the United States and additional victims in Canada and Europe. The content does not provide high-confidence, actor-specific TTPs unique to Secp0 beyond its stated use of World Leaks’ tooling and its association with the World Leaks ecosystem.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named as an associated group to World Leaks in the reporting.
Referenced only as a known association of World Leaks.
Named as a new ransomware variant/gang emerging in 2024.
Emerging group using World Leaks tooling to simplify large-scale data release operations.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.